The mailing list for listmasters using Sympa

[Olaf Menkens <address@concealed>]

Hello Omen,

I had the same problem here with my sympa 6.1.6 installation, I'm 
currently trying to set up (cross upgrading to a new - currently testing 
- machine from an old sympa 5.1.2).
Google teached me, that "man perlsec" describes the reason for the 
"Insecure dependency" error messages. So I learned, that the functions 
reported in the log file work with "tainted" parameters.

I analyzed the problem a little further and realized, that many error 
messages fill the logfile, when I open the web interface (lists view) 
for the first time after restarting the web server. Debug logging 
showed, that the initial "do_lists" command calls List::get_lists() and 
this function reads information about all existing mailing list. For 
each list, the function Lock::_lock_file() is called 4 times, and the 
function List::_save_stats_file() is called once. The problem is, that 
the parameter "$dir" is considered to be tainted.

I found a bug fix (in List::new()):

/home/sympa/bin # diff List.pm.orig List.pm
1545c1545
<     unless ($name and ($name =~ /^$listname_regexp$/io) ) {
---
>     unless ($name and ($name =~ /^($listname_regexp)$/io) ) {
1548a1549,1550
>     ## Untaint and lowercase the list name.
>     $name = $1;

I hope, that some sympa developer will add this (or something better) to 
the next sympa release...

Omen, please tell me, whether it helps for you as well !

Olaf Menkens.

P.S.: I found another "Insecure dependency" error: in tools.pm, line 
2750 & 2746 (unlink() and rmdir()). This occurs, when I purge old list 
archives. Currently I do not have a fix for that problem, but it's 
interesting, that the directories are deleted nevertheless, so the error 
message is obviously only handled like a warning, which is in my opinion 
helpful but quite insecure ;-)

Am 13.08.2011 01:16, schrieb Omen Wild:
> [ I emailed about this back in April.  The problem seemed to go away
> for a while, but it is back now. ]
>
> Back in April we migrated an instance of Sympa 6.0.1 running on Solaris
> to 6.1.4 running on RHEL 6.  We are seeing a large number of `mod_fcgid:
> stderr: Insecure dependency' errors in the Apache error log.  The
> errors do not happen all the time, but seem to go in bursts.
>
> For example, since midnight last night (16 hours ago) there have been
> almost 900,000 errors logged.
>
>    Count   File
>   201196   /usr/share/sympa/lib/List.pm line 9709.
>   604787   /usr/share/sympa/lib/Lock.pm line 253.
>
> Line 9709 is "open(L, ">  $file") || return undef;" in
> "sub _save_stats_file {".
>
> Line 253 is "unless (open $fh, $open_mode.$lock_file) {" in
> "sub _lock_file {".
>
> We are running sympa-6.1.4-1.20110407.RHEL6.src.rpm from
> 'http://sympa-ja.org/download/RHEL6.testing/SRPMS/?C=M;O=D'.  Thereare
> some custom patches, but nothing in the Lock.pm module or around that
> line of List.pm
>
> I have attached the Apache config file if it helps.
>
> Does anyone have any thoughts about how to fix this?
>
> Thanks,
>     Omen