Re: [AMaViS-user] taint checking problems?

Tony,

> We are having problems with amavis checking RAR, LHA, ARC and ZOO
> files. Some debugging shows that it's barfing at the exec() in
> fh_copy(), called by store_mgr(), called by do_unrar() and buddies.

> Aug 7 22:11:05 mymailserver-mail amavis[27962]: Decoding of
> msg-27957-2.rar (RAR archive data, v1d, os: Unix) failed, leaving it
> unpacked: Insecure dependency in exec while running with -T switch at
> /root/amavis line 1073. (message-id=<42EF4535.9040800@mydomain.com>)

> The problem seems to be that there is no detainting of the filenames
> derived from the archives, so Perl rightly dies when before it tries to
> exec something. Consider this: if there was a RAR file that had a
> compressed file called "MyDoc ; rm -rf /" (yes, can be done - tested
> something similar with an LHA file). This would be bad if not detainted.
>
> Is this a bug with amavis? As far as I can tell, no RAR et al files are
> going to get through virus-free or not.

> Our system:
> OS: Mandrake Linux 10.0 Community
> Amavis: 0.3.12 (hand-rolled, not RPM)

Amavis: 0.3.12 hasn't received any updates or security fixes for the last two
years and a half. I guess nobody bothers to fix it because few people still
use it. The only version in active maintenance nowadays is amavisd-new.

Mark


-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/...fo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/