Package: libnet-server-perl
Version: 0.89-1

On Mon, Dec 19, 2005 at 10:03:33AM +0100, Jacco van Koll wrote:
>I'm sorry to inform you that perl 5.8.7-10 breaks amavisd-new. I have 2 
>machines running at this time, both on 'unstable'. One is running perl 
>5.8.7-9 and amavisd-new, which is running like a charm. The other, is 
>having perl-5.8.7-10, which gives errors like:
>
>Starting amavisd: Insecure dependency in `` while running with -T switch 
>at /usr/share/perl5/Net/Server/Daemonize.pm line 67.amavisd-new.
>
>Only difference between the both is the (sub) version of perl 
>installed. Hope you can figure out what the differences are, so I can 
>start using amavis on this machine as well :-)

Thanks,

I believe that the problem is with Net::Server::Daemonize (bug
follows).

The code around that line does something like this:

    if (-d '/proc' && -e "/proc/$current_pid") {
        $exists = 1;
    } elsif (ps finds $$) {
        $exists = `ps h o pid p $current_pid`; # tainted
    }

The failure occurs because $current_pid is tainted (read from a file).

I'm guessing that the problem is that amavisd-new has died at some
stage, so -e "/proc/$current_pid" fails and falls through to the ps
test.  If you remove the old amavisd-new pid file I think you'll find
that the process will start.

A patch (untested) for Net::Server::Daemonize follows which:

  * untaints the value from pid file, and
  * does not fall back to the ps check if /proc is mounted

--bod

--- Daemonize.pm.orig   2005-11-23 19:09:13.000000000 +1100
+++ Daemonize.pm        2005-12-20 08:46:06.000000000 +1100
@@ -58,14 +58,19 @@
   }
   my $current_pid = <_PID>;
   close _PID;
-  chomp($current_pid);
 
+  unless( defined $current_pid and $current_pid =~ /^\s*(\d+)/ ){
+    warn "Couldn't find a PID in \"$pid_file\"\n";
+    return 1;
+  }
+
+  ($current_pid) = $1; # untaint
 
   my $exists = undef;
 
   ### try a proc file system
-  if( -d '/proc' && -e "/proc/$current_pid" ){
-    $exists = 1;
+  if( -d '/proc' ){
+    $exists = -e "/proc/$current_pid";
 
   ### try ps
   #}elsif( -x '/bin/ps' ){ # not as portable
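
Review bot: In the new `if( -d '/proc' )` branch, the presence of a /proc directory is treated as proof that procfs is mounted there. Where /proc exists but is empty (a chroot, or a platform with nothing mounted on it), `-e "/proc/$current_pid"` is false for a live process and the ps branch that follows is skipped, so a running daemon would be reported as gone. Consider also requiring `-e "/proc/$$"` before trusting the result. Separately, `/^\s*(\d+)/` is not anchored at the end, so a pid file containing `123abc` is accepted as 123; `/^\s*(\d+)\s*$/` would reject it.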


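The taint failure discussed in the message above can be reproduced in isolation. This is an added example, not code from the original message or from Net::Server; the script name `taint_pid.pl`, the `untaint_pid` helper, the temporary pid file and the POSIX `ps -o pid= -p` spelling are assumptions. Run it as `perl -T taint_pid.pl`.

```perl
#!/usr/bin/perl -T
# Added example (not Net::Server code): a PID read from a file is tainted,
# and taint mode refuses to pass it to backticks until it has been
# extracted through a regex capture.
use strict;
use warnings;
use File::Temp qw(tempfile);
use Scalar::Util qw(tainted);

# Taint mode also refuses to run commands with an untrusted environment.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed pid file holding this script's own PID.
my ($fh, $pid_file) = tempfile(UNLINK => 1);
print {$fh} "$$\n";
close $fh or die "close: $!";

open my $in, '<', $pid_file or die "open $pid_file: $!";
my $raw = <$in>;          # all file input is tainted
close $in;
printf "value read from file tainted: %s\n", tainted($raw) ? 'yes' : 'no';

# Interpolating the tainted value into backticks dies before ps is run.
my $out = eval { `ps -o pid= -p $raw` };
print "backticks with tainted pid: ", ($@ ? $@ : "ran\n");

# Hypothetical helper: accept only a plain decimal PID, anchored at both
# ends, and return the captured (untainted) digits or undef.
sub untaint_pid {
    my ($value) = @_;
    return undef unless defined $value;
    return $value =~ /\A\s*([1-9][0-9]{0,9})\s*\z/ ? $1 : undef;
}

my $pid = untaint_pid($raw);
defined $pid or die "Couldn't find a PID in \"$pid_file\"\n";
printf "captured value tainted: %s\n", tainted($pid) ? 'yes' : 'no';

# The same command now passes the taint check and actually runs.
my $found = `ps -o pid= -p $pid`;
print defined $found && $found =~ /\d/ ? "ps reports: $found" : "ps found nothing\n";

# Trailing garbage is rejected rather than silently truncated.
print "\"12abc\" rejected\n" unless defined untaint_pid("12abc\n");
```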