| This information is originally from http://www.ijs.si/software/amavisd/ |
| (Thanks to amavisd-new, Mark Martinec, and Vivek Khera!) |
| |
| If SpamAssassin is running in taint-mode (the default) and is configured to |
| call Vipul's Razor 2.22 or higher, then Razor2 checks will fail because the |
| Razor2 code is not quite taint-safe. The problem is still present in 2.36 |
| and the SpamAssassin developers do not know when or how this will be |
| addressed so please don't ask us! |
| |
| To apply: cd to the directory /usr/{lib,share}/perl5/.../Razor2 (wherever |
| the Client subdirectory is located) and apply the patch directly with: |
| |
| patch -p0 < Razor2.patch |
| |
| or apply to the Razor2 source tree with: |
| |
| patch -p0 -d lib/Razor2 < Razor2.patch |
| |
| Please make sure that no unpatched copies of Razor are installed on your |
| system. Sometimes, there is more than one installed copy. |
| |
| --- Client/Agent.pm~ Tue Nov 19 16:26:05 2002 |
| +++ Client/Agent.pm Sun Sep 21 23:20:47 2003 |
| @@ -969,6 +969,7 @@ |
| my @fns; |
| if (opendir D,$self->{razorhome}) { |
| @fns = map "$self->{razorhome}/$_", grep /^server\.[\S]+\.conf$/, readdir D; |
| + @fns = map { /^(\S+)$/, $1 } @fns; # untaint |
| closedir D; |
| } |
| foreach (@fns) { |
| --- Client/Config.pm~ Thu Nov 14 14:47:01 2002 |
| +++ Client/Config.pm Sun Sep 21 23:18:52 2003 |
| @@ -323,9 +323,11 @@ |
| if ($fn =~ /^(.*)\/([^\/]+)$/) { |
| my $dir = $1; |
| $fn = readlink $fn; |
| + $fn = $1 if $fn =~ /^(\S+)$/; # untaint readlink |
| $fn = "$dir/$fn" unless $fn =~ /^\//; |
| } else { |
| $fn = readlink $fn; |
| + $fn = $1 if $fn =~ /^(\S+)$/; # untaint readlink |
| } |
| } |
| } |
| @@ -366,13 +368,13 @@ |
| chomp; |
| next if /^\s*#/; |
| if ($nothash) { |
| - s/^\s+//; s/\s+$//; |
| + next unless s/^\s*(.+?)\s*$/$1/; # untaint |
| $conf->{$_} = 7; |
| push @lines, $_; |
| } else { |
| next unless /=/; |
| - my ($attribute, $value) = split /\=/, $_, 2; |
| - $attribute =~ s/^\s+//; $attribute =~ s/\s+$//; |
| + my ($attribute, $value) = /^\s*(.+?)\s*=\s*(.+?)\s*$/; # untaint |
| + next unless (defined $attribute && defined $value); |
| $conf->{$attribute} = $self->parse_value($value); |
| } |
| $total++; |
| --- Client/Core.pm~ Wed Nov 13 12:01:10 2002 |
| +++ Client/Core.pm Sun Sep 21 23:20:21 2003 |
| @@ -216,8 +216,10 @@ |
| foreach $rr ($query->answer) { |
| my $pushed = 0; |
| if ($rr->type eq "A") { |
| - push @list, $rr->address; |
| - $pushed = 1; |
| + if ($rr->address =~ m/^(\d+\.\d+\.\d+\.\d+)$/) { |
| + push @list, $1; |
| + $pushed = 1; |
| + } |
| } elsif ($rr->type eq "CNAME") { |
| if ($rr->cname eq 'list.terminator') { |
| pop @list if $pushed; |