Your message dated Tue, 20 Mar 2012 12:19:58 +0100 (CET)
with message-id <[email protected]>
and subject line believed fixed
has caused the Debian Bug report #504509,
regarding amstatus exits with "insecure dependency" warning
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
504509: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504509
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: amanda-server
Version: 1:2.5.2p1-4
Severity: normal
Regardless of configuration or parameters, /usr/sbin/amstatus exits with a
taint perl warning and a bit of garbled output. Example:
>>>
keldon:~# amstatus CAPCom
Using /etc/amanda/CAPCom/log/amdump.1 from Mon Nov 3 21:00:01 CET 2008
Insecure dependency in printf while running with -T switch at
/usr/sbin/amstatus line 1024.
146.140.209.8:/dev/md1 1 keldon:~#
<<<
While this is probably the right reaction from "perl -T"'s perspective, it
also makes amstatus impossible to use. Line 1024 sees the use of $unit,
which is taken from the output of an external program (call to amgetconf in
line 118), and hence is tainted, as an argument to an external program,
printf. Possible solutions are dropping the "-T" from the first line to
disable taint mode, replacing the calls to external printf by the internal
formatting functions, or "laundering" the tainted variables as per
perlsec(1). While the latter is a pain in general, it is doable here.
Concept code (not tested):
#118
$unit=`$sbindir/amgetconf$suf displayunit`;
chomp($unit);
# insert value checking / laundering code:
# (the match must capture: only a capture group untaints, and $1 is
# only set by a successful match with parentheses)
if ( !($unit =~ /^([kKMGT])$/) )
{
    # complain about bad output from amgetconf; exit
    die "amgetconf returned unexpected displayunit '$unit'\n";
}
$unit = lcfirst($1);
# $unit is now untainted
#120
$unitdivisor=1;
I have not evaluated how many more calls to printf have additional problems
with variables derived in a similar fashion; it might be more practical to
just drop the -T flag instead of cleaning a lot of variables in the above
way.
However it is done, I would like to see amstatus returned to working
condition.
Side note: The same code (and problem) seems to persist in the current
2.6.0p2 upstream version.
Sincerely,
Ralph Rößner
--
Ralph Rößner
CAPCom AG < http://www.capcom.de >
Rundeturmstr. 10, 64283 Darmstadt, Germany
Phone +49 6151 155 900, Fax +49 6151 155 909
Management board: Luc Neumann (Chairman)
Chairman of the supervisory board: Prof. Dr.-Ing. José L. Encarnação
Registered office: Darmstadt, Register court: Darmstadt HRB 8090
--- End Message ---
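The laundering the report sketches, as an added example that is not part of the bug report or of amanda's own code: a Perl script run under -T reads a value from a child process (a constructed `echo k` stands in for `amgetconf displayunit`), shows with Scalar::Util::tainted that the value is tainted, untaints it only through a regex capture group as perlsec prescribes, and then shows that the laundered value is accepted in a printf format while the raw value reproduces the fatal "Insecure dependency in printf" quoted above. The function name `launder_unit`, the sample command and the lowercasing (mirroring the report's lcfirst) are assumptions.

```perl
#!/usr/bin/perl -T
# Added example of taint-mode laundering; not amstatus code.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, running any external command requires a trusted PATH and the
# removal of a few shell-influencing variables (see perlsec); otherwise the
# backticks themselves die with "Insecure $ENV{PATH}".
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed stand-in for `$sbindir/amgetconf$suf displayunit`.
my $raw = `echo k`;
chomp $raw;
printf "raw value '%s' tainted: %s\n", $raw, tainted($raw) ? 'yes' : 'no';

# Laundering: the only thing that untaints is a regex capture. A match
# without parentheses (as in /^[kKMGT]$/) leaves the variable tainted and
# does not set $1, so the value must be extracted through a capture group,
# and anything that does not match must be rejected rather than passed on.
sub launder_unit {
    my ($value) = @_;
    if ($value =~ /^([kKMGT])$/) {
        return lc $1;    # $1 is untainted; lowercased like the report's lcfirst
    }
    die "unexpected displayunit '$value' from amgetconf\n";
}

my $unit = launder_unit($raw);
printf "laundered value '%s' tainted: %s\n", $unit, tainted($unit) ? 'yes' : 'no';

# With the laundered unit in the format string, printf is allowed under -T.
# (Tainted *arguments* are fine; only a tainted *format* is refused.)
my $size_kb = 1234.5;
printf "%8.1f$unit\n", $size_kb;

# For contrast, the same format built from the raw, tainted value is what
# produced the report's error; eval catches the fatal "Insecure dependency".
eval { printf "%8.1f$raw\n", $size_kb; 1 } or print "printf refused: $@";

# Rejected input: amgetconf output that is not a single unit letter.
eval { launder_unit("k\nbogus"); 1 } or print "rejected: $@";
```

Run it as `perl -T example.pl` (or make it executable so the shebang's -T takes effect; passing the script to perl without -T fails with "Too late for -T option"). The design point is that the check and the untainting are the same operation: the capture group both validates the value against the allowed set and produces the clean copy, so there is no path where an unvalidated value reaches the format string.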
--- Begin Message ---
The root cause of this problem is believed to be fixed in more recent versions
of amanda in Debian.
Bdale
--- End Message ---