Bug 196458 - fix mail/spampd insecure options with perl5.18
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: freebsd-ports-bugs (Nobody)
Reported: 2015-01-03 08:21 UTC by vfx9as
Modified: 2015-01-06 06:53 UTC
Description vfx9as 2015-01-03 08:21:30 UTC
Error log
 Insecure dependency in open while running with -T switch at /usr/local/lib/perl5/site_perl/Net/Server/Daemonize.pm line 75.    at line 179 in file /usr/local/lib/perl5/site_perl/Net/Server.pm 

patch
--- spampd.org 2015-01-03 16:30:31.000000000 +0900
+++ spampd 2015-01-03 17:17:23.000000000 +0900
@@ -819,6 +819,22 @@
 
 usage(0) if $options{help};
 
+# Untaint some options provided by admin command line.
+$pidfile =~ /^(.*)$/;
+$pidfile = $1;
+
+$relayhost =~ /^(.*)$/;
+$relayhost = $1;
+
+$relayport =~ /^(.*)$/;
+$relayport = $1;
+
+$host =~ /^(.*)$/;
+$host = $1;
+
+$port =~ /^(.*)$/;
+$port = $1;
+
 if ( $logsock !~ /^(unix|inet)$/ ) {
 	print "--logsock parameter needs to be either unix or inet\n\n";
 	usage(0);
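Review bot: The five matches against /^(.*)$/ added after "usage(0) if $options{help};" accept any single-line value, so they clear the taint flag without validating anything, and none of the match results is checked before $1 is assigned back. If a match fails (for example a value with an embedded newline), $1 still holds the capture from the previous successful match, so "$relayhost = $1;" could silently take the value of $pidfile. Suggest a pattern per option that describes what the value may be (digits only for $port and $relayport, a hostname or address character set for $host and $relayhost, an absolute path character set for $pidfile) and assigning only on success, e.g. "($port) = $port =~ /^(\d+)$/ or die ...", so that a bad option stops startup instead of being laundered through taint mode.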
Comment 1 Kurt Jaeger freebsd_committer freebsd_triage 2015-01-05 10:22:48 UTC
The new version 2.42 is on github. Can you provide a patch to update and
check whether the issue is still in 2.42?
Comment 2 vfx9as 2015-01-06 06:53:26 UTC
Bug 196534 - mail/spampd: update to spampd-2.42
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=196534