From owner-freebsd-ports-bugs@FreeBSD.ORG Fri Mar 29 04:50:01 2013 Return-Path: Delivered-To: freebsd-ports-bugs@smarthost.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 994333C1 for ; Fri, 29 Mar 2013 04:50:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id 7130CB17 for ; Fri, 29 Mar 2013 04:50:01 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.6/8.14.6) with ESMTP id r2T4o13c055797 for ; Fri, 29 Mar 2013 04:50:01 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.6/8.14.6/Submit) id r2T4o1Ll055796; Fri, 29 Mar 2013 04:50:01 GMT (envelope-from gnats) Date: Fri, 29 Mar 2013 04:50:01 GMT Message-Id: <201303290450.r2T4o1Ll055796@freefall.freebsd.org> To: freebsd-ports-bugs@FreeBSD.org Cc: From: Paul Beard Subject: Re: ports/177416: mail/postgrey has surfaced a bug in perl's taint checking X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: Paul Beard List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Mar 2013 04:50:01 -0000 The following reply was made to PR ports/177416; it has been noted by GNATS. From: Paul Beard To: Darren Pilgrim Cc: "bug-followup@FreeBSD.org" Subject: Re: ports/177416: mail/postgrey has surfaced a bug in perl's taint checking Date: Thu, 28 Mar 2013 21:43:12 -0700 On Mar 28, 2013, at 5:52 PM, Darren Pilgrim w= rote: > To me this screams broken install, broken/corrupt ports and/or a damaged p= ackage database. After close to two decades of using perl, it wouldn't surp= rise me at all if some module stomped on other base/module code and a slight= ly broken or improperly linted port missed the conflict. FWIW, on all of my= systems, even EOL'd ones, pkg/pkgng tells me that file is owned by lang/per= l5.14 and the timestamp is consistent with the last time the port was instal= led. >=20 I have rebuilt/reinstalled the lot since then and get the same result. So th= at's not it. Unless the implication is that a new system could exhibit this b= ehavior.=20 > Postgrey is a network-enabled daemon. Running with tainted-variable check= ing enabled is best practice. Postgrey itself has had taint-mode enabled si= nce 2005. I'm not going to hang everyone's tails out in the wind by disabli= ng it by default. I can't ethically support even a port option to disable i= t given the circumstances of the error report. If Paul wants to disable tai= nt-checking on his system, he can, of course, remove the -T flag from the ha= shbang in the installed script. As noted, there are other instances of this reported though they are vanishi= ngly rare. So there may be something in the almost 20 year old code (some of= the modules have comment/copyright dates from the mid 90s) that only shows u= p under rare confluences of events.=20 And to be clear, it's not the taint check alone: it's the fact that the daem= onize option no longer works. There's no runtime argument or config option f= or that. It just doesn't work at all. So running it as a service fails.=20 As noted in the email thread that preceded the PR, this is moot, as my ISP j= ust killed inbound smtp service so postgrey isn't actually doing anything. I= f my perl fu was of any strength at all, I would have tried building a test c= ase that tested the socket, taint checking, and daemonize capabilities of th= is environment. So I can't even claim this is a show stopping bug unless I c= onvince my ISP that they're doing it wrong (blocking inbound while allowing o= utbound as a defense against spam/botnets is nonsense).=20 I don't think this is a bug in postgrey which is why I worded the subject as= I did. I think the misfeature is in the modules or perhaps in some unique a= spect of my kernel/userland.=20=