Bug #37849 for MailTools: Insecure Dependancy with sendmail.pm

Tue Jul 22 11:07:05 2008 jkosin [...] beta.intcomgrp.com - Ticket created

Subject:

Insecure Dependancy with sendmail.pm

I'm using perl-5.10.0 with Bugzilla-2.22.4 and emails have stopped flowing. I'm getting the error below when trying to get email flowing again. Insecure dependency in exec while running with -T switch at /usr/lib/perl5/vendor_perl/5.10.0/Mail/Mailer/sendmail.pm line 22. Any ideas? The Bugzilla people are a bit unresponsive on the topic. Thanks, James Kosin

Tue Jul 22 15:24:28 2008 Mark [...] Overmeer.net - Correspondence added

Subject:	Re: [rt.cpan.org #37849] Insecure Dependancy with sendmail.pm
Date:	Tue, 22 Jul 2008 21:21:31 +0200
To:	James Kosin via RT <bug-MailTools [...] rt.cpan.org>
From:	Mark Overmeer <mark [...] overmeer.net>

* James Kosin via RT (bug-MailTools@rt.cpan.org) [080722 15:07]: Show quoted text

> Tue Jul 22 11:07:05 2008: Request 37849 was acted upon. > Queue: MailTools > Subject: Insecure Dependancy with sendmail.pm > Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=37849 > > > Insecure dependency in exec while running with -T switch > at /usr/lib/perl5/vendor_perl/5.10.0/Mail/Mailer/sendmail.pm line 22. > Any ideas? The Bugzilla people are a bit unresponsive on the topic.

Tainting is very nice, but the cause of a violation complaint is not easy to find: very application dependent. Apparenty, the $exe variable is tainted because it arrived from an environment variable, command-line parameter or such. My module is not setting the tainting, nor cleaning input values. -- Regards, MarkOv ------------------------------------------------------------------------ Mark Overmeer MSc MARKOV Solutions Mark@Overmeer.net solutions@overmeer.net http://Mark.Overmeer.net http://solutions.overmeer.net

Tue Jul 22 15:24:32 2008 The RT System itself - Status changed from 'new' to 'open'

Tue Jul 22 16:41:28 2008 jkosin [...] beta.intcomgrp.com - Correspondence added

Subject:	Re: [rt.cpan.org #37849] Insecure Dependancy with sendmail.pm
Date:	Tue, 22 Jul 2008 16:41:07 -0400
To:	bug-MailTools [...] rt.cpan.org
From:	James Kosin <jkosin [...] beta.intcomgrp.com>

Mark Overmeer via RT wrote: Show quoted text

> <URL: http://rt.cpan.org/Ticket/Display.html?id=37849 > > > * James Kosin via RT (bug-MailTools@rt.cpan.org) [080722 15:07]:

>> Tue Jul 22 11:07:05 2008: Request 37849 was acted upon. >> Queue: MailTools >> Subject: Insecure Dependancy with sendmail.pm >> Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=37849 > >> >> Insecure dependency in exec while running with -T switch >> at /usr/lib/perl5/vendor_perl/5.10.0/Mail/Mailer/sendmail.pm line 22. >> Any ideas? The Bugzilla people are a bit unresponsive on the topic.

> > Tainting is very nice, but the cause of a violation complaint is not > easy to find: very application dependent. Apparenty, the $exe variable > is tainted because it arrived from an environment variable, command-line > parameter or such. My module is not setting the tainting, nor cleaning > input values.

How would one go about setting and/or clearing the tainting of the $exe variable? Is there a way to permit this in this specific case (cleaning up the reason for the tainting) ? Or am I doomed.... James

Download signature.asc
application/pgp-signature 258b

Message body not shown because it is not plain text.

Tue Jul 22 17:02:41 2008 solutions [...] overmeer.net - Correspondence added

Subject:	Re: [rt.cpan.org #37849] Insecure Dependancy with sendmail.pm
Date:	Tue, 22 Jul 2008 23:02:26 +0200
To:	James Kosin via RT <bug-MailTools [...] rt.cpan.org>
From:	Mark Overmeer <solutions [...] overmeer.net>

* James Kosin via RT (bug-MailTools@rt.cpan.org) [080722 20:41]: Show quoted text

> How would one go about setting and/or clearing the tainting of the $exe > variable?

The reason why I cannot solve this problem for you the right way, is that you have to inspect the source of the $exe variable. And that source is not in my module. Show quoted text

> Is there a way to permit this in this specific case (cleaning up the > reason for the tainting) ?

Tainting is a protection for you, that (other) bugs in your program can be ablused. You can, of course, disable all protection by removing the -T flag in the first line of the start-up script. You can also replace $exe by the absolute path to the sendmail binary. -- Regards, MarkOv ------------------------------------------------------------------------ Mark Overmeer MSc MARKOV Solutions Mark@Overmeer.net solutions@overmeer.net http://Mark.Overmeer.net http://solutions.overmeer.net

Wed Jul 23 08:57:37 2008 jkosin [...] beta.intcomgrp.com - Correspondence added

Subject:	Re: [rt.cpan.org #37849] Insecure Dependancy with sendmail.pm
Date:	Wed, 23 Jul 2008 08:57:17 -0400
To:	bug-MailTools [...] rt.cpan.org
From:	James Kosin <jkosin [...] beta.intcomgrp.com>

Mark Overmeer via RT wrote: Show quoted text

> <URL: http://rt.cpan.org/Ticket/Display.html?id=37849 > > > * James Kosin via RT (bug-MailTools@rt.cpan.org) [080722 20:41]:

>> How would one go about setting and/or clearing the tainting of the $exe >> variable?

> > The reason why I cannot solve this problem for you the right way, is > that you have to inspect the source of the $exe variable. And that > source is not in my module. >

>> Is there a way to permit this in this specific case (cleaning up the >> reason for the tainting) ?

> > Tainting is a protection for you, that (other) bugs in your program > can be ablused. You can, of course, disable all protection by removing > the -T flag in the first line of the start-up script. You can also > replace $exe by the absolute path to the sendmail binary.

Could I help inspect these values by using print? If so, How? I tried the absolute path to the sendmail binary and it still reports the same error; so, it may be tainting elsewhere. James

Download signature.asc
application/pgp-signature 258b

Message body not shown because it is not plain text.

Wed Jul 23 09:27:31 2008 jkosin [...] beta.intcomgrp.com - Correspondence added

Subject:	Re: [rt.cpan.org #37849] Insecure Dependancy with sendmail.pm
Date:	Wed, 23 Jul 2008 09:27:14 -0400
To:	bug-MailTools [...] rt.cpan.org
From:	James Kosin <jkosin [...] beta.intcomgrp.com>

Mark Overmeer via RT wrote: Show quoted text

> <URL: http://rt.cpan.org/Ticket/Display.html?id=37849 > > > * James Kosin via RT (bug-MailTools@rt.cpan.org) [080722 20:41]:

>> How would one go about setting and/or clearing the tainting of the $exe >> variable?

> > The reason why I cannot solve this problem for you the right way, is > that you have to inspect the source of the $exe variable. And that > source is not in my module. >

>> Is there a way to permit this in this specific case (cleaning up the >> reason for the tainting) ?

> > Tainting is a protection for you, that (other) bugs in your program > can be ablused. You can, of course, disable all protection by removing > the -T flag in the first line of the start-up script. You can also > replace $exe by the absolute path to the sendmail binary.

I managed to get the output working. Below is the output of $self, $exe and @$args. The ',' and text before the '=' was added by me to tell where the fields started. This is what I added to sendmail.pm to output the values. print 'Mailer=', $self, ', '; print 'Exe=', $exe, ', '; print @$args; Would you need any more information??? ---- Bugzilla Sanity CheckOK, now attempting to send unsent mail 11 bugs found with possibly unsent mail. Mailer=Mail::Mailer::sendmail=GLOB(0x8c53624), Exe=/usr/lib/sendmail, -i-fbugzilla-daemon Software error: Insecure dependency in exec while running with -T switch at /usr/lib/perl5/vendor_perl/5.10.0/Mail/Mailer/sendmail.pm line 25. For help, please send mail to the webmaster (root@support.intcomgrp.com), giving this error message and the time and date of the error. Software error: DBD::Pg::db selectrow_array failed: server closed the connection unexpectedly This probably means the server terminated abnormally before or while processing the request. [for Statement "SELECT userid, login_name, realname, disabledtext, mybugslink FROM profiles WHERE userid=?"] at Bugzilla/User.pm line 132 Bugzilla::User::_create('Bugzilla::User', 'userid=?', 4) called at Bugzilla/User.pm line 82 Bugzilla::User::new('Bugzilla::User', 4) called at Bugzilla/BugMail.pm line 416 Bugzilla::BugMail::ProcessOneBug(188, undef) called at Bugzilla/BugMail.pm line 115 Bugzilla::BugMail::Send(188) called at /var/www/html/bugzilla-2.22.2/sanitycheck.cgi line 245 For help, please send mail to the webmaster (root@support.intcomgrp.com), giving this error message and the time and date of the error.

Download signature.asc
application/pgp-signature 258b

Message body not shown because it is not plain text.

Wed Jul 23 16:34:33 2008 Mark [...] Overmeer.net - Correspondence added

Subject:	Re: [rt.cpan.org #37849] Insecure Dependancy with sendmail.pm
Date:	Wed, 23 Jul 2008 22:34:06 +0200
To:	James Kosin via RT <bug-MailTools [...] rt.cpan.org>
From:	Mark Overmeer <mark [...] overmeer.net>

* James Kosin via RT (bug-MailTools@rt.cpan.org) [080723 13:27]: Show quoted text

> Would you need any more information???

Again "tainting" is a complex subject. I expect in your case the message is tainted, because it is collected from the database, which is external and therefore untrusted. See the manual page of DBI about Taint and Programming Perl. It is a much too complex matter to explain in emails. -- Regards, MarkOv ------------------------------------------------------------------------ Mark Overmeer MSc MARKOV Solutions Mark@Overmeer.net solutions@overmeer.net http://Mark.Overmeer.net http://solutions.overmeer.net

Thu Jul 24 08:58:05 2008 jkosin [...] beta.intcomgrp.com - Correspondence added

Subject:	Re: [rt.cpan.org #37849] Insecure Dependancy with sendmail.pm
Date:	Thu, 24 Jul 2008 08:57:58 -0400
To:	bug-MailTools [...] rt.cpan.org
From:	James Kosin <jkosin [...] beta.intcomgrp.com>

Mark Overmeer via RT wrote: Show quoted text

> <URL: http://rt.cpan.org/Ticket/Display.html?id=37849 > > > * James Kosin via RT (bug-MailTools@rt.cpan.org) [080723 13:27]:

>> Would you need any more information???

> > Again "tainting" is a complex subject. I expect in your case the message > is tainted, because it is collected from the database, which is external > and therefore untrusted. > > See the manual page of DBI about Taint and Programming Perl. It is a much > too complex matter to explain in emails.

Thanks, I guess I have some deep reading to do... Know anyone at Bugzilla who may know how to fix this? Thanks again, James

Download signature.asc
application/pgp-signature 258b

Message body not shown because it is not plain text.

Tue Sep 02 04:07:09 2008 MARKOV [...] cpan.org - Status changed from 'open' to 'resolved'

Tue Sep 02 09:58:15 2008 jkosin [...] beta.intcomgrp.com - Correspondence added

Subject:	Re: [rt.cpan.org #37849] Resolved: Insecure Dependancy with sendmail.pm
Date:	Tue, 02 Sep 2008 09:59:00 -0400
To:	bug-MailTools [...] rt.cpan.org
From:	James Kosin <jkosin [...] beta.intcomgrp.com>

Mark Overmeer via RT wrote: Show quoted text

> <URL: http://rt.cpan.org/Ticket/Display.html?id=37849 > > > According to our records, your request has been resolved. If you have any > further questions or concerns, please respond to this message. >

Thanks, Yes, the problem was resolved. It appears bugzilla 2.22.4-5 are not supporting themselves anymore; so, any tainting is getting in the way with newer modules and perl versions. James Kosin

Download signature.asc
application/pgp-signature 258b

Message body not shown because it is not plain text.

Tue Sep 02 09:58:18 2008 The RT System itself - Status changed from 'resolved' to 'open'

Wed Oct 01 04:34:02 2008 MARKOV [...] cpan.org - Correspondence added

closed again

Wed Oct 01 04:34:04 2008 MARKOV [...] cpan.org - Status changed from 'open' to 'resolved'