Niko Tyni wrote:
> Hi security team,
>
> I'm very sorry that you have to hear from me again :(
>
> There's a regression in the patch for DSA-960-1, for both woody and sarge.
> When $HOME is not set, Mail::Audit is now creating logfiles in cwd and
> dying if it's not writable. This happens even if logging is turned off,
> which makes the problem much more serious.

Doo, I have to agree that it is confusing to have tempdir() use different
parameters than tempfile(), but only partially.

> I have not yet had a proper look at the proposed patches in #350954 and
> the last message of #344029, but I wanted to make you aware of this.
>
> Again, my apologies for the bad handling of this.

Comments on the attached patch, which is the least intrusive to the update we're already distributing?

Regards,

	Joey

-- 
MIME - broken solution for a broken design. -- Ralf Baechle

Please always Cc to me when replying to me on the lists.

diff -u libmail-audit-perl-2.1/Audit.pm libmail-audit-perl-2.1/Audit.pm
--- libmail-audit-perl-2.1/Audit.pm
+++ libmail-audit-perl-2.1/Audit.pm
@@ -4,7 +4,13 @@
 my $logging;
 my $loglevel=3;
-my $logfile = "/tmp/".getpwuid($>)."-audit.log";
+my $logfile;
+if (exists $ENV{HOME} and defined $ENV{HOME} and -d $ENV{HOME}) {
+ $logfile = "$ENV{HOME}/.mail_audit.log";
+}
+else {
+ (undef,$logfile) = tempfile("mail_audit.log-XXXXX", DIR => File::Spec->tmpdir);
+}
 # ----------------------------------------------------------
 # no user-modifiable parts below this line.
@@ -18,6 +24,8 @@
 use vars qw($VERSION @ISA @EXPORT @EXPORT_OK $ASSUME_MSGPREFIX); # @ISA will depend on whether the message is MIME; if it is, we'll be MIME::Entity. if not, we'll be Mail::Internet.
 use Fcntl ':flock';
+use File::Spec;
+use File::Temp qw(tempfile);
 $ASSUME_MSGPREFIX = 0;
--- libmail-audit-perl-2.1.orig/Audit/MimeEntity.pm
+++ libmail-audit-perl-2.1/Audit/MimeEntity.pm
@@ -4,6 +4,7 @@
 use strict;
 use File::Path;
+use File::Temp qw(tempdir);
 use MIME::Parser;
 use MIME::Entity;
 use Mail::Audit::MailInternet;
@@ -12,10 +13,12 @@
 $VERSION = '2.0';
-$MIME_PARSER_TMPDIR = "/tmp/".getpwuid($>)."-mailaudit";
-
 my $parser = MIME::Parser->new();
+# Create a tempdir using File::Temp::tempdir, have it be destroyed at
+# END{} time.
+$MIME_PARSER_TMPDIR = tempdir(CLEANUP => 1);
+
 my @to_rmdir;
 sub autotype_new {
@@ -23,8 +26,6 @@
 my $mailinternet = shift;
 $parser->ignore_errors(1);
- mkdir ($MIME_PARSER_TMPDIR, 0777);
- if (! -d $MIME_PARSER_TMPDIR) { $MIME_PARSER_TMPDIR = "/tmp" }
 $parser->output_under($MIME_PARSER_TMPDIR); # todo: add eval error trapping. if there's a problem, return Mail::Audit::MailInternet as a fallback.
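Review bot: The `else` branch of the new `$logfile` block in Audit.pm calls `tempfile()` at module load, so a process started without a usable `$HOME` still creates a `mail_audit.log-XXXXX` file in the temp directory whether or not logging is enabled, which is the behaviour the report above calls out. Because the filename is requested, File::Temp keeps the file after exit, so each run leaves one behind, and `(undef,$logfile)` drops the exclusively opened handle, so whatever writes the log (outside this hunk) presumably has to reopen the path by name. I would leave `$logfile` undefined in this branch and create the file on the first log write, keeping the handle: `my ($log_fh, $log_name) = tempfile("mail_audit.log-XXXXX", DIR => File::Spec->tmpdir);`. The same lines appear on the new side of the second diff.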
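Review bot: `$MIME_PARSER_TMPDIR = tempdir(CLEANUP => 1);` in Audit/MimeEntity.pm now runs when the module is loaded, and `tempdir()` croaks if it cannot create the directory, so a message that never reaches `autotype_new` can still abort the filter; the old fallback is removed in the next hunk and nothing replaces it. `CLEANUP => 1` also relies on END-time cleanup, which presumably does not run if the filter finishes through `exec`, so that is worth confirming against how Mail::Audit hands mail off. I would create the directory inside `autotype_new` under `eval`, e.g. `$MIME_PARSER_TMPDIR ||= eval { tempdir(CLEANUP => 1) };`, and on failure return the Mail::Audit::MailInternet fallback that the existing `# todo` comment describes, rather than going back to a shared `/tmp`. `autotype_new` continues past the end of the hunk.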
diff -u libmail-audit-perl-2.1/Audit.pm libmail-audit-perl-2.1/Audit.pm
--- libmail-audit-perl-2.1/Audit.pm
+++ libmail-audit-perl-2.1/Audit.pm
@@ -6,10 +6,10 @@
 my $loglevel=3;
 my $logfile;
 if (exists $ENV{HOME} and defined $ENV{HOME} and -d $ENV{HOME}) {
- $logfile = "$ENV{HOME}/.mail_audit.log"
+ $logfile = "$ENV{HOME}/.mail_audit.log";
 }
 else {
- (undef,$logfile) = tempfile("mail_audit.log-XXXXX",TMPDIR=>1);
+ (undef,$logfile) = tempfile("mail_audit.log-XXXXX", DIR => File::Spec->tmpdir);
 }
 # ----------------------------------------------------------
@@ -24,6 +24,7 @@
 use vars qw($VERSION @ISA @EXPORT @EXPORT_OK $ASSUME_MSGPREFIX); # @ISA will depend on whether the message is MIME; if it is, we'll be MIME::Entity. if not, we'll be Mail::Internet.
 use Fcntl ':flock';
+use File::Spec;
 use File::Temp qw(tempfile);
 $ASSUME_MSGPREFIX = 0;
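Review bot: When `$HOME` is unset the corrected `else` branch goes straight to a randomly named file under `File::Spec->tmpdir`, although the account's home directory is still available from the passwd database that the pre-patch code queried with `getpwuid($>)` (removed line in the first diff). Trying `(getpwuid($>))[7]` before the temp-file fallback would keep the log in one private, predictable place, for example `my $home = defined $ENV{HOME} ? $ENV{HOME} : (getpwuid($>))[7];` followed by the existing `-d` test on `$home`. In the condition itself `exists $ENV{HOME} and` is redundant, because `defined` is already false for a missing key.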