rpms/spamassassin/F-7 Mail-SpamAssassin-3.2.2-bug5574-setuid.patch, NONE, 1.1 spamassassin.spec, 1.97, 1.98

Warren Togami (wtogami) fedora-extras-commits at redhat.com
Thu Aug 2 20:18:03 UTC 2007


Author: wtogami

Update of /cvs/pkgs/rpms/spamassassin/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv27280

Modified Files:
	spamassassin.spec 
Added Files:
	Mail-SpamAssassin-3.2.2-bug5574-setuid.patch 
Log Message:
Fix SA#5574 which cripples dcc/pyzor users


Mail-SpamAssassin-3.2.2-bug5574-setuid.patch:

--- NEW FILE Mail-SpamAssassin-3.2.2-bug5574-setuid.patch ---
Index: MANIFEST
===================================================================
--- MANIFEST	(revision 558745)
+++ MANIFEST	(working copy)
@@ -502,3 +502,5 @@
 t/spamc_H.t
 t/spamc_x_E_R.t
 t/spamc_x_e.t
+t/root_spamd_u.t
+t/root_spamd_u_dcc.t
Index: lib/Mail/SpamAssassin/Util.pm
===================================================================
--- lib/Mail/SpamAssassin/Util.pm	(revision 558745)
+++ lib/Mail/SpamAssassin/Util.pm	(working copy)
@@ -1336,6 +1336,7 @@
     # bug 3586: kludges needed to work around platform dependent behavior assigning to $<
     #  The POSIX functions deal with that so just use it here
     POSIX::setuid($touid);
+    $< = $touid; $> = $touid;       # bug 5574
 
     # Check that we have now accomplished the setuid: catch bug 3586 if it comes back
     if ($< != $touid) {
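Review bot: The fallback `$< = $touid; $> = $touid;` added after `POSIX::setuid($touid)` is never verified for the effective uid: the sanity check visible below compares only `$<`, so a process whose real uid changed but whose effective uid is still privileged would pass it in the lines shown. Consider testing both, e.g. `if ($< != $touid or $> != $touid) {`, keeping whatever wrap-around allowance the platform needs. Assigning the two ids separately may also leave the saved set-user-ID unchanged on some platforms, so it is worth checking the return value of `POSIX::setuid` and saying in the `# bug 5574` comment why the extra assignments are needed. The mirror-image case is in spamd/spamd.raw, where the check covers `$>` but not `$<`. The enclosing function starts and ends outside this hunk, so a later check may already exist.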
Index: t/root_spamd_u_dcc.t
===================================================================
--- t/root_spamd_u_dcc.t	(revision 0)
+++ t/root_spamd_u_dcc.t	(revision 0)
@@ -0,0 +1,65 @@
+#!/usr/bin/perl
+#
+# test for http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5574#c12 .
+# run with:   sudo prove -v t/root_spamd*
+
+use lib '.'; use lib 't';
+use SATest; sa_t_init("root_spamd_u_dcc");
+use Test;
+
+use constant TEST_ENABLED => conf_bool('run_root_tests');
+use constant DCC_TEST_ENABLED => conf_bool('run_dcc_tests');
+use constant IS_ROOT => eval { ($> == 0); };
+use constant RUN_TESTS => (TEST_ENABLED && DCC_TEST_ENABLED && IS_ROOT);
+
+BEGIN { plan tests => (RUN_TESTS ? 23 : 0) };
+exit unless RUN_TESTS;
+
+# ---------------------------------------------------------------------------
+
+%patterns = (
+        q{ spam reported to DCC }, 'dcc report',
+            );
+
+tstpre ("
+
+  loadplugin Mail::SpamAssassin::Plugin::DCC
+  dcc_timeout 30
+
+");
+
+ok sarun ("-t -D info -r < data/spam/gtubedcc.eml 2>&1", \&patterns_run_cb);
+# ok_all_patterns();
+
+# ---------------------------------------------------------------------------
+
+%patterns = (
+
+q{ X-Spam-Status: Yes, score=}, 'status',
+q{ X-Spam-Flag: YES}, 'flag',
+q{ X-Spam-Level: **********}, 'stars',
+
+);
+
+# run spamc as unpriv uid
+$spamc = "sudo -u nobody $spamc";
+
+$SIG{ALRM} = sub { stop_spamd(); die "timed out"; };
+alarm 60;
+ok(start_spamd("-c -H -m1"));
+alarm 0;
+
+# run a few times to ensure that the child can process more than
+# one message successfully. do not bother looking for the dcc
+# result; we just want to ensure that the check did not cause
+# the spamd kids to get hung
+for my $try (1 .. 5) {
+  $SIG{ALRM} = sub { stop_spamd(); die "timed out"; };
+  alarm 30;
+  ok(spamcrun("< data/spam/gtubedcc.eml", \&patterns_run_cb));
+  alarm 0;
+  ok_all_patterns();
+}
+
+ok(stop_spamd());
+
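Review bot: Neither this test nor t/root_spamd_u.t asserts that spamd actually gave up root; every `ok(...)` only checks that a message was scanned and the expected headers came back. A regression in which the uid change silently does nothing would still pass as long as scanning works. If SATest offers a way to inspect the spamd child (not visible here), an assertion on its real and effective uid would pin the behaviour bug 5574 is about. Failing that, state the limit in the file header, e.g. `# NOTE: verifies that scanning works after the uid switch, not that the child's uid changed`.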

Property changes on: t/root_spamd_u_dcc.t
___________________________________________________________________
Name: svn:executable
   + *

Index: t/root_spamd_u.t
===================================================================
--- t/root_spamd_u.t	(revision 0)
+++ t/root_spamd_u.t	(revision 0)
@@ -0,0 +1,48 @@
+#!/usr/bin/perl
+
+# run with:   sudo prove -v t/root_spamd*
+
+use lib '.'; use lib 't';
+use SATest; sa_t_init("root_spamd_u");
+use Test;
+
+use constant TEST_ENABLED => conf_bool('run_root_tests');
+use constant IS_ROOT => eval { ($> == 0); };
+use constant RUN_TESTS => (TEST_ENABLED && IS_ROOT);
+
+BEGIN { plan tests => (RUN_TESTS ? 14 : 0) };
+exit unless RUN_TESTS;
+
+# ---------------------------------------------------------------------------
+
+%patterns = (
+
+q{ Return-Path: sb55sb55 at yahoo.com}, 'firstline',
+q{ Subject: There yours for FREE!}, 'subj',
+q{ X-Spam-Status: Yes, score=}, 'status',
+q{ X-Spam-Flag: YES}, 'flag',
+q{ X-Spam-Level: **********}, 'stars',
+q{ TEST_ENDSNUMS}, 'endsinnums',
+q{ TEST_NOREALNAME}, 'noreal',
+q{ This must be the very last line}, 'lastline',
+
+);
+
+# run spamc as unpriv uid
+$spamc = "sudo -u nobody $spamc";
+
+ok(start_spamd("-L -u nobody"));
+
+ok(spamcrun("< data/spam/001", \&patterns_run_cb));
+ok_all_patterns();
+
+%patterns = (
+q{ X-Spam-Status: Yes, score=}, 'status',
+q{ X-Spam-Flag: YES}, 'flag',
+             );
+
+
+ok (spamcrun("< data/spam/018", \&patterns_run_cb));
+ok_all_patterns();
+
+ok(stop_spamd());

Property changes on: t/root_spamd_u.t
___________________________________________________________________
Name: svn:executable
   + *

Index: spamd/spamd.raw
===================================================================
--- spamd/spamd.raw	(revision 558745)
+++ spamd/spamd.raw	(working copy)
@@ -1024,10 +1024,11 @@
       # use the POSIX functions to hide the platform specific workarounds 
       POSIX::setgid($ugid);  # set effective and real gid
       POSIX::setuid($uuid);  # set effective and real UID
+      $< = $uuid; $> = $uuid;   # bug 5574
 
       # keep the sanity check to catch problems like bug 3900 just in case
       if ( $> != $uuid and $> != ( $uuid - 2**32 ) ) {
-        die "spamd: setuid to uid $uuid failed\n";
+        die "spamd: setuid to uid $uuid failed (> = $>, < = $<)\n";
       }
     }
 
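Review bot: `POSIX::setgid($ugid)` is the only group change in the lines shown and its result is never verified; the sanity check below it, and the extended die message, cover the uid only. A failed setgid would leave the process in its original, presumably privileged, group while the uid check passes. Consider `POSIX::setgid($ugid) or die "spamd: setgid to gid $ugid failed: $!\n";`, assuming the return value is reliable on the platforms these workarounds target. The enclosing block starts outside this hunk, so the gid may already be checked there.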


Index: spamassassin.spec
===================================================================
RCS file: /cvs/pkgs/rpms/spamassassin/F-7/spamassassin.spec,v
retrieving revision 1.97
retrieving revision 1.98
diff -u -r1.97 -r1.98
--- spamassassin.spec	25 Jul 2007 14:20:16 -0000	1.97
+++ spamassassin.spec	2 Aug 2007 20:17:30 -0000	1.98
@@ -14,7 +14,7 @@
 Summary: Spam filter for email which can be invoked from mail delivery agents.
 Name: spamassassin
 Version: 3.2.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: Apache License
 Group: Applications/Internet
 URL: http://spamassassin.apache.org/
@@ -30,6 +30,7 @@
 # Patches 0-99 are RH specific
 # none yet
 # Patches 100+ are SVN backports (DO NOT REUSE!)
+Patch100: Mail-SpamAssassin-3.2.2-bug5574-setuid.patch
 # end of patches
 Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
 Buildroot: %{_tmppath}/%{name}-root
@@ -51,6 +52,10 @@
 Requires: procmail
 Requires: gnupg
 
+# Hard requirement
+BuildRequires: perl-HTML-Parser >= 3.43
+Requires: perl-HTML-Parser >= 3.43
+
 %if %{option_archive_tar}
 Requires: perl(Archive::Tar)
 %endif
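Review bot: The new `BuildRequires`/`Requires: perl-HTML-Parser >= 3.43` lines are not mentioned in the log message or in the 3.2.2-2 changelog entry, which records only the SA#5574 fix. A dependency floor that changes without a record is hard to audit later. Add a changelog line such as `- Require perl-HTML-Parser >= 3.43`, and replace `# Hard requirement` with a comment saying what needs 3.43.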
@@ -88,6 +93,7 @@
 # Patches 0-99 are RH specific
 # none yet
 # Patches 100+ are SVN backports (DO NOT REUSE!)
+%patch100 -p0
 # end of patches
 
 %build
@@ -189,6 +195,9 @@
 exit 0
 
 %changelog
+* Thu Aug 2 2007 Warren Togami <wtogami at redhat.com> 3.2.2-2
+- Fix SA#5574 which cripples dcc/pyzor users
+
 * Wed Jul 25 2007 Warren Togami <wtogami at redhat.com> 3.2.2-1
 - 3.2.2 minor bugfix release
 



