[Secure-testing-team] Bug#744921: spamassassin: Daily cron script wants to set a shared library world writable
Roger Dover
roger at fbo2.mooo.com
Wed Apr 16 09:19:52 UTC 2014
Package: spamassassin
Version: 3.3.2-5
Severity: grave
Tags: security
Justification: user security hole
Dear Maintainer,
I get the following output from /etc/cron.daily/spamassassin:
-------------------------------------------------------------
/etc/cron.daily/spamassassin:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: WARNING: Failed chmod(0666, /var/lib/spamassassin/compiled/5.014/3.003002/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so): Operation not permitted
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
------------------------------------------------------------
The script wants to set a shared library world writable.
This is a security risk.
-- System Information:
Debian Release: 7.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages spamassassin depends on:
ii adduser 3.113+nmu3
pn libarchive-tar-perl <none>
ii libhtml-parser-perl 3.69-2
ii libnet-dns-perl 0.66-2+b2
ii libnetaddr-ip-perl 4.062+dfsg-1
ii libsocket6-perl 0.23-1+b2
ii libsys-hostname-long-perl 1.4-2
ii libwww-perl 6.04-1
ii perl 5.14.2-21+deb7u1
ii perl-modules [libio-zlib-perl] 5.14.2-21+deb7u1
Versions of packages spamassassin recommends:
ii gcc 4:4.7.2-1
ii gnupg 1.4.12-7+deb7u3
ii libc6-dev 2.13-38+deb7u1
ii libio-socket-inet6-perl 2.69-2
ii libmail-spf-perl 2.8.0-1
ii make 3.81-8.2
ii perl [libsys-syslog-perl] 5.14.2-21+deb7u1
ii re2c 0.13.5-1
ii spamc 3.3.2-5
Versions of packages spamassassin suggests:
pn libdbi-perl <none>
ii libio-socket-ssl-perl 1.76-2
pn libmail-dkim-perl <none>
pn libnet-ident-perl <none>
ii perl [libcompress-zlib-perl] 5.14.2-21+deb7u1
ii pyzor 1:0.5.0-2
ii razor 1:2.85-4+b1
-- Configuration Files:
/etc/default/spamassassin changed:
ENABLED=1
OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
PIDFILE="/var/run/spamd.pid"
CRON=1
/etc/spamassassin/v320.pre changed:
loadplugin Mail::SpamAssassin::Plugin::Check
loadplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
loadplugin Mail::SpamAssassin::Plugin::URIDetail
loadplugin Mail::SpamAssassin::Plugin::Bayes
loadplugin Mail::SpamAssassin::Plugin::BodyEval
loadplugin Mail::SpamAssassin::Plugin::DNSEval
loadplugin Mail::SpamAssassin::Plugin::HTMLEval
loadplugin Mail::SpamAssassin::Plugin::HeaderEval
loadplugin Mail::SpamAssassin::Plugin::MIMEEval
loadplugin Mail::SpamAssassin::Plugin::RelayEval
loadplugin Mail::SpamAssassin::Plugin::URIEval
loadplugin Mail::SpamAssassin::Plugin::WLBLEval
loadplugin Mail::SpamAssassin::Plugin::VBounce
loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody
loadplugin Mail::SpamAssassin::Plugin::ImageInfo
-- no debconf information
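
The condition this report is concerned about can be checked directly on a host. The following is an added example, not part of the original report or of the spamassassin package: a shell function that lists *.so files writable by "other" under the compiled-rules directory named in the cron output, plus any directory there that is world writable without the sticky bit. The function name, output format and return codes are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit a compiled-rules tree for shared objects that any
# local user could modify. The default root is the directory that appears
# in the cron output above; pass another directory as the first argument.
#
# Usage (after sourcing this file):  audit_compiled_libs [DIR]
#
# Prints one line per finding:
#   FILE <path>   a *.so file writable by "other"
#   DIR <path>    a directory writable by "other" without the sticky bit,
#                 which lets any user replace the libraries inside it
# Returns 0 when clean, 1 when there are findings, 2 when DIR is missing.
audit_compiled_libs() {
    root=${1:-/var/lib/spamassassin/compiled}
    if [ ! -d "$root" ]; then
        echo "no such directory: $root" >&2
        return 2
    fi

    findings=$(
        # Shared objects with the other-write bit (mode & 0002) set.
        find "$root" -type f -name '*.so' -perm -0002 -print | sed 's/^/FILE /'
        # World-writable directories lacking the sticky bit (01000).
        find "$root" -type d -perm -0002 ! -perm -1000 -print | sed 's/^/DIR /'
    )

    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
```

A non-zero return from a periodic run of this check is a reasonable trigger for restoring mode 0644 on the affected files and recompiling the rules.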