This queue is for tickets about the MailTools CPAN distribution.

Report information
The Basics
Id: 37849
Status: resolved
Priority: 0/
Queue: MailTools

People
Owner: Nobody in particular
Requestors: jkosin [...] beta.intcomgrp.com
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 2.03
Fixed in: (no value)



Subject: Insecure Dependancy with sendmail.pm

I'm using perl-5.10.0 with Bugzilla-2.22.4 and emails have stopped flowing. I'm getting the error below when trying to get email flowing again.

Insecure dependency in exec while running with -T switch at /usr/lib/perl5/vendor_perl/5.10.0/Mail/Mailer/sendmail.pm line 22.

Any ideas? The Bugzilla people are a bit unresponsive on the topic.

Thanks,
James Kosin

From: Mark Overmeer <mark [...] overmeer.net>
Date: Tue, 22 Jul 2008 21:21:31 +0200

* James Kosin via RT (bug-MailTools@rt.cpan.org) [080722 15:07]:
> Tue Jul 22 11:07:05 2008: Request 37849 was acted upon.
> Queue: MailTools
> Subject: Insecure Dependancy with sendmail.pm
> Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=37849 >
>
> Insecure dependency in exec while running with -T switch
> at /usr/lib/perl5/vendor_perl/5.10.0/Mail/Mailer/sendmail.pm line 22.
> Any ideas? The Bugzilla people are a bit unresponsive on the topic.

Tainting is very nice, but the cause of a violation complaint is not easy to find: very application dependent. Apparently, the $exe variable is tainted because it arrived from an environment variable, command-line parameter or such. My module is not setting the tainting, nor cleaning input values.

--
Regards,
MarkOv

------------------------------------------------------------------------
Mark Overmeer MSc, MARKOV Solutions
Mark@Overmeer.net, solutions@overmeer.net
http://Mark.Overmeer.net, http://solutions.overmeer.net

From: James Kosin <jkosin [...] beta.intcomgrp.com>
Date: Tue, 22 Jul 2008 16:41:07 -0400

Mark Overmeer via RT wrote:
> <URL: http://rt.cpan.org/Ticket/Display.html?id=37849 >
>
> * James Kosin via RT (bug-MailTools@rt.cpan.org) [080722 15:07]:
>> Tue Jul 22 11:07:05 2008: Request 37849 was acted upon.
>> Queue: MailTools
>> Subject: Insecure Dependancy with sendmail.pm
>> Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=37849 >
>>
>> Insecure dependency in exec while running with -T switch
>> at /usr/lib/perl5/vendor_perl/5.10.0/Mail/Mailer/sendmail.pm line 22.
>> Any ideas? The Bugzilla people are a bit unresponsive on the topic.
>
> Tainting is very nice, but the cause of a violation complaint is not
> easy to find: very application dependent. Apparently, the $exe variable
> is tainted because it arrived from an environment variable, command-line
> parameter or such. My module is not setting the tainting, nor cleaning
> input values.

How would one go about setting and/or clearing the tainting of the $exe variable?

Is there a way to permit this in this specific case (cleaning up the reason for the tainting)?

Or am I doomed....

James

From: Mark Overmeer <solutions [...] overmeer.net>
Date: Tue, 22 Jul 2008 23:02:26 +0200

* James Kosin via RT (bug-MailTools@rt.cpan.org) [080722 20:41]:
> How would one go about setting and/or clearing the tainting of the $exe
> variable?

The reason why I cannot solve this problem for you the right way, is that you have to inspect the source of the $exe variable. And that source is not in my module.

> Is there a way to permit this in this specific case (cleaning up the
> reason for the tainting) ?

Tainting is a protection for you, that (other) bugs in your program can be abused. You can, of course, disable all protection by removing the -T flag in the first line of the start-up script. You can also replace $exe by the absolute path to the sendmail binary.

--
Regards,
MarkOv

From: James Kosin <jkosin [...] beta.intcomgrp.com>
Date: Wed, 23 Jul 2008 08:57:17 -0400

Mark Overmeer via RT wrote:
> <URL: http://rt.cpan.org/Ticket/Display.html?id=37849 >
>
> * James Kosin via RT (bug-MailTools@rt.cpan.org) [080722 20:41]:
>> How would one go about setting and/or clearing the tainting of the $exe
>> variable?
>
> The reason why I cannot solve this problem for you the right way, is
> that you have to inspect the source of the $exe variable. And that
> source is not in my module.
>
>> Is there a way to permit this in this specific case (cleaning up the
>> reason for the tainting) ?
>
> Tainting is a protection for you, that (other) bugs in your program
> can be abused. You can, of course, disable all protection by removing
> the -T flag in the first line of the start-up script. You can also
> replace $exe by the absolute path to the sendmail binary.

Could I help inspect these values by using print? If so, how?

I tried the absolute path to the sendmail binary and it still reports the same error; so, it may be tainting elsewhere.

James

From: James Kosin <jkosin [...] beta.intcomgrp.com>
Date: Wed, 23 Jul 2008 09:27:14 -0400

Mark Overmeer via RT wrote:
> <URL: http://rt.cpan.org/Ticket/Display.html?id=37849 >
>
> * James Kosin via RT (bug-MailTools@rt.cpan.org) [080722 20:41]:
>> How would one go about setting and/or clearing the tainting of the $exe
>> variable?
>
> The reason why I cannot solve this problem for you the right way, is
> that you have to inspect the source of the $exe variable. And that
> source is not in my module.
>
>> Is there a way to permit this in this specific case (cleaning up the
>> reason for the tainting) ?
>
> Tainting is a protection for you, that (other) bugs in your program
> can be abused. You can, of course, disable all protection by removing
> the -T flag in the first line of the start-up script. You can also
> replace $exe by the absolute path to the sendmail binary.

I managed to get the output working. Below is the output of $self, $exe and @$args. The ',' and text before the '=' was added by me to tell where the fields started.

This is what I added to sendmail.pm to output the values.

    print 'Mailer=', $self, ', ';
    print 'Exe=', $exe, ', ';
    print @$args;

Would you need any more information???

----
Bugzilla Sanity Check

OK, now attempting to send unsent mail
11 bugs found with possibly unsent mail.
Mailer=Mail::Mailer::sendmail=GLOB(0x8c53624), Exe=/usr/lib/sendmail, -i-fbugzilla-daemon

Software error:

Insecure dependency in exec while running with -T switch at /usr/lib/perl5/vendor_perl/5.10.0/Mail/Mailer/sendmail.pm line 25.

For help, please send mail to the webmaster (root@support.intcomgrp.com), giving this error message and the time and date of the error.

Software error:

DBD::Pg::db selectrow_array failed: server closed the connection unexpectedly
This probably means the server terminated abnormally before or while processing the request.
[for Statement "SELECT userid, login_name, realname, disabledtext, mybugslink FROM profiles WHERE userid=?"] at Bugzilla/User.pm line 132
Bugzilla::User::_create('Bugzilla::User', 'userid=?', 4) called at Bugzilla/User.pm line 82
Bugzilla::User::new('Bugzilla::User', 4) called at Bugzilla/BugMail.pm line 416
Bugzilla::BugMail::ProcessOneBug(188, undef) called at Bugzilla/BugMail.pm line 115
Bugzilla::BugMail::Send(188) called at /var/www/html/bugzilla-2.22.2/sanitycheck.cgi line 245

For help, please send mail to the webmaster (root@support.intcomgrp.com), giving this error message and the time and date of the error.

From: Mark Overmeer <mark [...] overmeer.net>
Date: Wed, 23 Jul 2008 22:34:06 +0200

* James Kosin via RT (bug-MailTools@rt.cpan.org) [080723 13:27]:
> Would you need any more information???

Again "tainting" is a complex subject. I expect in your case the message is tainted, because it is collected from the database, which is external and therefore untrusted.

See the manual page of DBI about Taint and Programming Perl. It is a much too complex matter to explain in emails.

--
Regards,
MarkOv
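
Added example, not part of the ticket and not code from MailTools or Bugzilla: a Perl script showing why an absolute program path alone does not satisfy taint mode, how to find which input to exec/system is tainted using Scalar::Util::tainted, and how to untaint one argument by validating it. It assumes a Unix host; /bin/sh stands in for /usr/lib/sendmail, and the sender value, the pattern in untaint_sender and all sub names are constructed for the illustration.

```perl
#!/usr/bin/perl -T
# Added example; run as:  perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# A zero-length tainted string. Appending it to a value marks that value
# tainted, which lets this script construct "external" data inline.
my $TAINT = substr(join('', $0, $^X, values %ENV), 0, 0);
die "start perl with -T and a non-empty environment\n" unless tainted($TAINT);

# Environment variables that taint mode inspects before running a command.
my @ENV_CHECKED = qw(PATH IFS CDPATH ENV BASH_ENV);

# Return the names of all tainted inputs to exec($exe, @args).
# print() shows only the characters of a value, never its taint flag,
# so each value has to be tested individually.
sub tainted_inputs {
    my ($exe, @args) = @_;
    my @bad;
    push @bad, 'exe' if tainted($exe);
    for my $i (0 .. $#args) {
        push @bad, "args[$i]" if tainted($args[$i]);
    }
    for my $name (@ENV_CHECKED) {
        push @bad, "ENV{$name}" if exists $ENV{$name} && tainted($ENV{$name});
    }
    return @bad;
}

# Untaint a sender address by validating it and returning the regex capture.
# The pattern is deliberately narrow (an assumption about what a valid sender
# looks like here); a catch-all such as /(.*)/ would defeat taint mode.
sub untaint_sender {
    my ($addr) = @_;
    if ($addr =~ /\A([A-Za-z0-9][A-Za-z0-9._+-]*(?:\@[A-Za-z0-9.-]+)?)\z/) {
        return $1;    # a capture is untainted unless "use re 'taint'" is on
    }
    die "refusing suspicious sender address\n";
}

# Run the command in list form (no shell parsing) and describe the outcome.
# Taint mode checks the environment and every list element before the call.
sub try_command {
    my ($exe, @args) = @_;
    my $ok = eval { system($exe, @args); 1 };
    return "ran, exit status $?" if $ok;
    chomp(my $err = $@);
    return "blocked: $err";
}

# Constructed inputs: a literal program path (clean) and a sender that came
# from "outside" (tainted), as a value read from a database would be.
my $exe    = '/bin/sh';                       # stand-in for /usr/lib/sendmail
my $sender = 'bugzilla-daemon' . $TAINT;      # hypothetical external value
my @args   = ('-c', 'exit 0', 'sh', '-i', "-f$sender");

print "tainted at start:      @{[ tainted_inputs($exe, @args) ]}\n";

# Step 1: give the child process a known environment (see perlsec).
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/usr/bin:/bin';
print "tainted after env fix: @{[ tainted_inputs($exe, @args) ]}\n";
print "system():              ", try_command($exe, @args), "\n";

# Step 2: validate the one argument that is still tainted, then retry.
$args[-1] = '-f' . untaint_sender($sender);
print "tainted after untaint: @{[ tainted_inputs($exe, @args) ]}\n";
print "system():              ", try_command($exe, @args), "\n";
```

The same tainted_inputs call, placed just before the exec in a local copy of the failing code, names the value to trace back to its source; the untaint step belongs in the application that produced that value.
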

From: James Kosin <jkosin [...] beta.intcomgrp.com>
Date: Thu, 24 Jul 2008 08:57:58 -0400

Mark Overmeer via RT wrote:
> <URL: http://rt.cpan.org/Ticket/Display.html?id=37849 >
>
> * James Kosin via RT (bug-MailTools@rt.cpan.org) [080723 13:27]:
>> Would you need any more information???
>
> Again "tainting" is a complex subject. I expect in your case the message
> is tainted, because it is collected from the database, which is external
> and therefore untrusted.
>
> See the manual page of DBI about Taint and Programming Perl. It is a much
> too complex matter to explain in emails.

Thanks, I guess I have some deep reading to do...

Know anyone at Bugzilla who may know how to fix this?

Thanks again,
James

From: James Kosin <jkosin [...] beta.intcomgrp.com>
Date: Tue, 02 Sep 2008 09:59:00 -0400

Mark Overmeer via RT wrote:
> <URL: http://rt.cpan.org/Ticket/Display.html?id=37849 >
>
> According to our records, your request has been resolved. If you have any
> further questions or concerns, please respond to this message.

Thanks,

Yes, the problem was resolved. It appears bugzilla 2.22.4-5 are not supporting themselves anymore; so, any tainting is getting in the way with newer modules and perl versions.

James Kosin

closed again

