Bug#350954: [rob@tigertech.com: Bug#350954: DSA-960-1 security update breaks libmail-audit-perl when $ENV{HOME} is not set]

Martin Schulze joey at infodrom.org
Sat Feb 4 13:59:25 UTC 2006


Niko Tyni wrote:
> Hi security team,
> 
> I'm very sorry that you have to hear from me again :(
> 
> There's a regression in the patch for DSA-960-1, for both woody and sarge.
> When $HOME is not set, Mail::Audit is now creating logfiles in cwd and
> dying if it's not writable.  This happens even if logging is turned off,
> which makes the problem much more serious.

Doo, I have to agree that it is confusing to have tempdir() use different
parameters than tempfile(), but only partially.

> I have not yet had a proper look at the proposed patches in #350954 and
> the last message of #344029, but I wanted to make you aware of this.
> 
> Again, my apologies for the bad handling of this.

Comments to the attached patch, which are least intrusive to the
update we're already distributing?

Regards,

	Joey

-- 
MIME - broken solution for a broken design.  -- Ralf Baechle

Please always Cc to me when replying to me on the lists.
-------------- next part --------------
diff -u libmail-audit-perl-2.1/Audit.pm libmail-audit-perl-2.1/Audit.pm
--- libmail-audit-perl-2.1/Audit.pm
+++ libmail-audit-perl-2.1/Audit.pm
@@ -4,7 +4,13 @@
 
 my $logging;
 my $loglevel=3;
-my $logfile = "/tmp/".getpwuid($>)."-audit.log";
+my $logfile;
+if (exists $ENV{HOME} and defined $ENV{HOME} and -d $ENV{HOME}) {
+     $logfile = "$ENV{HOME}/.mail_audit.log";
+}
+else {
+     (undef,$logfile) = tempfile("mail_audit.log-XXXXX", DIR => File::Spec->tmpdir);
+}
 
 # ----------------------------------------------------------
 # no user-modifiable parts below this line.
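Review bot: In the else branch, tempfile() runs at module load whether or not logging is enabled (`my $logging;` is still undefined at this point), so every run without a usable $HOME creates a mail_audit.log-XXXXX file in the temp directory, with no UNLINK requested, and tempfile() croaks if it cannot create it. Defer the call until the first log write, or at least guard it with the logging flag, so that a filter with logging turned off never touches the filesystem here.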
@@ -18,6 +24,8 @@
 use vars qw($VERSION @ISA @EXPORT @EXPORT_OK $ASSUME_MSGPREFIX);
 # @ISA will depend on whether the message is MIME; if it is, we'll be MIME::Entity.  if not, we'll be Mail::Internet.
 use Fcntl ':flock';
+use File::Spec;
+use File::Temp qw(tempfile);
 
 $ASSUME_MSGPREFIX = 0;
 
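Review bot: The two use lines land at about line 24, after the file-scope code near line 10 that already calls tempfile() and File::Spec->tmpdir. It works because use is processed at compile time, but it reads as use-before-import; move both use statements above the $logfile block.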
--- libmail-audit-perl-2.1.orig/Audit/MimeEntity.pm
+++ libmail-audit-perl-2.1/Audit/MimeEntity.pm
@@ -4,6 +4,7 @@
 
 use strict;
 use File::Path;
+use File::Temp qw(tempdir);
 use MIME::Parser;
 use MIME::Entity;
 use Mail::Audit::MailInternet;
@@ -12,10 +13,12 @@
 
 $VERSION = '2.0';
 
-$MIME_PARSER_TMPDIR = "/tmp/".getpwuid($>)."-mailaudit";
-
 my $parser = MIME::Parser->new();
 
+# Create a tempdir using File::Temp::tempdir, have it be destroyed at
+# END{} time.
+$MIME_PARSER_TMPDIR = tempdir(CLEANUP => 1);
+
 my @to_rmdir;
 
 sub autotype_new { 
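Review bot: tempdir(CLEANUP => 1) is called at file scope, so the directory is created as soon as the module is loaded and tempdir() croaks on failure, before autotype_new has a chance to handle anything. Create the directory on first use inside autotype_new and wrap the call in eval, so a full or unwritable temp directory leads to an error path instead of aborting the mail filter at load time.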
@@ -23,8 +26,6 @@
     my $mailinternet = shift;
 
     $parser->ignore_errors(1);
-    mkdir ($MIME_PARSER_TMPDIR, 0777);
-    if (! -d $MIME_PARSER_TMPDIR) { $MIME_PARSER_TMPDIR = "/tmp" }
     $parser->output_under($MIME_PARSER_TMPDIR);
 
     # todo: add eval error trapping.  if there's a problem, return Mail::Audit::MailInternet as a fallback.
-------------- next part --------------
diff -u libmail-audit-perl-2.1/Audit.pm libmail-audit-perl-2.1/Audit.pm
--- libmail-audit-perl-2.1/Audit.pm
+++ libmail-audit-perl-2.1/Audit.pm
@@ -6,10 +6,10 @@
 my $loglevel=3;
 my $logfile;
 if (exists $ENV{HOME} and defined $ENV{HOME} and -d $ENV{HOME}) {
-     $logfile = "$ENV{HOME}/.mail_audit.log"
+     $logfile = "$ENV{HOME}/.mail_audit.log";
 }
 else {
-     (undef,$logfile) = tempfile("mail_audit.log-XXXXX",TMPDIR=>1);
+     (undef,$logfile) = tempfile("mail_audit.log-XXXXX", DIR => File::Spec->tmpdir);
 }
 
 # ----------------------------------------------------------
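Review bot: `(undef,$logfile) = tempfile(...)` discards the open handle that tempfile() returns and keeps only the name, so any later write has to reopen the file by path. Keep the handle, for example `my ($logfh, $logfile) = tempfile(...)`, and log through it, which avoids a second open on a name in a shared temp directory.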
@@ -24,6 +24,7 @@
 use vars qw($VERSION @ISA @EXPORT @EXPORT_OK $ASSUME_MSGPREFIX);
 # @ISA will depend on whether the message is MIME; if it is, we'll be MIME::Entity.  if not, we'll be Mail::Internet.
 use Fcntl ':flock';
+use File::Spec;
 use File::Temp qw(tempfile);
 
 $ASSUME_MSGPREFIX = 0;

