CVE-2018-11805 fix and sa-exim

Wed, 18 Dec 2019 06:58:12 -0800 


I'm still using sa-exim in my servers:

        https://sourceforge.net/projects/sa-exim/
        https://packages.debian.org/search?keywords=sa-exim

recently i've upgraded spamassassin with the fix to CVE-2018-11805, and
suddenly i've started to receive:

 Dec 16 10:04:53 vdmpp1 spamd[15196]: rules: failed to run GREYLIST_ISWHITE 
test, skipping:
 Dec 16 10:04:53 vdmpp1 spamd[15196]:  (Insecure dependency in eval while 
running with -T switch at 
/usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm line 76.
 Dec 16 10:04:53 vdmpp1 spamd[15196]: )

Currently in local.cf i use sa-exim with:

 ifplugin Greylisting
   header GREYLIST_ISWHITE eval:greylisting("( 'dir' => 
'/var/spool/sa-exim/tuplets'; 'method' => 'dir'; 'greylistsecs' => '1800'; 
'dontgreylistthreshold' => 10; 'connectiphdr' => 'X-SA-Exim-Connect-IP'; 
'envfromhdr' => 'X-SA-Exim-Mail-From'; 'rcpttohdr' => 'X-SA-Exim-Rcpt-To'; 
'greylistnullfrom' => 1; 'greylistfourthbyte' => 0 )")
   describe GREYLIST_ISWHITE The incoming server has been whitelisted for this 
recipient and sender
   score GREYLIST_ISWHITE  -1.5
   priority GREYLIST_ISWHITE 99999
 endif # Greylisting


Looking at the plugin code, the culprit come from:

    $optionhash  =~ s/;/,/g;
    # This is safe, right? (users shouldn't be able to set it in their config)
    %option=eval $optionhash;

So seems to me that the CVE fix 'broke' the options handling of the
plugin ('eval' is not permitted anymore?!). If i substitute the former with:

    #$optionhash  =~ s/;/,/g;
    # This is safe, right? (users shouldn't be able to set it in their config)
    #%option=eval $optionhash;
    %option = ('dir' => '/var/spool/sa-exim/tuplets',
        'method' => 'dir',
        'greylistsecs' => '1800',
        'dontgreylistthreshold' => 10,
        'connectiphdr' => 'X-SA-Exim-Connect-IP',
        'envfromhdr' => 'X-SA-Exim-Mail-From',
        'rcpttohdr' => 'X-SA-Exim-Rcpt-To',
        'greylistnullfrom' => 1,
        'greylistfourthbyte' => 0 );
    $self->{'rangreylisting'}=1;

the plugin works as expected.


Probably, in these years, SA changed a bit the way options are passed
to the plugin, and finally CVE-2018-11805 broke the old method.


I've tried to look at other plugin, to try to understand how options
works now, but iknow little perl and i get puzzled.


Someone can help me to fix the plugin? Thanks.

-- 
dott. Marco Gaiarin                                     GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

Reply via email to