https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7782
Bug ID: 7782
Summary: Insecure dependency in connect while running with -T switch at /usr/lib64/perl5/IO/Socket.pm line 114
Product: Spamassassin
Version: 3.4.3
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Plugins
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: Undefined
That's somehow a showstopper for the upgrade to 3.4.3.
How would someone abuse the hardcoded socket path from the config?
---------------------------------------
clamav.cf:
ifplugin Mail::SpamAssassin::Plugin::ClamAV
full CLAMAV_JNK eval:check_clamav('/run/clamd/clamd-sa.sock')
describe CLAMAV_JNK ClamAV detected malware/phishing/junk
priority CLAMAV_JNK 800
score CLAMAV_JNK 5.5
full CLAMAV_MLW eval:check_clamav('/run/clamd/clamd.sock')
describe CLAMAV_MLW ClamAV detected malware/phishing
priority CLAMAV_MLW 800
score CLAMAV_MLW 9.9
endif
---------------------------------------
clamav.pm:
package Mail::SpamAssassin::Plugin::ClamAV;

use strict;
use warnings;

use Mail::SpamAssassin;
use Mail::SpamAssassin::Plugin;
use Mail::SpamAssassin::Logger;
use File::Scan::ClamAV;

our @ISA = qw(Mail::SpamAssassin::Plugin);

sub new {
    my ($class, $mailsa) = @_;
    $class = ref($class) || $class;
    my $self = $class->SUPER::new($mailsa);
    bless($self, $class);

    # Exposes check_clamav() so the .cf rules above can call it as an eval rule.
    $self->register_eval_rule('check_clamav');
    return $self;
}

sub check_clamav {
    # $socket is the rule argument from clamav.cf (the clamd socket path);
    # it is passed through to File::Scan::ClamAV exactly as parsed.
    my ($self, $pms, $fulltext, $socket) = @_;
    dbg("ClamAV: File::Scan::ClamAV over %s", $socket);

    my $clamav = File::Scan::ClamAV->new(port => $socket);
    my ($code, $virus) = $clamav->streamscan(${$fulltext});

    my $isspam = 0;
    if (!$code) {
        # Connection or protocol failure: log it and do not score the message.
        my $errstr = $clamav->errstr();
        dbg("ClamAV: $errstr");
    }
    elsif ($code eq 'FOUND') {
        $isspam = 1;
        $pms->test_log($virus);
        dbg("ClamAV: $virus");
    }
    return $isspam;
}

1;
---------------------------------------
Jan 7 10:56:39 testserver spamd[1393]: spamd: server killed by SIGTERM, shutting down
Jan 7 10:56:42 testserver spamd[128349]: util: setuid: ruid=189 euid=189 rgid=188 188 egid=188 188
Jan 7 10:56:42 testserver spamd[128343]: rules: failed to run CLAMAV_JNK test, skipping:
Jan 7 10:56:42 testserver spamd[128343]: (Insecure dependency in connect while running with -T switch at /usr/lib64/perl5/IO/Socket.pm line 114.
Jan 7 10:56:42 testserver spamd[128343]: )
Jan 7 10:56:42 testserver spamd[128343]: rules: failed to run CLAMAV_MLW test, skipping:
Jan 7 10:56:42 testserver spamd[128343]: (Insecure dependency in connect while running with -T switch at /usr/lib64/perl5/IO/Socket.pm line 114.
Jan 7 10:56:42 testserver spamd[128343]: )
Jan 7 10:56:42 testserver spamd[128350]: util: setuid: ruid=189 euid=189 rgid=188 188 egid=188 188
Jan 7 10:56:42 testserver spamd[128343]: spamd: server started on UNIX domain socket /run/spamassassin/spamassassin.sock (running version 3.4.3)
Jan 7 10:56:42 testserver spamd[128343]: spamd: server pid: 128343
---------------------------------------
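Added example, not part of the bug report or of SpamAssassin: under spamd's -T the rule argument is tainted data, and IO::Socket refuses to connect() with it; the plugin has to launder the path through an allowlist regex first. The script below marks a literal as tainted the way the parsed .cf value arrives, and shows a hypothetical untaint_socket_path() helper producing a value connect() will accept (clamd itself is not contacted).

```perl
#!/usr/bin/perl -T
# Added example (not from the bug report or SpamAssassin). Run as: perl -T untaint.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T every %ENV value is tainted; appending a zero-length slice of one is
# the usual idiom for tainting a literal, which mimics how the .cf argument
# reaches check_clamav().
my $socket_arg = '/run/clamd/clamd-sa.sock' . substr($ENV{PATH} // '', 0, 0);

# Hypothetical helper: accept only an absolute path made of unambiguous
# characters. The capture group returns an untainted copy (perlsec,
# "Laundering and Detecting Tainted Data").
sub untaint_socket_path {
    my ($path) = @_;
    return undef unless defined $path;
    return $path =~ m{\A(/[A-Za-z0-9_./-]+)\z} ? $1 : undef;
}

# How the eval rule would use it before opening the socket: reject instead
# of blindly laundering when the value does not match the allowlist.
sub safe_socket_path {
    my ($arg) = @_;
    my $clean = untaint_socket_path($arg);
    die "check_clamav: refusing unsafe socket path '$arg'\n" unless defined $clean;
    return $clean;
}

my $clean = safe_socket_path($socket_arg);
printf "raw:   tainted=%d  %s\n", tainted($socket_arg) ? 1 : 0, $socket_arg;
printf "clean: tainted=%d  %s\n", tainted($clean)      ? 1 : 0, $clean;

# With the laundered value, IO::Socket::UNIX->new(Peer => $clean) no longer
# dies with "Insecure dependency in connect".

# Constructed bad inputs: a relative path and an embedded newline are refused.
for my $bad ('relative.sock', "/run/clamd/clamd.sock\nextra") {
    print "rejected: ", ($bad =~ s/\n/\\n/gr), "\n"
        unless defined untaint_socket_path($bad);
}
```

SpamAssassin ships its own helper for this, Mail::SpamAssassin::Util::untaint_file_path, which applies a similar allowlist and is what a plugin would normally call on the rule argument.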