This queue is for tickets about the MailTools CPAN distribution.

Report information
The Basics
Id: 37849
Status: resolved
Priority: 0/
Queue: MailTools

People
Owner: Nobody in particular
Requestors: jkosin [...] beta.intcomgrp.com
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 2.03
Fixed in: (no value)

Subject: Insecure Dependancy with sendmail.pm
I'm using perl-5.10.0 with Bugzilla-2.22.4 and emails have stopped flowing. I'm getting the error below when trying to get email flowing again.

    Insecure dependency in exec while running with -T switch at /usr/lib/perl5/vendor_perl/5.10.0/Mail/Mailer/sendmail.pm line 22.

Any ideas? The Bugzilla people are a bit unresponsive on the topic.

Thanks,
James Kosin
Subject: Re: [rt.cpan.org #37849] Insecure Dependancy with sendmail.pm
Date: Tue, 22 Jul 2008 21:21:31 +0200
To: James Kosin via RT <bug-MailTools [...] rt.cpan.org>
From: Mark Overmeer <mark [...] overmeer.net>
* James Kosin via RT (bug-MailTools@rt.cpan.org) [080722 15:07]:
> Tue Jul 22 11:07:05 2008: Request 37849 was acted upon.
> Queue: MailTools
> Subject: Insecure Dependancy with sendmail.pm
> Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=37849 >
>
> Insecure dependency in exec while running with -T switch
> at /usr/lib/perl5/vendor_perl/5.10.0/Mail/Mailer/sendmail.pm line 22.
> Any ideas? The Bugzilla people are a bit unresponsive on the topic.

Tainting is very nice, but the cause of a violation complaint is not easy to find: very application dependent. Apparently, the $exe variable is tainted because it arrived from an environment variable, command-line parameter or such. My module is not setting the tainting, nor cleaning input values.

--
Regards,
MarkOv

------------------------------------------------------------------------
Mark Overmeer MSc                                MARKOV Solutions
Mark@Overmeer.net                          solutions@overmeer.net
http://Mark.Overmeer.net                   http://solutions.overmeer.net
Subject: Re: [rt.cpan.org #37849] Insecure Dependancy with sendmail.pm
Date: Tue, 22 Jul 2008 16:41:07 -0400
To: bug-MailTools [...] rt.cpan.org
From: James Kosin <jkosin [...] beta.intcomgrp.com>
Mark Overmeer via RT wrote:
> <URL: http://rt.cpan.org/Ticket/Display.html?id=37849 >
>
> * James Kosin via RT (bug-MailTools@rt.cpan.org) [080722 15:07]:
>> Tue Jul 22 11:07:05 2008: Request 37849 was acted upon.
>> Queue: MailTools
>> Subject: Insecure Dependancy with sendmail.pm
>> Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=37849 >
>>
>> Insecure dependency in exec while running with -T switch
>> at /usr/lib/perl5/vendor_perl/5.10.0/Mail/Mailer/sendmail.pm line 22.
>> Any ideas? The Bugzilla people are a bit unresponsive on the topic.
>
> Tainting is very nice, but the cause of a violation complaint is not
> easy to find: very application dependent. Apparently, the $exe variable
> is tainted because it arrived from an environment variable, command-line
> parameter or such. My module is not setting the tainting, nor cleaning
> input values.

How would one go about setting and/or clearing the tainting of the $exe variable? Is there a way to permit this in this specific case (cleaning up the reason for the tainting)? Or am I doomed....

James

Subject: Re: [rt.cpan.org #37849] Insecure Dependancy with sendmail.pm
Date: Tue, 22 Jul 2008 23:02:26 +0200
To: James Kosin via RT <bug-MailTools [...] rt.cpan.org>
From: Mark Overmeer <solutions [...] overmeer.net>
* James Kosin via RT (bug-MailTools@rt.cpan.org) [080722 20:41]:
> How would one go about setting and/or clearing the tainting of the $exe
> variable?

The reason why I cannot solve this problem for you the right way is that you have to inspect the source of the $exe variable. And that source is not in my module.

> Is there a way to permit this in this specific case (cleaning up the
> reason for the tainting)?

Tainting is a protection for you, that (other) bugs in your program can be abused. You can, of course, disable all protection by removing the -T flag in the first line of the start-up script. You can also replace $exe by the absolute path to the sendmail binary.

--
Regards,
MarkOv
Subject: Re: [rt.cpan.org #37849] Insecure Dependancy with sendmail.pm
Date: Wed, 23 Jul 2008 08:57:17 -0400
To: bug-MailTools [...] rt.cpan.org
From: James Kosin <jkosin [...] beta.intcomgrp.com>
Mark Overmeer via RT wrote:
> <URL: http://rt.cpan.org/Ticket/Display.html?id=37849 >
>
> * James Kosin via RT (bug-MailTools@rt.cpan.org) [080722 20:41]:
>> How would one go about setting and/or clearing the tainting of the $exe
>> variable?
>
> The reason why I cannot solve this problem for you the right way, is
> that you have to inspect the source of the $exe variable. And that
> source is not in my module.
>
>> Is there a way to permit this in this specific case (cleaning up the
>> reason for the tainting)?
>
> Tainting is a protection for you, that (other) bugs in your program
> can be abused. You can, of course, disable all protection by removing
> the -T flag in the first line of the start-up script. You can also
> replace $exe by the absolute path to the sendmail binary.

Could I help inspect these values by using print? If so, how?

I tried the absolute path to the sendmail binary and it still reports the same error; so, it may be tainting elsewhere.

James

Subject: Re: [rt.cpan.org #37849] Insecure Dependancy with sendmail.pm
Date: Wed, 23 Jul 2008 09:27:14 -0400
To: bug-MailTools [...] rt.cpan.org
From: James Kosin <jkosin [...] beta.intcomgrp.com>
Mark Overmeer via RT wrote:
> <URL: http://rt.cpan.org/Ticket/Display.html?id=37849 >
>
> * James Kosin via RT (bug-MailTools@rt.cpan.org) [080722 20:41]:
>> How would one go about setting and/or clearing the tainting of the $exe
>> variable?
>
> The reason why I cannot solve this problem for you the right way, is
> that you have to inspect the source of the $exe variable. And that
> source is not in my module.
>
>> Is there a way to permit this in this specific case (cleaning up the
>> reason for the tainting)?
>
> Tainting is a protection for you, that (other) bugs in your program
> can be abused. You can, of course, disable all protection by removing
> the -T flag in the first line of the start-up script. You can also
> replace $exe by the absolute path to the sendmail binary.

I managed to get the output working. Below is the output of $self, $exe and @$args. The ',' and text before the '=' was added by me to tell where the fields started.

This is what I added to sendmail.pm to output the values:

    print 'Mailer=', $self, ', ';
    print 'Exe=', $exe, ', ';
    print @$args;

Would you need any more information???

----
Bugzilla Sanity Check
OK, now attempting to send unsent mail
11 bugs found with possibly unsent mail.
Mailer=Mail::Mailer::sendmail=GLOB(0x8c53624), Exe=/usr/lib/sendmail, -i-fbugzilla-daemon

Software error:
Insecure dependency in exec while running with -T switch at /usr/lib/perl5/vendor_perl/5.10.0/Mail/Mailer/sendmail.pm line 25.
For help, please send mail to the webmaster (root@support.intcomgrp.com), giving this error message and the time and date of the error.

Software error:
DBD::Pg::db selectrow_array failed: server closed the connection unexpectedly
        This probably means the server terminated abnormally before or while processing the request.
 [for Statement "SELECT userid, login_name, realname, disabledtext, mybugslink FROM profiles WHERE userid=?"] at Bugzilla/User.pm line 132
        Bugzilla::User::_create('Bugzilla::User', 'userid=?', 4) called at Bugzilla/User.pm line 82
        Bugzilla::User::new('Bugzilla::User', 4) called at Bugzilla/BugMail.pm line 416
        Bugzilla::BugMail::ProcessOneBug(188, undef) called at Bugzilla/BugMail.pm line 115
        Bugzilla::BugMail::Send(188) called at /var/www/html/bugzilla-2.22.2/sanitycheck.cgi line 245
For help, please send mail to the webmaster (root@support.intcomgrp.com), giving this error message and the time and date of the error.

Subject: Re: [rt.cpan.org #37849] Insecure Dependancy with sendmail.pm
Date: Wed, 23 Jul 2008 22:34:06 +0200
To: James Kosin via RT <bug-MailTools [...] rt.cpan.org>
From: Mark Overmeer <mark [...] overmeer.net>
* James Kosin via RT (bug-MailTools@rt.cpan.org) [080723 13:27]:
> Would you need any more information???

Again "tainting" is a complex subject. I expect in your case the message is tainted, because it is collected from the database, which is external and therefore untrusted.

See the manual page of DBI about Taint and Programming Perl. It is a much too complex matter to explain in emails.

--
Regards,
MarkOv
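The two open questions in this thread are how to see which value is tainted (printing a value, as James did, shows its contents but not its taint flag) and how to clean a value that legitimately came from an untrusted source such as the database. The script below is an added example for this ticket; it is not code from MailTools, Bugzilla or either correspondent. It mimics the situation at sendmail.pm line 22: a fixed sendmail path plus arguments, one of which may be tainted. The value taken from @ARGV stands in for a database-supplied sender, since under -T everything from @ARGV, %ENV, file handles and (with DBI's TaintOut attribute) database rows is tainted; the allowed-character pattern used for untainting is an assumption chosen for the example.

```perl
#!/usr/bin/perl -T
# Added example: locate and untaint values before exec under taint mode.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed sample input. The literal path is clean because it is part
# of the program; the first command-line argument, when given, is tainted
# because Perl marks everything from @ARGV as external data.
my $sendmail = '/usr/lib/sendmail';
my $from     = @ARGV ? $ARGV[0] : 'bugzilla-daemon';

# print() cannot distinguish a tainted string from a clean one: both print
# identically. Scalar::Util::tainted() reports the flag that exec checks.
sub report {
    my ($name, $value) = @_;
    printf "%-10s = %-25s %s\n", $name, $value,
        tainted($value) ? 'TAINTED' : 'clean';
}

# Untainting in Perl is done by extracting the wanted part with a regex
# capture; the captured text is clean. The pattern is an assumption for
# this example: a local part of letters, digits, dot, underscore, dash.
# Anything else is rejected rather than handed to exec.
sub untaint_local_part {
    my ($value) = @_;
    my ($clean) = $value =~ /\A([A-Za-z0-9._-]+)\z/
        or die "refusing unsafe sender value: '$value'\n";
    return $clean;
}

# Same shape as the values the thread printed: exe plus "-i -f<sender>".
# "-f$from" is derived from $from, so it inherits the taint.
my @args = ('-i', "-f$from");
report('exe', $sendmail);
report("args[$_]", $args[$_]) for 0 .. $#args;

# exec also refuses to run if $ENV{PATH} (or IFS, CDPATH, ENV, BASH_ENV)
# is tainted; that produces a different message, "Insecure $ENV{PATH}",
# but a taint-mode program has to set these explicitly either way.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Clean only the untrusted value, then rebuild the argument list from it.
my $clean_from = untaint_local_part($from);
my @clean_args = ('-i', "-f$clean_from");
report("clean[$_]", $clean_args[$_]) for 0 .. $#clean_args;

# At this point exec($sendmail, @clean_args) would be accepted by -T.
# The example stops here and only shows the command line it would run.
print "would run: $sendmail @clean_args\n";
```

Run it as `perl -T taint_demo.pl bugzilla-daemon` (the shebang's -T must match the command line, or Perl stops with "Too late for -T") and the report shows args[1] as TAINTED and clean[1] as clean; run with `'bugzilla-daemon; rm -rf /'` and the untaint step dies instead of passing the value on. The point relevant to the thread is that an absolute $exe alone does not satisfy the check: every element of the exec list, and the environment, must be clean, so the inspection has to cover each argument individually.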
Subject: Re: [rt.cpan.org #37849] Insecure Dependancy with sendmail.pm
Date: Thu, 24 Jul 2008 08:57:58 -0400
To: bug-MailTools [...] rt.cpan.org
From: James Kosin <jkosin [...] beta.intcomgrp.com>
Mark Overmeer via RT wrote:
> <URL: http://rt.cpan.org/Ticket/Display.html?id=37849 >
>
> * James Kosin via RT (bug-MailTools@rt.cpan.org) [080723 13:27]:
>> Would you need any more information???
>
> Again "tainting" is a complex subject. I expect in your case the message
> is tainted, because it is collected from the database, which is external
> and therefore untrusted.
>
> See the manual page of DBI about Taint and Programming Perl. It is a much
> too complex matter to explain in emails.

Thanks, I guess I have some deep reading to do...

Know anyone at Bugzilla who may know how to fix this?

Thanks again,
James

Subject: Re: [rt.cpan.org #37849] Resolved: Insecure Dependancy with sendmail.pm
Date: Tue, 02 Sep 2008 09:59:00 -0400
To: bug-MailTools [...] rt.cpan.org
From: James Kosin <jkosin [...] beta.intcomgrp.com>
Mark Overmeer via RT wrote:
> <URL: http://rt.cpan.org/Ticket/Display.html?id=37849 >
>
> According to our records, your request has been resolved. If you have any
> further questions or concerns, please respond to this message.
>

Thanks,

Yes, the problem was resolved. It appears bugzilla 2.22.4-5 are not supporting themselves anymore; so, any tainting is getting in the way with newer modules and perl versions.

James Kosin

closed again