Bug#350954: [rob@tigertech.com: Bug#350954: DSA-960-2 security update breaks libmail-audit-perl when $ENV{HOME} is not set]

Niko Tyni ntyni at iki.fi
Thu Feb 2 18:34:46 UTC 2006

On Thu, Feb 02, 2006 at 09:00:14AM +0200, Niko Tyni wrote:
> There's a regression in the patch for DSA-960-1, for both woody and sarge.
> When $HOME is not set, Mail::Audit is now creating logfiles in cwd and
> dying if it's not writable.  This happens even if logging is turned off,
> which makes the problem much more serious.
> I have not yet had a proper look at the proposed patches in #350954 and
> the last message of #344029, but I wanted to make you aware of this.

Following up on myself: now that I have looked at the patches, the one
in #350954 by Robert L Mathews <rob at tigertech.com> looks good to me.
Of course, a second opinion would be welcome. I'm Cc'ing #350954 in the
hope that somebody else from the Debian Perl Group will comment as well.

To save you at least some work, I'm attaching a backported version of
the patch against the woody version (2.0-4woody1).

(Obviously, this concerns DSA-960-2 rather than the unfortunate
syntactically incorrect DSA-960-1 update.)
Niko Tyni	ntyni at iki.fi
-------------- next part --------------
--- Audit.pm	2006/02/02 18:10:09	1.1
+++ Audit.pm	2006/02/02 18:15:07
@@ -7,17 +7,12 @@
 use Fcntl ':flock';
 use File::Temp qw(tempfile);
+use File::Spec;
 use constant REJECTED => 100;
 use constant DELIVERED => 0;
 my $loglevel=3;
 my $logging =0;
 my $logfile;
-if (exists $ENV{HOME} and defined $ENV{HOME} and -d $ENV{HOME}) {
-     $logfile = "$ENV{HOME}/.mail_audit.log"
-else {
-     (undef,$logfile) = tempfile("mail_audit.log-XXXXX",TMPDIR=>1);
 $VERSION = '2.0';
@@ -52,6 +47,15 @@
         $logfile = $self->{log};
     if ($logging) {
+        unless (defined $logfile) {
+            if (exists $ENV{HOME} and defined $ENV{HOME} and -d $ENV{HOME}) {
+                $logfile = "$ENV{HOME}/.mail_audit.log"
+            }
+            else {
+                (undef,$logfile) =
+                    tempfile("mail_audit.log-XXXXX", DIR => File::Spec->tmpdir);
+            }
+        }
         open LOG, ">>$logfile" or die $!;
         _log(1,"Logging started at ".scalar localtime);
         _log(2,"Incoming mail from ".$self->from);
@@ -225,8 +229,10 @@
 You may also specify C<< log => $logfile >> to write a debugging log; you
 can set the verbosity of the log with the C<loglevel> key, on a scale of
 1 to 4. If you specify a log level without a log file, logging will be
-written to F</tmp/you-audit.log> where F<you> is replaced by your user
-name. If you specify C<< noexit => 1 >>, C<Mail::Audit> will not exit
+written to F<.mail_audit.log> in your home directory if the HOME
+environment variable is set, or to F</tmp/mail_audit.log-XXXXX> (where
+F<XXXXX> contains random characters) if not. 
+If you specify C<< noexit => 1 >>, C<Mail::Audit> will not exit
 after delivering the mail, but continue running your filter. 

More information about the pkg-perl-maintainers mailing list