Bug 3899 - "Insecure dependency" error from SA3
Status: RESOLVED WORKSFORME
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: spamassassin
Version: 3.0.1
Hardware: Other Linux
Importance: P5 normal
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
Reported: 2004-10-13 14:29 UTC by Robert Berlinger
Modified: 2005-02-15 07:31 UTC (History)

Attachment: Debug log (text/plain), submitted by Robert Berlinger [NoCLA]

Description Robert Berlinger 2004-10-13 14:29:21 UTC
On a Red Hat Linux 9 PC, with SA3 installed (upgraded over 2.64, no patches or 
custom rules), I'm seeing the following error:

1 message(s) examined.
Insecure dependency in connect while running with -T switch 
at /usr/lib/perl5/5.8.0/i386-linux-thread-multi/IO/Socket.pm line 114.

This particular instance was from a spamassassin --report run, but it happens 
on plain spamassassin invocations as well.  This is not the razor2 problem, 
I'm running the latest 2.61.

How do I track down what's tainted?
Comment 1 Theo Van Dinter 2004-10-13 14:32:50 UTC
Subject: Re:  New: "Insecure dependency" error from SA3

On Wed, Oct 13, 2004 at 02:29:22PM -0700, bugzilla-daemon@bugzilla.spamassassin.org wrote:
> 1 message(s) examined.
> Insecure dependency in connect while running with -T switch 
> at /usr/lib/perl5/5.8.0/i386-linux-thread-multi/IO/Socket.pm line 114.
> 
> This particular instance was from a spamassassin --report run, but it happens 
> on plain spamassassin invocations as well.  This is not the razor2 problem, 
> I'm running the latest 2.61.

IIRC, that message is caused by the Razor code as well, which calls
IO::Socket, which isn't completely taint friendly.
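
An added example (not SpamAssassin or IO::Socket code) of the mechanism behind this error and of how to answer the "how do I track down what's tainted?" question: under -T, Perl's connect() refuses a tainted peer address with the message quoted above, Scalar::Util::tainted() reveals which values carry taint, and a validated regex capture is the way to clear it. The host, port and the connect target 127.0.0.1:9 are constructed assumptions; nothing needs to be listening there.

```perl
#!/usr/bin/perl -T
# Added example (not SpamAssassin code). Under -T every value from outside the
# program (%ENV, @ARGV, files, DNS, sockets) is tainted, and Perl's connect()
# refuses a tainted peer address with exactly the message seen in this bug.
# Scalar::Util::tainted() finds such values; a regex capture untaints one
# after validation. Host/port are constructed; 127.0.0.1:9 need not listen.
use strict;
use warnings;
use Scalar::Util qw(tainted);
use IO::Socket::INET;

# An empty but tainted string: anything concatenated with it becomes tainted.
# It stands in for a host name that arrived from a config file or DNS lookup.
my $TAINT = defined $ENV{PATH} ? substr($ENV{PATH}, 0, 0) : '';
my $host  = '127.0.0.1' . $TAINT;   # constructed, tainted
my $port  = 9;                      # literal, so untainted

# Validate against an allow-list pattern; the capture ($1) is untainted.
sub untaint_host {
    my ($raw) = @_;
    my ($clean) = $raw =~ /\A([A-Za-z0-9][A-Za-z0-9.-]{0,252})\z/
        or die "refusing unsafe host value '$raw'\n";
    return $clean;
}

# Attempt the connect inside eval so the taint die is reported, not fatal.
sub try_connect {
    my ($h, $p) = @_;
    my ($sock, $why);
    eval {
        $sock = IO::Socket::INET->new(PeerAddr => $h, PeerPort => $p,
                                      Proto => 'tcp', Timeout => 2);
        $why  = $@ unless $sock;   # IO::Socket reports soft failures in $@
        1;
    } or do { chomp(my $e = $@); return "died: $e" };
    return $sock ? 'connected' : "failed: $why";
}

# First pass dies with "Insecure dependency in connect while running with -T
# switch"; second pass reaches the kernel and gets a plain connection refusal.
for my $h ($host, untaint_host($host)) {
    printf "host=%s tainted=%d -> %s\n", $h, (tainted($h) ? 1 : 0),
        try_connect($h, $port);
}
```

Run it as `perl -T taint_demo.pl`; the `-T` on the command line must match the shebang or Perl stops with "Too late for -T".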

Comment 2 Robert Berlinger 2004-10-13 14:42:27 UTC
Is there a simple way to temporarily "fool" SpamAssassin into thinking razor2 
is not present?  I can then do that and see if it runs clean...

Thanks.
Comment 3 Theo Van Dinter 2004-10-14 09:00:35 UTC
Subject: Re:  "Insecure dependency" error from SA3

On Wed, Oct 13, 2004 at 02:42:28PM -0700, bugzilla-daemon@bugzilla.spamassassin.org wrote:
> Is there a simple way to temporarily "fool" SpamAssassin into thinking razor2 
> is not present?  I can then do that and see if it runs clean...

I don't know about fooling it, but you can just disable it.  "use_razor2 0"

Comment 4 Robert Berlinger 2004-10-14 10:49:38 UTC
Thanks, tried that, razor2 disabled and still get the error.  Any other 
suggestions?
Comment 5 Justin Mason 2004-10-14 11:32:34 UTC
could you attach a debug log of that command or commands?  just re-run them with
"-D".  that will include plenty of extra info we need ;)
Comment 6 Robert Berlinger 2004-10-14 11:56:48 UTC
Created attachment 2453 [details]
Debug log

OK, here's the debug log.
Comment 7 Robert Berlinger 2004-10-19 07:33:08 UTC
Any ideas on what's my next step on this?  Does the debug log show anything 
anomalous?

Thanks...
Comment 8 Robert Berlinger 2004-10-27 09:16:51 UTC
I now find that SA does not report the insecure dependency error when SpamCop 
reporting is not run.  That is, when a message is older than 3 days, I get 
the "message older than 3 days not reporting to spamcop" error and no insecure 
dependency error.  That suggests to me the issue may be with the spamcop 
reporting.  I tried to find a way to turn that off but apparently there's 
no "use_spamcop" configuration item, which seems inconsistent since it exists 
for the other three reporting services.  The API does have an option though
("dont_report_to_spamcop").

Does this trigger any thoughts?  Or can you suggest how I could disable 
spamcop reporting to see if that works around the issue?  FYI, I upgraded to 
3.01 with no change of behavior in this regard.

Thanks.
Comment 9 Robert Berlinger 2004-11-02 07:12:22 UTC
I upgraded the system in question to Fedora Core 2 and the problem 
disappeared.  Weird!  Perhaps there was something funky in a Perl library?  
Anyway, this is solved for me.
Comment 10 Theo Van Dinter 2004-11-02 08:56:22 UTC
looks like a non-taint friendly library outside of SA.
Comment 11 Ken Bass 2005-02-15 16:31:07 UTC
Workaround:

Add 'score RCVD_IN_BL_SPAMCOP_NET 0' to your scoring prefs. This will disable
spamcop reporting and eliminate the 

'Insecure dependency in connect while running with -T switch 
at /usr/lib/perl5/5.8.0/i386-linux-thread-multi/IO/Socket.pm line 114.'

I can reproduce this with RHEL3 and SA 3.0.2