rpms/spamassassin
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix SA#5574 which cripples dcc/pyzor users

Browse Source
This commit is contained in:
Warren Togami 2007-08-02 20:02:47 +00:00
parent c225981590
commit d940be6613
2 changed files with 180 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

174
Mail-SpamAssassin-3.2.2-bug5574-setuid.patch Normal file
View File

@ -0,0 +1,174 @@
Index: MANIFEST
===================================================================
--- MANIFEST (revision 558745)
+++ MANIFEST (working copy)
@@ -502,3 +502,5 @@
t/spamc_H.t
t/spamc_x_E_R.t
t/spamc_x_e.t
+t/root_spamd_u.t
+t/root_spamd_u_dcc.t
Index: lib/Mail/SpamAssassin/Util.pm
===================================================================
--- lib/Mail/SpamAssassin/Util.pm (revision 558745)
+++ lib/Mail/SpamAssassin/Util.pm (working copy)
@@ -1336,6 +1336,7 @@
# bug 3586: kludges needed to work around platform dependent behavior assigning to $<
# The POSIX functions deal with that so just use it here
POSIX::setuid($touid);
+ $< = $touid; $> = $touid; # bug 5574
# Check that we have now accomplished the setuid: catch bug 3586 if it comes back
if ($< != $touid) {
Index: t/root_spamd_u_dcc.t
===================================================================
--- t/root_spamd_u_dcc.t (revision 0)
+++ t/root_spamd_u_dcc.t (revision 0)
@@ -0,0 +1,65 @@
+#!/usr/bin/perl
+#
+# test for http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5574#c12 .
+# run with: sudo prove -v t/root_spamd*
+
+use lib '.'; use lib 't';
+use SATest; sa_t_init("root_spamd_u_dcc");
+use Test;
+
+use constant TEST_ENABLED => conf_bool('run_root_tests');
+use constant DCC_TEST_ENABLED => conf_bool('run_dcc_tests');
+use constant IS_ROOT => eval { ($> == 0); };
+use constant RUN_TESTS => (TEST_ENABLED && DCC_TEST_ENABLED && IS_ROOT);
+
+BEGIN { plan tests => (RUN_TESTS ? 23 : 0) };
+exit unless RUN_TESTS;
+
+# ---------------------------------------------------------------------------
+
+%patterns = (
+ q{ spam reported to DCC }, 'dcc report',
+ );
+
+tstpre ("
+
+ loadplugin Mail::SpamAssassin::Plugin::DCC
+ dcc_timeout 30
+
+");
+
+ok sarun ("-t -D info -r < data/spam/gtubedcc.eml 2>&1", \&patterns_run_cb);
+# ok_all_patterns();
+
+# ---------------------------------------------------------------------------
+
+%patterns = (
+
+q{ X-Spam-Status: Yes, score=}, 'status',
+q{ X-Spam-Flag: YES}, 'flag',
+q{ X-Spam-Level: **********}, 'stars',
+
+);
+
+# run spamc as unpriv uid
+$spamc = "sudo -u nobody $spamc";
+
+$SIG{ALRM} = sub { stop_spamd(); die "timed out"; };
+alarm 60;
+ok(start_spamd("-c -H -m1"));
+alarm 0;
+
+# run a few times to ensure that the child can process more than
+# one message successfully. do not bother looking for the dcc
+# result; we just want to ensure that the check did not cause
+# the spamd kids to get hung
+for my $try (1 .. 5) {
+ $SIG{ALRM} = sub { stop_spamd(); die "timed out"; };
+ alarm 30;
+ ok(spamcrun("< data/spam/gtubedcc.eml", \&patterns_run_cb));
+ alarm 0;
+ ok_all_patterns();
+}
+
+ok(stop_spamd());
+
Property changes on: t/root_spamd_u_dcc.t
___________________________________________________________________
Name: svn:executable
+ *
Index: t/root_spamd_u.t
===================================================================
--- t/root_spamd_u.t (revision 0)
+++ t/root_spamd_u.t (revision 0)
@@ -0,0 +1,48 @@
+#!/usr/bin/perl
+
+# run with: sudo prove -v t/root_spamd*
+
+use lib '.'; use lib 't';
+use SATest; sa_t_init("root_spamd_u");
+use Test;
+
+use constant TEST_ENABLED => conf_bool('run_root_tests');
+use constant IS_ROOT => eval { ($> == 0); };
+use constant RUN_TESTS => (TEST_ENABLED && IS_ROOT);
+
+BEGIN { plan tests => (RUN_TESTS ? 14 : 0) };
+exit unless RUN_TESTS;
+
+# ---------------------------------------------------------------------------
+
+%patterns = (
+
+q{ Return-Path: sb55sb55@yahoo.com}, 'firstline',
+q{ Subject: There yours for FREE!}, 'subj',
+q{ X-Spam-Status: Yes, score=}, 'status',
+q{ X-Spam-Flag: YES}, 'flag',
+q{ X-Spam-Level: **********}, 'stars',
+q{ TEST_ENDSNUMS}, 'endsinnums',
+q{ TEST_NOREALNAME}, 'noreal',
+q{ This must be the very last line}, 'lastline',
+
+);
+
+# run spamc as unpriv uid
+$spamc = "sudo -u nobody $spamc";
+
+ok(start_spamd("-L -u nobody"));
+
+ok(spamcrun("< data/spam/001", \&patterns_run_cb));
+ok_all_patterns();
+
+%patterns = (
+q{ X-Spam-Status: Yes, score=}, 'status',
+q{ X-Spam-Flag: YES}, 'flag',
+ );
+
+
+ok (spamcrun("< data/spam/018", \&patterns_run_cb));
+ok_all_patterns();
+
+ok(stop_spamd());
Property changes on: t/root_spamd_u.t
___________________________________________________________________
Name: svn:executable
+ *
Index: spamd/spamd.raw
===================================================================
--- spamd/spamd.raw (revision 558745)
+++ spamd/spamd.raw (working copy)
@@ -1024,10 +1024,11 @@
# use the POSIX functions to hide the platform specific workarounds
POSIX::setgid($ugid); # set effective and real gid
POSIX::setuid($uuid); # set effective and real UID
+ $< = $uuid; $> = $uuid; # bug 5574
# keep the sanity check to catch problems like bug 3900 just in case
if ( $> != $uuid and $> != ( $uuid - 2**32 ) ) {
- die "spamd: setuid to uid $uuid failed\n";
+ die "spamd: setuid to uid $uuid failed (> = $>, < = $<)\n";
}
}

7
spamassassin.spec
View File

@ -14,7 +14,7 @@
Summary: Spam filter for email which can be invoked from mail delivery agents. Summary: Spam filter for email which can be invoked from mail delivery agents.
Name: spamassassin Name: spamassassin
Version: 3.2.2 Version: 3.2.2
Release: 1%{?dist} Release: 2%{?dist}
License: Apache License License: Apache License
Group: Applications/Internet Group: Applications/Internet
URL: http://spamassassin.apache.org/ URL: http://spamassassin.apache.org/
@ -30,6 +30,7 @@ Source10: spamassassin-helper.sh
# Patches 0-99 are RH specific # Patches 0-99 are RH specific
# none yet # none yet
# Patches 100+ are SVN backports (DO NOT REUSE!) # Patches 100+ are SVN backports (DO NOT REUSE!)
Patch100: Mail-SpamAssassin-3.2.2-bug5574-setuid.patch
# end of patches # end of patches
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
Buildroot: %{_tmppath}/%{name}-root Buildroot: %{_tmppath}/%{name}-root
@ -92,6 +93,7 @@ To filter spam for all users, add that line to /etc/procmailrc
# Patches 0-99 are RH specific # Patches 0-99 are RH specific
# none yet # none yet
# Patches 100+ are SVN backports (DO NOT REUSE!) # Patches 100+ are SVN backports (DO NOT REUSE!)
%patch100 -p0
# end of patches # end of patches
%build %build
@ -193,6 +195,9 @@ fi
exit 0 exit 0
%changelog %changelog
* Thu Aug 2 2007 Warren Togami <wtogami@redhat.com> 3.2.2-2
- Fix SA#5574 which cripples dcc/pyzor users
* Wed Jul 25 2007 Warren Togami <wtogami@redhat.com> 3.2.2-1 * Wed Jul 25 2007 Warren Togami <wtogami@redhat.com> 3.2.2-1
- 3.2.2 minor bugfix release - 3.2.2 minor bugfix release