Re: [sympa-users] Re: Getting lots of "mod_fcgid: stderr: Insecure dependency in" errors
  • From: Olaf Menkens <address@concealed>
  • To: address@concealed
  • Subject: Re: [sympa-users] Re: Getting lots of "mod_fcgid: stderr: Insecure dependency in" errors
  • Date: Tue, 23 Aug 2011 23:30:14 +0200

Hello Omen,

I had the same problem here with my sympa 6.1.6 installation, which I'm currently trying to set up (cross-upgrading to a new, currently testing, machine from an old sympa 5.1.2).
Google taught me that "man perlsec" describes the reason for the "Insecure dependency" error messages. So I learned that the functions reported in the log file work with "tainted" parameters.

I analyzed the problem a little further and realized that many error messages fill the logfile when I open the web interface (lists view) for the first time after restarting the web server. Debug logging showed that the initial "do_lists" command calls List::get_lists() and this function reads information about all existing mailing lists. For each list, the function Lock::_lock_file() is called 4 times, and the function List::_save_stats_file() is called once. The problem is that the parameter "$dir" is considered to be tainted.

I found a bug fix (in List::new()):

/home/sympa/bin # diff List.pm.orig List.pm
1545c1545
< unless ($name and ($name =~ /^$listname_regexp$/io) ) {
---
unless ($name and ($name =~ /^($listname_regexp)$/io) ) {
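Review bot: the `$` anchor in `/^($listname_regexp)$/io` still matches before a trailing newline, so a name read from a line-oriented source with its "\n" intact passes the check; that is harmless here only because the capture `$1` excludes the newline. If the intent is to reject such input outright rather than silently trim it, `\z` is the strict end-of-string anchor: `/^($listname_regexp)\z/io`. The capturing group itself is the right mechanism: per perlsec, a submatch from a successful anchored regex is the documented way to untaint, and keeping `^` and `$` means the capture cannot admit anything the old check rejected.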
1548a1549,1550
## Untaint and lowercase the list name.
$name = $1;
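Review bot: the comment says "Untaint and lowercase the list name", but the only statement added is `$name = $1;`, which untaints without lowercasing; either make it `$name = lc $1;` or drop "lowercase" from the comment so the two do not disagree. Also note that `$1` is valid only because the match in the `unless` on line 1545 just succeeded and its failure path returned; the assignment on 1549-1550 must stay immediately after that block, since any intervening regex would clobber `$1` and reintroduce a tainted or wrong `$name`.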

I hope that some sympa developer will add this (or something better) to the next sympa release...

Omen, please tell me whether it helps for you as well!

Olaf Menkens.

P.S.: I found another "Insecure dependency" error: in tools.pm, lines 2750 & 2746 (unlink() and rmdir()). This occurs when I purge old list archives. Currently I do not have a fix for that problem, but it's interesting that the directories are deleted nevertheless, so the error message is obviously only handled like a warning, which is in my opinion helpful but quite insecure ;-)

On 13.08.2011 01:16, Omen Wild wrote:
[ I emailed about this back in April. The problem seemed to go away
for a while, but it is back now. ]

Back in April we migrated an instance of Sympa 6.0.1 running on Solaris
to 6.1.4 running on RHEL 6. We are seeing a large number of `mod_fcgid:
stderr: Insecure dependency' errors in the Apache error log. The
errors do not happen all the time, but seem to go in bursts.

For example, since midnight last night (16 hours ago) there have been
almost 900,000 errors logged.

Count    File
201196   /usr/share/sympa/lib/List.pm line 9709.
604787   /usr/share/sympa/lib/Lock.pm line 253.

Line 9709 is "open(L, "> $file") || return undef;" in
"sub _save_stats_file {".

Line 253 is "unless (open $fh, $open_mode.$lock_file) {" in
"sub _lock_file {".

We are running sympa-6.1.4-1.20110407.RHEL6.src.rpm from
'http://sympa-ja.org/download/RHEL6.testing/SRPMS/?C=M;O=D'. There are
some custom patches, but nothing in the Lock.pm module or around that
line of List.pm.

I have attached the Apache config file if it helps.

Does anyone have any thoughts about how to fix this?

Thanks,
Omen

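The diagnosis in this thread, and the List.pm patch above, come down to the rule from perlsec that a value originating outside the program (here a list name that ends up in "$dir") may not reach a write-mode open(), or unlink()/rmdir(), until it has been passed through an anchored regex capture. The script below is an added example, not Sympa's code and not written by Olaf or Omen: it reproduces the "Insecure dependency" refusal with a stand-in for Lock::_lock_file(), then shows the capture-based untaint. The list-name regex, the temporary directory, and the lowercasing in check_and_untaint() are this example's own assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not Sympa code: reproduces the "Insecure dependency" failure
# from the thread and the capture-based untaint used in the List.pm patch.
# Run as:  perl -T untaint_demo.pl [listname]
use strict;
use warnings;
use File::Temp   qw(tempdir);
use Scalar::Util qw(tainted);

# Assumption: Sympa's real $listname_regexp may differ; this one is illustrative.
my $listname_regexp = '[a-z0-9][a-z0-9\-\._]*';

# Validate only: a plain match checks the value but leaves it tainted,
# which is the state the unpatched List::new() left $name in.
sub check_only {
    my ($name) = @_;
    return undef unless defined $name and $name =~ /^$listname_regexp$/io;
    return $name;
}

# Validate and untaint: by perlsec's rules, $1 from a successful anchored
# match is clean. The assignment must follow the match immediately, before
# any other regex can overwrite $1.
sub check_and_untaint {
    my ($name) = @_;
    return undef unless defined $name and $name =~ /^($listname_regexp)$/io;
    return lc $1;   # lowercasing is this example's choice (the patch comment mentions it)
}

# Stand-in for Lock::_lock_file(): creates a lock file under $dir.
# A write-mode open() on a path built from tainted data is what perl -T refuses.
sub lock_file {
    my ($dir, $name) = @_;
    my $lock = "$dir/$name.lock";
    open(my $fh, '>', $lock) or die "open $lock: $!";
    close $fh;
    return $lock;
}

my $dir = tempdir(CLEANUP => 1);    # assembled from untainted components

# Anything from @ARGV is tainted under -T. Without an argument, concatenate a
# zero-length slice of $ENV{PATH} so the literal inherits taint as well
# (constructed input, so the demo runs the same way with no command line).
my $arg = @ARGV ? $ARGV[0] : 'Demo-List' . substr($ENV{PATH} // '', 0, 0);

for my $case ([check_only => \&check_only], [check_and_untaint => \&check_and_untaint]) {
    my ($label, $checker) = @$case;
    my $name = $checker->($arg);
    unless (defined $name) {
        print "$label: '$arg' rejected by the list-name check\n";
        next;
    }
    printf "%s: name still tainted = %s\n", $label, tainted($name) ? 'yes' : 'no';
    my $lock = eval { lock_file($dir, $name) };
    print defined $lock ? "  created $lock\n" : "  refused: $@";
}
```

Run with the default input, the check_only pass reports the name as still tainted and the open() is refused with the same "Insecure dependency in open while running with -T switch" text seen in the Apache log; the check_and_untaint pass creates the lock file. Try an argument such as "../etc" to see both checks reject it before any file operation. The same rule explains the P.S. above: unlink() and rmdir() in tools.pm are also taint-checked, so the directory path handed to them needs the same capture-based untaint before the call, and whether the operation proceeds after the message depends on how the caller treats the die().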