The code feeds the results of $session->config('me') to sprintf as part of the format string. In practice, this is probably not a problem since hostnames don't contain percent signs. However, it triggers a taint warning in perl 5.10, making cram-md5 auth unusable.
This patch rewrites the sprintf to insert the 'me' value using a %s format specifier. --- I don't know the usual practice for submitting patches to qpsmtpd, so please let me know if I should be doing something differently. I was a little confused by the test infrastructure, so no test, but hopefully this change is Obviously Correct. I can trigger it on my Debian testing and unstable boxen with just this plugin: sub hook_auth_cram_md5 { return (DECLINED); } which generates this in the log: 1732 XX: Insecure dependency in sprintf while running with -T switch at lib/Qpsmtpd/Auth.pm line 63, <STDIN> line 3. ./qpsmtpd[1732]: command 'auth' failed unexpectedly (Bad file descriptor) lib/Qpsmtpd/Auth.pm | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/Qpsmtpd/Auth.pm b/lib/Qpsmtpd/Auth.pm index 6e9a2a5..635491a 100644 --- a/lib/Qpsmtpd/Auth.pm +++ b/lib/Qpsmtpd/Auth.pm @@ -60,8 +60,8 @@ sub SASL { # rand() is not cryptographic, but we only need to generate a globally # unique number. The rand() is there in case the user logs in more than # once in the same second, of if the clock is skewed. - $ticket = sprintf( "<%x.%x\@" . $session->config("me") . ">", - rand(1000000), time() ); + $ticket = sprintf( '<%x...@%s>', + rand(1000000), time(), $session->config("me") ); # We send the ticket encoded in Base64 $session->respond( 334, encode_base64( $ticket, "" ) ); -- 1.6.1.62.g8269b