diff --git a/.cvsignore b/.cvsignore
index e2c9446..9bd48f0 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-Mail-SpamAssassin-3.2.5.tar.bz2
+Mail-SpamAssassin-3.3.0-alpha1.tar.bz2
diff --git a/Mail-SpamAssassin-3.3.0-missing-pre.patch b/Mail-SpamAssassin-3.3.0-missing-pre.patch
new file mode 100644
index 0000000..cfd6668
--- /dev/null
+++ b/Mail-SpamAssassin-3.3.0-missing-pre.patch
@@ -0,0 +1,250 @@
+diff -urN Mail-SpamAssassin-3.3.0.orig/rules/init.pre Mail-SpamAssassin-3.3.0/rules/init.pre
+--- Mail-SpamAssassin-3.3.0.orig/rules/init.pre 1969-12-31 19:00:00.000000000 -0500
++++ Mail-SpamAssassin-3.3.0/rules/init.pre 2009-07-06 18:56:58.599173705 -0400
+@@ -0,0 +1,36 @@
++# This is the right place to customize your installation of SpamAssassin.
++#
++# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
++# tweaked.
++#
++# This file contains plugin activation commands for plugins included
++# in SpamAssassin 3.0.x releases. It will not be installed if you
++# already have a file in place called "init.pre".
++#
++# There are now multiple files read to enable plugins in the
++# /etc/mail/spamassassin directory; previously only one, "init.pre" was
++# read. Now both "init.pre", "v310.pre", and any other files ending in
++# ".pre" will be read. As future releases are made, new plugins will be
++# added to new files, named according to the release they're added in.
++###########################################################################
++
++# RelayCountry - add metadata for Bayes learning, marking the countries
++# a message was relayed through
++#
++# Note: This requires the IP::Country::Fast Perl module
++#
++# loadplugin Mail::SpamAssassin::Plugin::RelayCountry
++
++# URIDNSBL - look up URLs found in the message against several DNS
++# blocklists.
++#
++loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
++
++# Hashcash - perform hashcash verification.
++#
++loadplugin Mail::SpamAssassin::Plugin::Hashcash
++
++# SPF - perform SPF verification.
++#
++loadplugin Mail::SpamAssassin::Plugin::SPF
++
+diff -urN Mail-SpamAssassin-3.3.0.orig/rules/v310.pre Mail-SpamAssassin-3.3.0/rules/v310.pre
+--- Mail-SpamAssassin-3.3.0.orig/rules/v310.pre 1969-12-31 19:00:00.000000000 -0500
++++ Mail-SpamAssassin-3.3.0/rules/v310.pre 2009-07-06 18:56:58.600173835 -0400
+@@ -0,0 +1,78 @@
++# This is the right place to customize your installation of SpamAssassin.
++#
++# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
++# tweaked.
++#
++# This file was installed during the installation of SpamAssassin 3.1.0,
++# and contains plugin loading commands for the new plugins added in that
++# release. It will not be overwritten during future SpamAssassin installs,
++# so you can modify it to enable some disabled-by-default plugins below,
++# if you so wish.
++#
++# There are now multiple files read to enable plugins in the
++# /etc/mail/spamassassin directory; previously only one, "init.pre" was
++# read. Now both "init.pre", "v310.pre", and any other files ending in
++# ".pre" will be read. As future releases are made, new plugins will be
++# added to new files, named according to the release they're added in.
++###########################################################################
++
++# DCC - perform DCC message checks.
++#
++# DCC is disabled here because it is not open source. See the DCC
++# license for more details.
++#
++#loadplugin Mail::SpamAssassin::Plugin::DCC
++
++# Pyzor - perform Pyzor message checks.
++#
++loadplugin Mail::SpamAssassin::Plugin::Pyzor
++
++# Razor2 - perform Razor2 message checks.
++#
++loadplugin Mail::SpamAssassin::Plugin::Razor2
++
++# SpamCop - perform SpamCop message reporting
++#
++loadplugin Mail::SpamAssassin::Plugin::SpamCop
++
++# AntiVirus - some simple anti-virus checks, this is not a replacement
++# for an anti-virus filter like Clam AntiVirus
++#
++#loadplugin Mail::SpamAssassin::Plugin::AntiVirus
++
++# AWL - do auto-whitelist checks
++#
++#loadplugin Mail::SpamAssassin::Plugin::AWL
++
++# AutoLearnThreshold - threshold-based discriminator for Bayes auto-learning
++#
++loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
++
++# TextCat - language guesser
++#
++#loadplugin Mail::SpamAssassin::Plugin::TextCat
++
++# AccessDB - lookup from-addresses in access database
++#
++#loadplugin Mail::SpamAssassin::Plugin::AccessDB
++
++# WhitelistSubject - Whitelist/Blacklist certain subject regular expressions
++#
++loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
++
++###########################################################################
++# experimental plugins
++
++# DomainKeys - perform DomainKeys verification
++#
++# This plugin has been removed as of v3.3.0. Use the DKIM plugin instead,
++# which supports both Domain Keys and DKIM.
++
++# MIMEHeader - apply regexp rules against MIME headers in the message
++#
++loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
++
++# ReplaceTags
++#
++loadplugin Mail::SpamAssassin::Plugin::ReplaceTags
++
+diff -urN Mail-SpamAssassin-3.3.0.orig/rules/v312.pre Mail-SpamAssassin-3.3.0/rules/v312.pre
+--- Mail-SpamAssassin-3.3.0.orig/rules/v312.pre 1969-12-31 19:00:00.000000000 -0500
++++ Mail-SpamAssassin-3.3.0/rules/v312.pre 2009-07-06 18:56:58.600173835 -0400
+@@ -0,0 +1,29 @@
++# This is the right place to customize your installation of SpamAssassin.
++#
++# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
++# tweaked.
++#
++# This file was installed during the installation of SpamAssassin 3.1.2,
++# and contains plugin loading commands for the new plugins added in that
++# release. It will not be overwritten during future SpamAssassin installs,
++# so you can modify it to enable some disabled-by-default plugins below,
++# if you so wish.
++#
++# There are now multiple files read to enable plugins in the
++# /etc/mail/spamassassin directory; previously only one, "init.pre" was
++# read. Now both "init.pre", "v310.pre", and any other files ending in
++# ".pre" will be read. As future releases are made, new plugins will be
++# added to new files, named according to the release they're added in.
++
++###########################################################################
++# experimental plugins
++
++# DKIM - perform DKIM verification
++#
++# Mail::DKIM module required for use, see INSTALL for more information.
++#
++# Note that if C version 0.20 or later is installed, this
++# renders the DomainKeys plugin redundant.
++#
++loadplugin Mail::SpamAssassin::Plugin::DKIM
++
+diff -urN Mail-SpamAssassin-3.3.0.orig/rules/v320.pre Mail-SpamAssassin-3.3.0/rules/v320.pre
+--- Mail-SpamAssassin-3.3.0.orig/rules/v320.pre 1969-12-31 19:00:00.000000000 -0500
++++ Mail-SpamAssassin-3.3.0/rules/v320.pre 2009-07-06 18:56:58.600173835 -0400
+@@ -0,0 +1,64 @@
++# This is the right place to customize your installation of SpamAssassin.
++#
++# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
++# tweaked.
++#
++# This file was installed during the installation of SpamAssassin 3.2.0,
++# and contains plugin loading commands for the new plugins added in that
++# release. It will not be overwritten during future SpamAssassin installs,
++# so you can modify it to enable some disabled-by-default plugins below,
++# if you so wish.
++#
++# There are now multiple files read to enable plugins in the
++# /etc/mail/spamassassin directory; previously only one, "init.pre" was
++# read. Now both "init.pre", "v310.pre", and any other files ending in
++# ".pre" will be read. As future releases are made, new plugins will be
++# added to new files, named according to the release they're added in.
++###########################################################################
++
++# Check - Provides main check functionality
++#
++loadplugin Mail::SpamAssassin::Plugin::Check
++
++# HTTPSMismatch - find URI mismatches between href and anchor text
++#
++loadplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
++
++# URIDetail - test URIs using detailed URI information
++#
++loadplugin Mail::SpamAssassin::Plugin::URIDetail
++
++# Shortcircuit - stop evaluation early if high-accuracy rules fire
++#
++# loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
++
++# Plugins which used to be EvalTests.pm
++# broken out into separate plugins
++loadplugin Mail::SpamAssassin::Plugin::Bayes
++loadplugin Mail::SpamAssassin::Plugin::BodyEval
++loadplugin Mail::SpamAssassin::Plugin::DNSEval
++loadplugin Mail::SpamAssassin::Plugin::HTMLEval
++loadplugin Mail::SpamAssassin::Plugin::HeaderEval
++loadplugin Mail::SpamAssassin::Plugin::MIMEEval
++loadplugin Mail::SpamAssassin::Plugin::RelayEval
++loadplugin Mail::SpamAssassin::Plugin::URIEval
++loadplugin Mail::SpamAssassin::Plugin::WLBLEval
++
++# VBounce - anti-bounce-message rules, see rules/20_vbounce.cf
++#
++loadplugin Mail::SpamAssassin::Plugin::VBounce
++
++# Rule2XSBody - speedup by compilation of ruleset to native code
++#
++# loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody
++
++# ASN - Look up the Autonomous System Number of the connecting IP
++# and create a header containing ASN data for bayes tokenization.
++# See plugin's POD docs for usage info.
++#
++# loadplugin Mail::SpamAssassin::Plugin::ASN
++
++# ImageInfo - rules to match metadata of image attachments
++#
++loadplugin Mail::SpamAssassin::Plugin::ImageInfo
++
+diff -urN Mail-SpamAssassin-3.3.0.orig/rules/v330.pre Mail-SpamAssassin-3.3.0/rules/v330.pre
+--- Mail-SpamAssassin-3.3.0.orig/rules/v330.pre 1969-12-31 19:00:00.000000000 -0500
++++ Mail-SpamAssassin-3.3.0/rules/v330.pre 2009-07-06 18:56:58.600173835 -0400
+@@ -0,0 +1,23 @@
++# This is the right place to customize your installation of SpamAssassin.
++#
++# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
++# tweaked.
++#
++# This file was installed during the installation of SpamAssassin 3.3.0,
++# and contains plugin loading commands for the new plugins added in that
++# release. It will not be overwritten during future SpamAssassin installs,
++# so you can modify it to enable some disabled-by-default plugins below,
++# if you so wish.
++#
++# There are now multiple files read to enable plugins in the
++# /etc/mail/spamassassin directory; previously only one, "init.pre" was
++# read. Now both "init.pre", "v310.pre", and any other files ending in
++# ".pre" will be read. As future releases are made, new plugins will be
++# added to new files, named according to the release they're added in.
++###########################################################################
++
++# PhishTag - allows sites to rewrite suspect phish-mail URLs
++# (Note: this requires configuration, see http://umut.topkara.org/PhishTag)
++#
++#loadplugin Mail::SpamAssassin::Plugin::PhishTag
++
diff --git a/Mail-SpamAssassin-3.3.0-perl-bug-taint.patch b/Mail-SpamAssassin-3.3.0-perl-bug-taint.patch
new file mode 100644
index 0000000..8ccc257
--- /dev/null
+++ b/Mail-SpamAssassin-3.3.0-perl-bug-taint.patch
@@ -0,0 +1,163 @@
+Index: lib/Mail/SpamAssassin/PerMsgStatus.pm
+===================================================================
+--- lib/Mail/SpamAssassin/PerMsgStatus.pm (revision 791769)
++++ lib/Mail/SpamAssassin/PerMsgStatus.pm (working copy)
+@@ -2200,11 +2200,13 @@
+ # default ruletype, if not specified:
+ $params{ruletype} ||= 'unknown';
+
++ my $rule_descr = $self->{conf}->get_description_for_rule($rule);
++ $rule_descr = $rule if !defined $rule_descr || $rule_descr eq '';
+ $self->_handle_hit($rule,
+ $score,
+ $area,
+ $params{ruletype},
+- $self->{conf}->get_description_for_rule($rule) || $rule);
++ $rule_descr);
+
+ # take care of duplicate rules, too (bug 5206)
+ my $dups = $self->{conf}->{duplicate_rules}->{$rule};
+Index: lib/Mail/SpamAssassin/Conf.pm
+===================================================================
+--- lib/Mail/SpamAssassin/Conf.pm (revision 791769)
++++ lib/Mail/SpamAssassin/Conf.pm (working copy)
+@@ -3571,7 +3571,11 @@
+
+ sub get_description_for_rule {
+ my ($self, $rule) = @_;
+- return $self->{descriptions}->{$rule};
++ # as silly as it looks, localized $1 here prevents an outer $1 from getting
++ # tainted by the expression or assignment in the next line, bug 6148
++ local($1);
++ my $rule_descr = $self->{descriptions}->{$rule};
++ return $rule_descr;
+ }
+
+ ###########################################################################
+Index: sa-update.raw
+===================================================================
+--- sa-update.raw (revision 791769)
++++ sa-update.raw (working copy)
+@@ -47,6 +47,7 @@
+ use Config;
+ use strict;
+ use warnings;
++use re 'taint';
+
+ BEGIN { # see comments in "spamassassin.raw" for doco
+ my @bin = File::Spec->splitpath($0);
+@@ -221,10 +222,7 @@
+ # we're not a setuid script, we trust them
+ foreach my $optkey (keys %opt) {
+ next if ref $opt{$optkey};
+- my $untaint = $opt{$optkey};
+- next unless defined $untaint;
+- $untaint =~ /^(.*)$/;
+- $opt{$optkey} = $1;
++ Mail::SpamAssassin::Util::untaint_var(\$opt{$optkey});
+ }
+
+ ##############################################################################
+@@ -344,9 +342,9 @@
+
+ # untaint the channel listing
+ for(my $ind = 0; $ind < @channels; $ind++) {
+- local ($1); # bug 5061: prevent random taint flagging of $1
++ local($1); # bug 5061: prevent random taint flagging of $1
+ if ($channels[$ind] =~ /^([a-zA-Z0-9._-]+)$/) {
+- $channels[$ind] = $1;
++ Mail::SpamAssassin::Util::untaint_var(\$channels[$ind]);
+ }
+ else {
+ dbg("channel: skipping invalid channel: $channels[$ind]");
+@@ -416,6 +414,7 @@
+ my $currentV = -1;
+ if (open(CF, $CFFile)) {
+ while() {
++ local($1,$2);
+ last unless /^# UPDATE\s+([A-Za-z]+)\s+(\S+)/;
+ my($type, $value) = (lc $1,$2);
+
+@@ -435,6 +434,7 @@
+ my $DNSQ = "$RevSAVersion.$channel";
+
+ my $dnsV = join(' ', do_txt_query($DNSQ));
++ local($1);
+ if (defined $dnsV && $dnsV =~ /^(\d+)/) {
+ $newV = $1 if (!defined $newV || $1 > $newV);
+ dbg("dns: $DNSQ => $dnsV, parsed as $1");
+@@ -464,6 +464,7 @@
+ } else { # $instfile
+ # the /.*/ ensures we use the 3-digit string nearest to the end of string, otherwise
+ # we might pick up something from the middle of the directory path
++ local($1);
+ if ($instfile !~ /(?:.*\D|^)(\d{3,})/) {
+ # this is a requirement
+ die "channel: $channel: --install file $instfile does not contain a 3-digit version number!\n";
+@@ -632,8 +633,10 @@
+ # Validate the SHA1 signature before going forward with more complicated
+ # operations.
+ # The SHA1 file may be "signature filename" ala sha1sum, just use the signature
+- $SHA1 =~ /^([a-fA-F0-9]{40})/;
+- $SHA1 = $1 || 'INVALID';
++ { local($1);
++ $SHA1 =~ /^([a-fA-F0-9]{40})/;
++ $SHA1 = $1 || 'INVALID';
++ }
+ my $digest = sha1_hex($content);
+ dbg("sha1: verification wanted: $SHA1");
+ dbg("sha1: verification result: $digest");
+@@ -690,6 +693,7 @@
+ warn $GNUPG."\n"; # report bad news
+ }
+
++ local($1);
+ if ($GNUPG =~ /^\Q[GNUPG:]\E NO_PUBKEY \S+(\S{8})$/) {
+ $missingkeys .= $1." ";
+ }
+@@ -887,9 +891,7 @@
+ my @files = ();
+ while(my $file = readdir(DIR)) {
+ next if $file eq '.' || $file eq '..';
+- local ($1); # avoid random taint flagging of $1
+- $file =~ /^(.+)$/; # untaint
+- $file = $1;
++ Mail::SpamAssassin::Util::untaint_var(\$file);
+ my $path = File::Spec->catfile($UPDDir, $file);
+ next unless (-f $path); # shouldn't ever happen
+ push(@files, $file);
+@@ -1039,6 +1041,7 @@
+ foreach my $file (@files) {
+ next if ($file =~ /^\/$/); # ignore dirs
+
++ local($1);
+ $file =~ /^([-\.\,\/a-zA-Z0-9_]+)$/;
+ my $outfname = $1;
+ $outfname =~ s/\.\.\//__\//gs; # avoid "../" dir traversal attacks
+@@ -1050,6 +1053,7 @@
+
+ if ($outfname =~ /\.(?:pre|cf)$/) {
+ # replace macros in the update files if it's a .pre or .cf
++ local($1);
+ $content =~ s/\@\@([^\@]+)\@\@/$MACRO_VALUES{$1} || "\@\@$1\@\@"/ge;
+
+ # also, if --allowplugins is not specified, comment out
+@@ -1089,6 +1093,7 @@
+ if ($RR) {
+ foreach my $rr ($RR->answer) {
+ my $text = $rr->rdatastr;
++ local($1);
+ $text =~ /^"(.*)"$/;
+ push @result, $1;
+ }
+@@ -1311,9 +1316,7 @@
+ }
+ while(my $file = readdir(DIR)) {
+ next if $file eq '.' || $file eq '..';
+- local ($1); # bug 5216: prevent random taint flagging of $1
+- $file =~ /^(.+)$/; # untaint
+- $file = $1;
++ Mail::SpamAssassin::Util::untaint_var(\$file);
+
+ my $path = File::Spec->catfile($dir, $file);
+ next unless (-f $path);
diff --git a/sources b/sources
index 333d97b..aa549e1 100644
--- a/sources
+++ b/sources
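Review bot: In the inner `sa-update.raw` hunk `@@ -344,9 +342,9 @@` the channel check still anchors with `$`, which also matches just before a trailing newline, while the new `untaint_var(\$channels[$ind])` call takes no pattern and so presumably untaints the whole value, where the old `$channels[$ind] = $1` kept only the captured part; anchoring with `\z`, as in `if ($channels[$ind] =~ /^([a-zA-Z0-9._-]+)\z/) {`, keeps the validated text and the untainted text identical. The hunk at `@@ -1039,6 +1041,7 @@` has a related gap: the result of `$file =~ /^([-\.\,\/a-zA-Z0-9_]+)$/` is never tested, so a name that fails the character class still reaches `$outfname` as whatever `$1` holds (undefined or left over from an earlier match); `next unless $file =~ /^([-\.\,\/a-zA-Z0-9_]+)\z/;` would skip it, and the unchecked `$text =~ /^"(.*)"$/` at `@@ -1089,6 +1093,7 @@` deserves the same test. With `use re 'taint'` now in effect for the file, captures taken from tainted data stay tainted, so it is worth confirming that none of the remaining `$1` assignments (`$outfname`, `$SHA1`, `$newV`) is still relied on to untaint a value. All of these loops start or end outside their hunks.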
@@ -1 +1 @@
-695f9107b240383e48df8938f2de334e Mail-SpamAssassin-3.2.5.tar.bz2
+04141392e1f20ea4a91bb63937351c65 Mail-SpamAssassin-3.3.0-alpha1.tar.bz2
diff --git a/spamassassin.spec b/spamassassin.spec
index b167c5f..749f66b 100644
--- a/spamassassin.spec
+++ b/spamassassin.spec
@@ -40,12 +40,13 @@
 Summary: Spam filter for email which can be invoked from mail delivery agents
 Name: spamassassin
-Version: 3.2.5
-Release: 5%{?dist}
+Version: 3.3.0
+%define prename alpha1
+Release: 0.1.alpha1%{?dist}
 License: ASL 2.0
 Group: Applications/Internet
 URL: http://spamassassin.apache.org/
-Source0: http://www.apache.org/dist/%{name}/%{real_name}-%{version}.tar.bz2
+Source0: http://www.apache.org/dist/%{name}/%{real_name}-%{version}-%{prename}.tar.bz2
 Source2: redhat_local.cf
 Source3: spamassassin-default.rc
 Source4: spamassassin-spamc.rc
@@ -57,7 +58,8 @@ Source10: spamassassin-helper.sh
 # Patches 0-99 are RH specific
 # none yet
 # Patches 100+ are SVN backports (DO NOT REUSE!)
-#Patch100: Mail-SpamAssassin-3.2.2-bug5574-setuid.patch
+Patch100: Mail-SpamAssassin-3.3.0-missing-pre.patch
+Patch101: Mail-SpamAssassin-3.3.0-perl-bug-taint.patch
 # end of patches
 Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
 Buildroot: %{_tmppath}/%{name}-root
@@ -68,6 +70,7 @@ BuildRequires: perl >= 2:5.8.0
 BuildRequires: perl(Net::DNS)
 BuildRequires: perl(Time::HiRes)
 BuildRequires: perl(HTML::Parser)
+BuildRequires: perl(NetAddr::IP)
 BuildRequires: openssl-devel
 Requires: perl(HTTP::Date)
@@ -119,7 +122,8 @@ To filter spam for all users, add that line to /etc/procmailrc
 # Patches 0-99 are RH specific
 # none yet
 # Patches 100+ are SVN backports (DO NOT REUSE!)
-#%patch100 -p0
+%patch100 -p1
+%patch101 -p0
 # end of patches
 %build
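Review bot: `Patch100` is reassigned in the `@@ -57,7 +58,8 @@` hunk even though the comment directly above it says patches 100+ are SVN backports and must not be reused; the number previously named `Mail-SpamAssassin-3.2.2-bug5574-setuid.patch`, so anyone tracing that fix by number now lands on an unrelated patch. Taking the next free numbers instead, `Patch101: Mail-SpamAssassin-3.3.0-missing-pre.patch` and `Patch102: Mail-SpamAssassin-3.3.0-perl-bug-taint.patch`, with `%patch101 -p1` and `%patch102 -p0` in the `@@ -119,7 +122,8 @@` hunk, keeps the backport history unambiguous. A one-line comment above each entry stating what the patch carries and why the two strip levels differ would also help the next maintainer.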
@@ -222,6 +226,14 @@ fi exit 0 %changelog +* Mon Jul 06 2009 Warren Togami - 3.3.0-0.1.alpha1 +- 3.3.0-alpha1 +- WARNING: spamassassin-3.3.0+ no longer ships with rules. + You must run sa-update to download rules before you use spamassassin. + Failure to download rules means spamassassin always returns unfiltered. + Should we ship a set of rules with spamassassin? Please discuss on + fedora-devel-list. + * Wed Feb 25 2009 Fedora Release Engineering - 3.2.5-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild