Package: twiki
Version: 20040902-3
Severity: normal
When TWiki uses Net::SMTP for mailing, the /usr/lib/cgi-bin/twiki/register script breaks with the message:

  Insecure dependency in connect while running with -T switch at /usr/lib/perl/5.8/IO/Socket.pm line 114.

A quick analysis of the code shows that the TWiki::Net module code isn't taint-ready at all. It doesn't properly run user-supplied input through the regexps. Somebody has to teach the upstream authors that the s/// operator doesn't untaint. Only the $1, $2, etc. variables after a match of tainted data are not tainted.

It seems that the -T switch should be removed from the scripts, because they have to be thoroughly audited and tested before they would be able to work in taint mode under perl 5.8.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-xeon
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)

Versions of packages twiki depends on:
ii  apache-common               1.3.33-6   support files for all Apache webse
ii  debconf                     1.4.30.13  Debian configuration management sy
ii  libalgorithm-diff-perl      1.19.01-1  a perl library for finding Longest
ii  libdigest-sha1-perl         2.10-1     NIST SHA-1 message digest algorith
ii  libnet-perl                 1:1.19-1   Implementation of Internet protoco
ii  libtext-diff-perl           0.35-2     Perform diffs on files and record
ii  perl [libmime-base64-perl]  5.8.4-8    Larry Wall's Practical Extraction
ii  perl-modules [libnet-perl]  5.8.4-8    Core Perl modules
ii  rcs                         5.7-15     The GNU Revision Control System

-- debconf information excluded
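The taint-mode point in the report, demonstrated in a small stand-alone script (added here for illustration; this is not TWiki code and not part of the bug report): under perl -T a value stripped with s/// stays tainted, so handing it to IO::Socket's connect() still dies with "Insecure dependency in connect", while a capture group from an anchored allowlist match is untainted and safe to pass on. The hostname pattern is an assumed allowlist chosen for the example, not a rule taken from TWiki or Net::SMTP.

```perl
#!/usr/bin/perl -T
# Run as:  perl -T untaint_demo.pl 'mail.example.org'
# (the -T on the command line matters; perl refuses a late -T from the shebang alone)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed input: under -T every command-line argument is tainted,
# just like CGI parameters or %ENV values read by a web script.
my $raw = defined $ARGV[0] ? $ARGV[0] : 'smtp.example.org';

# Attempt 1: scrub with s///. Every remaining character is now from the
# allowed set, but perl does NOT consider the result untainted, because
# s/// is not a capture of tainted data; it only edited the tainted string.
my $scrubbed = $raw;
$scrubbed =~ s/[^A-Za-z0-9.-]//g;
printf "after s///   : tainted=%d value=%s\n", (tainted($scrubbed) ? 1 : 0), $scrubbed;

# Attempt 2: validate against an anchored allowlist and take the capture.
# $1 is untainted; if the whole string does not match we refuse rather than
# "cleaning" it, which is the pattern a taint-clean mailer needs.
# The pattern below is an assumed allowlist for plain hostnames (example only).
sub untaint_host {
    my ($candidate) = @_;
    return undef unless defined $candidate;
    if ($candidate =~ /^([A-Za-z0-9][A-Za-z0-9.-]{0,252})\z/) {
        return $1;    # untainted copy of the validated value
    }
    return undef;     # caller must treat this as a hard error
}

my $host = untaint_host($raw);
if (defined $host) {
    printf "after capture: tainted=%d value=%s\n", (tainted($host) ? 1 : 0), $host;
    # Only $host (never $raw or $scrubbed) may be handed to Net::SMTP->new(...)
    # or IO::Socket::INET->new(PeerAddr => $host, ...) under -T.
} else {
    die "refusing to use mail host '$raw': not a plain hostname\n";
}
```

With -T in effect the first printf reports tainted=1 and the second tainted=0. The same shape (anchored match, take the capture, die on no match) is what each user- or config-supplied value in a script must go through before it reaches connect(), open(), system() or similar calls; removing -T instead, as the report suggests for the short term, silences the check but leaves the unvalidated values in place.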