2018-10-22 09:53:30 |
Giuseppe Ravasio |
bug |
|
|
added bug |
2018-10-23 14:17:04 |
Andreas Hasenack |
bug watch added |
|
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7646 |
|
2018-10-23 14:17:04 |
Andreas Hasenack |
bug task added |
|
spamassassin |
|
2018-10-23 14:51:51 |
Andreas Hasenack |
spamassassin (Ubuntu): status |
New |
Triaged |
|
2018-10-23 14:51:57 |
Andreas Hasenack |
spamassassin (Ubuntu): importance |
Undecided |
Medium |
|
2018-10-23 14:52:08 |
Andreas Hasenack |
bug |
|
|
added subscriber Ubuntu Server |
2018-11-07 10:42:25 |
Bug Watch Updater |
spamassassin: status |
Unknown |
Confirmed |
|
2018-11-07 10:42:25 |
Bug Watch Updater |
spamassassin: importance |
Unknown |
High |
|
2019-11-07 13:50:02 |
Andreas Hasenack |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=454595 |
|
2019-11-07 13:50:11 |
Andreas Hasenack |
bug task added |
|
spamassassin (Debian) |
|
2019-11-07 14:42:46 |
Bug Watch Updater |
spamassassin (Debian): status |
Unknown |
New |
|
2022-04-01 18:40:30 |
Sergio Durigan Junior |
nominated for series |
|
Ubuntu Bionic |
|
2022-04-01 18:40:30 |
Sergio Durigan Junior |
bug task added |
|
spamassassin (Ubuntu Bionic) |
|
2022-04-01 18:40:30 |
Sergio Durigan Junior |
nominated for series |
|
Ubuntu Focal |
|
2022-04-01 18:40:30 |
Sergio Durigan Junior |
bug task added |
|
spamassassin (Ubuntu Focal) |
|
2022-04-01 18:40:30 |
Sergio Durigan Junior |
nominated for series |
|
Ubuntu Jammy |
|
2022-04-01 18:40:30 |
Sergio Durigan Junior |
bug task added |
|
spamassassin (Ubuntu Jammy) |
|
2022-04-01 18:40:30 |
Sergio Durigan Junior |
nominated for series |
|
Ubuntu Impish |
|
2022-04-01 18:40:30 |
Sergio Durigan Junior |
bug task added |
|
spamassassin (Ubuntu Impish) |
|
2022-04-01 18:40:37 |
Sergio Durigan Junior |
spamassassin (Ubuntu Bionic): status |
New |
Triaged |
|
2022-04-01 18:40:40 |
Sergio Durigan Junior |
spamassassin (Ubuntu Focal): status |
New |
Triaged |
|
2022-04-01 18:40:41 |
Sergio Durigan Junior |
spamassassin (Ubuntu Impish): status |
New |
Triaged |
|
2022-04-01 18:40:44 |
Sergio Durigan Junior |
spamassassin (Ubuntu Bionic): importance |
Undecided |
Medium |
|
2022-04-01 18:40:46 |
Sergio Durigan Junior |
spamassassin (Ubuntu Focal): importance |
Undecided |
Medium |
|
2022-04-01 18:40:47 |
Sergio Durigan Junior |
spamassassin (Ubuntu Impish): importance |
Undecided |
Medium |
|
2022-04-16 19:47:52 |
Bug Watch Updater |
spamassassin: status |
Confirmed |
Fix Released |
|
2022-06-24 20:55:29 |
Bryce Harrington |
description |
[Test Case]
In one terminal, run:
$ sudo apt-get install spamassassin
$ sudo spamd -d --pidfile=/var/run/spamd.pid -c -x --virtual-config-dir=/var/lib/spamassassin/vconfig/%u/ --allow-tell -u debian-spamd -g debian-spamd --max-children=5 --min-children=3 --max-spare=3 -D
$ sudo tail -f /var/log/mail.log | grep vconfig/
Next, create a testing `spam.mbox` file with one spam email.
Then, in another terminal:
$ spamc < spam.mbox
In the bugged case, the first terminal will show output like:
Jun 24 20:48:11 host spamd[1801774]: spamd: using default config for username: /var/lib/spamassassin/vconfig/username//user_prefs
Jun 24 20:48:11 host spamd[1801774]: config: using "/var/lib/spamassassin/vconfig/username/" for user state dir
Jun 24 20:48:11 host spamd[1801774]: config: mkdir /var/lib/spamassassin/vconfig/username/ failed: Insecure dependency in mkdir while running with -T switch at /usr/lib/x86_64-linux-gnu/perl-base/File/Path.pm line 198, <GEN14> line 2.
In the fixed case, that last line won't be printed.
[Original Report]
Hi,
I'm installing our new relay and as before I'm running spamd with --virtual-config-dir option enabled:
"spamd -d --pidfile=/var/run/spamd.pid -c -x --virtual-config-dir=/var/lib/spamassassin/vconfig/%u/ --allow-tell -u debian-spamd -g debian-spamd --max-children=5 --min-children=3 --max-spare=3"
It works well, but it cannot create the vconfig dir if it doesn't exist.
I've put spamd in debug and the problem is with Perl tainted:
config: mkdir /var/lib/spamassassin/vconfig/giuseppe/ failed: Insecure dependency in mkdir while running with -T switch at /usr/share/perl/5.26/File/Path.pm line 177, <GEN10> line 2.
I solved the problem by running spamd without the -T option (as Arch Linux is doing), but it would be great to fix this tainted variable.
Thanks
Giuseppe
PS: I reported the same bug to spamassassin bugtracking with ID 7646 |
|
2022-06-24 21:00:17 |
Bryce Harrington |
description |
[Test Case]
In one terminal, run:
$ sudo apt-get install spamassassin
$ sudo spamd -d --pidfile=/var/run/spamd.pid -c -x --virtual-config-dir=/var/lib/spamassassin/vconfig/%u/ --allow-tell -u debian-spamd -g debian-spamd --max-children=5 --min-children=3 --max-spare=3 -D
$ sudo tail -f /var/log/mail.log | grep vconfig/
Then, in another terminal:
$ cat > test.mbox <<EOF
From: test
To: test
Subject: test
test
EOF
$ spamc < test.mbox
In the bugged case, the first terminal will show output like:
Jun 24 20:48:11 host spamd[1801774]: spamd: using default config for username: /var/lib/spamassassin/vconfig/username//user_prefs
Jun 24 20:48:11 host spamd[1801774]: config: using "/var/lib/spamassassin/vconfig/username/" for user state dir
Jun 24 20:48:11 host spamd[1801774]: config: mkdir /var/lib/spamassassin/vconfig/username/ failed: Insecure dependency in mkdir while running with -T switch at /usr/lib/x86_64-linux-gnu/perl-base/File/Path.pm line 198, <GEN14> line 2.
In the fixed case, that last line won't be printed.
[Original Report]
Hi,
I'm installing our new relay and as before I'm running spamd with --virtual-config-dir option enabled:
"spamd -d --pidfile=/var/run/spamd.pid -c -x --virtual-config-dir=/var/lib/spamassassin/vconfig/%u/ --allow-tell -u debian-spamd -g debian-spamd --max-children=5 --min-children=3 --max-spare=3"
It works well, but it cannot create the vconfig dir if it doesn't exist.
I've put spamd in debug and the problem is with Perl tainted:
config: mkdir /var/lib/spamassassin/vconfig/giuseppe/ failed: Insecure dependency in mkdir while running with -T switch at /usr/share/perl/5.26/File/Path.pm line 177, <GEN10> line 2.
I solved the problem by running spamd without the -T option (as Arch Linux is doing), but it would be great to fix this tainted variable.
Thanks
Giuseppe
PS: I reported the same bug to spamassassin bugtracking with ID 7646 |
|
2022-06-24 21:03:48 |
Bryce Harrington |
attachment added |
|
fix-mkpath-untainted.patch https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1799185/+attachment/5599594/+files/fix-mkpath-untainted.patch |
|
2022-06-25 00:32:49 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
2023-02-22 16:57:24 |
Sergio Durigan Junior |
spamassassin (Ubuntu): status |
Triaged |
Fix Released |
|
2023-02-22 16:57:34 |
Sergio Durigan Junior |
nominated for series |
|
Ubuntu Lunar |
|
2023-02-22 16:57:34 |
Sergio Durigan Junior |
bug task added |
|
spamassassin (Ubuntu Lunar) |
|
2023-03-23 19:04:35 |
Lena Voytek |
spamassassin (Ubuntu Impish): status |
Triaged |
Won't Fix |
|
2023-03-23 19:05:58 |
Lena Voytek |
nominated for series |
|
Ubuntu Kinetic |
|
2023-03-23 19:05:58 |
Lena Voytek |
bug task added |
|
spamassassin (Ubuntu Kinetic) |
|
2023-03-23 22:05:14 |
Mitchell Dzurick |
description |
[ Impact ]
The vconfig path could be tainted which would cause an error. This upload fixes that by untainting the path. This is done by a helper function to modify the path before attempting to use it.
This bug is low priority but is still helpful for certain users as it's easy to reproduce.
[ Where problems could occur ]
The only change here is to use a helper function Mail::SpamAssassin::Util::untaint_file_path which could introduce a regression if a bad filepath is returned.
[Test Plan]
In a terminal, run:
$ sudo apt-get install spamassassin
$ sudo spamd -d --pidfile=/var/run/spamd.pid -c -x --virtual-config-dir=/var/lib/spamassassin/vconfig/%u/ --allow-tell -u debian-spamd -g debian-spamd --max-children=5 --min-children=3 --max-spare=3 -D
$ cat > test.mbox <<EOF
From: test
To: test
Subject: test
test
EOF
$ spamc < test.mbox
$ sudo grep vconfig/ /var/log/mail.log
In the bugged case, the first terminal will show output like:
Jun 24 20:48:11 host spamd[1801774]: spamd: using default config for username: /var/lib/spamassassin/vconfig/username//user_prefs
Jun 24 20:48:11 host spamd[1801774]: config: using "/var/lib/spamassassin/vconfig/username/" for user state dir
Jun 24 20:48:11 host spamd[1801774]: config: mkdir /var/lib/spamassassin/vconfig/username/ failed: Insecure dependency in mkdir while running with -T switch at /usr/lib/x86_64-linux-gnu/perl-base/File/Path.pm line 198, <GEN14> line 2.
In the fixed case, that last line won't be printed.
[Original Report]
Hi,
I'm installing our new relay and as before I'm running spamd with --virtual-config-dir option enabled:
"spamd -d --pidfile=/var/run/spamd.pid -c -x --virtual-config-dir=/var/lib/spamassassin/vconfig/%u/ --allow-tell -u debian-spamd -g debian-spamd --max-children=5 --min-children=3 --max-spare=3"
It works well, but it cannot create the vconfig dir if it doesn't exist.
I've put spamd in debug and the problem is with Perl tainted:
config: mkdir /var/lib/spamassassin/vconfig/giuseppe/ failed: Insecure dependency in mkdir while running with -T switch at /usr/share/perl/5.26/File/Path.pm line 177, <GEN10> line 2.
I solved the problem by running spamd without the -T option (as Arch Linux is doing), but it would be great to fix this tainted variable.
Thanks
Giuseppe
PS: I reported the same bug to spamassassin bugtracking with ID 7646 |
|
2023-03-23 22:05:39 |
Lena Voytek |
spamassassin (Ubuntu Kinetic): assignee |
|
Mitchell Dzurick (mitchdz) |
|
2023-03-23 22:05:53 |
Lena Voytek |
spamassassin (Ubuntu Jammy): assignee |
|
Mitchell Dzurick (mitchdz) |
|
2023-03-23 22:06:16 |
Lena Voytek |
spamassassin (Ubuntu Focal): assignee |
|
Mitchell Dzurick (mitchdz) |
|
2023-03-23 22:07:17 |
Mitchell Dzurick |
spamassassin (Ubuntu Kinetic): status |
New |
Incomplete |
|
2023-03-23 22:07:27 |
Mitchell Dzurick |
spamassassin (Ubuntu Kinetic): status |
Incomplete |
In Progress |
|
2023-03-23 22:07:29 |
Mitchell Dzurick |
spamassassin (Ubuntu Jammy): status |
Triaged |
In Progress |
|
2023-03-23 22:11:03 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~mitchdz/ubuntu/+source/spamassassin/+git/spamassassin/+merge/439584 |
|
2023-03-24 16:09:59 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~mitchdz/ubuntu/+source/spamassassin/+git/spamassassin/+merge/439640 |
|
2023-03-27 22:01:37 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~mitchdz/ubuntu/+source/spamassassin/+git/spamassassin/+merge/439776 |
|
2023-03-31 14:35:53 |
Timo Aaltonen |
spamassassin (Ubuntu Kinetic): status |
In Progress |
Fix Committed |
|
2023-03-31 14:35:56 |
Timo Aaltonen |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2023-03-31 14:35:58 |
Timo Aaltonen |
bug |
|
|
added subscriber SRU Verification |
2023-03-31 14:36:01 |
Timo Aaltonen |
tags |
patch |
patch verification-needed verification-needed-kinetic |
|
2023-03-31 14:36:54 |
Timo Aaltonen |
spamassassin (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
2023-03-31 14:37:00 |
Timo Aaltonen |
tags |
patch verification-needed verification-needed-kinetic |
patch verification-needed verification-needed-jammy verification-needed-kinetic |
|
2023-03-31 14:38:33 |
Timo Aaltonen |
spamassassin (Ubuntu Focal): status |
Triaged |
Fix Committed |
|
2023-03-31 14:38:39 |
Timo Aaltonen |
tags |
patch verification-needed verification-needed-jammy verification-needed-kinetic |
patch verification-needed verification-needed-focal verification-needed-jammy verification-needed-kinetic |
|
2023-04-03 19:22:09 |
Lena Voytek |
tags |
patch verification-needed verification-needed-focal verification-needed-jammy verification-needed-kinetic |
patch verification-done-kinetic verification-needed verification-needed-focal verification-needed-jammy |
|
2023-04-03 19:38:40 |
Mitchell Dzurick |
tags |
patch verification-done-kinetic verification-needed verification-needed-focal verification-needed-jammy |
patch verification-done-jammy verification-done-kinetic verification-needed verification-needed-focal |
|
2023-04-03 19:52:17 |
Mitchell Dzurick |
tags |
patch verification-done-jammy verification-done-kinetic verification-needed verification-needed-focal |
patch verification-done-focal verification-done-jammy verification-done-kinetic verification-needed |
|
2023-04-11 17:22:30 |
Launchpad Janitor |
spamassassin (Ubuntu Kinetic): status |
Fix Committed |
Fix Released |
|
2023-04-11 17:22:33 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2023-04-11 17:23:08 |
Launchpad Janitor |
spamassassin (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2023-04-11 17:23:40 |
Launchpad Janitor |
spamassassin (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2023-06-12 12:24:37 |
Robie Basak |
spamassassin (Ubuntu Bionic): status |
Triaged |
Won't Fix |
|