Re: [AMaViS-user] Insecure dependency in exec (amavisd-new)

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Sam,

| For some reason the patch failed. Seems the line numbers didn't match the 
| amavisd file I had even the one from the tarball. So I've applied the changes 
| manually. 

Ok. Sorry for line numbers mismatch, I made a diff against my current code.

| The result being that it fixed the problem and the insecure
| dependency error has gone. Thanks muchly.
| Is this a workaround for a perl bug or was there actually a tainted
| variable there?

This one was a genuine tainted variable, not a workaround for a perl bug.

With amavisd-new-20030616 the taintedness is intentionally carried
into program flow much deeper - previously untaintaing was done at several
places unintentionaly way too early (like in other variants of amavis*).

Perl taint checking is now a better safety net then before.
The problem you discovered way one piece of code where I didn't
take care of the change.

  Mark