Subject: Re: Insecure dependency in eval
To: Martti Kuparinen <firstname.lastname@example.org>
From: Roland Illig <rillig@NetBSD.org>
Date: 11/22/2005 14:07:51
Roland Illig wrote:
> Roland Illig wrote:
>> Martti Kuparinen wrote:
>>> Any ideas what this is?
>>> Unusual System Events
>>> Nov 22 04:26:36 p130 spamd: spamd: Insecure dependency in eval
>>> while running setuid at
>>> line 913.
>> The code there looks quite ugly, but _seems_ secure to me (I'll
>> continue trying). It tries to distinguish a "safe" regular expression
>> from a non-safe, while not adhering to the coding guidelines for
>> Perl's tainted mode at all.
>> You should report this as an upstream bug.
> I have just committed a fix (it's patch-ar) and bumped the PKGREVISION.
> Please update.
Please DON'T update. The is_regexp_valid() function contains a vulnerability. I'm
going to prepare a good patch and put that up here for discussion.
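As an added illustration of the taint-mode point raised in the quoted reply (example code, not from this thread and not SpamAssassin's own is_regexp_valid(); every name in it is hypothetical): a "looks safe" regex check that only validates leaves the value tainted, so a later eval STRING still dies with "Insecure dependency in eval", whereas extracting the value through a capture group, the perlsec idiom, untaints it. Run it as `perl -T script.pl`.

```perl
#!/usr/bin/perl -T
# Added example (not code from the original thread or from SpamAssassin):
# a "safe regex" check that only validates, without untainting, still
# trips "Insecure dependency in eval" under taint mode; a capture-group
# whitelist, the perlsec idiom, does not.
use strict;
use warnings;

# Constructed tainted input: every %ENV value is tainted under -T, so
# appending an empty slice of $ENV{PATH} taints an otherwise safe literal.
my $user_re = 'spam\d+' . substr($ENV{PATH}, 0, 0);

# A conservative whitelist; '/', '$' and '@' are deliberately excluded
# because the pattern is later interpolated into an eval STRING.
my $ALLOWED = qr/^([\w\\+*?.|()\[\]{}^-]+)$/;

# Validation only: the match succeeds, but the value handed back is still
# the tainted input, so every later "insecure" operation on it dies.
sub validate_only {
    my ($re) = @_;
    return $re =~ $ALLOWED ? $re : undef;
}

# perlsec idiom: data extracted through a capture group is untainted.
sub untaint_by_capture {
    my ($re) = @_;
    return $re =~ $ALLOWED ? $1 : undef;
}

# Compile through eval STRING, the operation taint mode refuses for tainted
# data and the only eval form that can produce "Insecure dependency in eval".
sub try_compile {
    my ($re) = @_;
    return "rejected by whitelist\n" unless defined $re;
    my $qr = eval "qr/$re/";   ## no critic: string eval is the point here
    return $@ ? "refused: $@" : "compiled: $qr\n";
}

print "validate_only      -> ", try_compile(validate_only($user_re));
print "untaint_by_capture -> ", try_compile(untaint_by_capture($user_re));
```

The first line prints the taint refusal, the second a compiled qr// object; in real code the string eval should go as well, since qr/$re/ inside an eval BLOCK compiles a pattern without exposing an eval STRING to untrusted data.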