Tony,

> We are having problems with amavis checking RAR, LHA, ARC and ZOO
> files. Some debugging shows that it's barfing at the exec() in
> fh_copy(), called by store_mgr(), called by do_unrar() and buddies.
>
> Aug 7 22:11:05 mymailserver-mail amavis[27962]: Decoding of
> msg-27957-2.rar (RAR archive data, v1d, os: Unix) failed, leaving it
> unpacked: Insecure dependency in exec while running with -T switch at
> /root/amavis line 1073. (message-id=<[EMAIL PROTECTED]>)
>
> The problem seems to be that there is no detainting of the filenames
> derived from the archives, so Perl rightly dies before it tries to
> exec something. Consider this: if there was a RAR file that had a
> compressed file called "MyDoc ; rm -rf /" (yes, can be done - tested
> something similar with an LHA file). This would be bad if not detainted.
>
> Is this a bug with amavis? As far as I can tell, no RAR et al files are
> going to get through, virus-free or not.
>
> Our system:
> OS: Mandrake Linux 10.0 Community
> Amavis: 0.3.12 (hand-rolled, not RPM)

Amavis 0.3.12 hasn't received any updates or security fixes for the last
two and a half years. I guess nobody bothers to fix it because few people
still use it. The only version in active maintenance nowadays is
amavisd-new.

Mark

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/
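The taint-mode failure discussed above, shown as an added example that is neither amavis code nor from either poster: a member name read from an archive listing is tainted under -T, so it must pass through an allowlist regex capture before it can be handed to exec()/system(), and the list form of system() keeps the shell out of the picture entirely. The file names, untaint_name() and copy_out() are constructed for this illustration.

```perl
#!/usr/bin/perl -T
# Added example (not amavis code): untainting archive-derived file names
# before they reach exec()/system() under Perl's -T switch.
use strict;
use warnings;

# Constructed sample: names as an unpacker might list them. The second one
# is the kind of name the post describes; it must never reach a shell.
my @names_from_archive = ('MyDoc.txt', 'MyDoc ; rm -rf /');

# Under -T, data read from files, pipes or the environment is tainted, and
# every argument of exec()/system() is checked, even in list form. The only
# way to clear the taint is to extract a substring through a regex capture,
# so the capture pattern IS the security policy: keep it a strict allowlist.
sub untaint_name {
    my ($name) = @_;
    # Letters, digits, dot, dash, underscore; no leading dot, no path
    # separators, no whitespace, no shell metacharacters; bounded length.
    if ($name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,254})\z/) {
        return $1;    # $1 is untainted
    }
    return;           # undef: caller must not run anything built from $name
}

sub copy_out {
    my ($name, $dest_dir) = @_;
    my $safe = untaint_name($name);
    unless (defined $safe) {
        warn "refusing to handle unsafe archive member name: $name\n";
        return 0;
    }
    # -T also refuses exec()/system() while $ENV{PATH} is tainted.
    local $ENV{PATH} = '/bin:/usr/bin';
    # List form never invokes /bin/sh, so metacharacters in $safe could not
    # be interpreted even if the allowlist above were looser than it is.
    my $rc = system('cp', '--', $safe, "$dest_dir/");
    return $rc == 0;
}

for my $name (@names_from_archive) {
    my $safe = untaint_name($name);
    printf "%-22s -> %s\n", "'$name'", defined $safe ? "ok: $safe" : "rejected";
}
# The hostile name is rejected before any command is built or run:
copy_out('MyDoc ; rm -rf /', '/tmp');
```

Run it as `perl -T` (or via the shebang), since Perl refuses to enable taint checks after startup; the first name is accepted, the second is rejected and nothing is executed for it.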