On Mon, 25 Apr 2022, Kirill Miazine via Exim-dev wrote:
> Beware that the just released RC0 for Exim 4.96 may break your Dovecot
> LDA delivery. It did break mine, which is similar to what is described
> on https://wiki.dovecot.org/LDA/Exim
>
> Here is the relevant ChangeLog entry:
>
> JH/25 Taint-check exec arguments for transport-initiated external processes.
> Previously, tainted values could be used. This affects "pipe", "lmtp" and
> "queryprogram" transport, transport-filter, and ETRN commands.
> The ${run} expansion is also affected: in "preexpand" mode no part of
> the command line may be tainted, in default mode the executable name
> may not be tainted.
> Jeremy Harris via Exim-announce [2022-04-23 20:23]:
> > Notable removals since 4.95:
> >
> > - the "allow_insecure_tainted_data" main config option and the
> > "taint" log_selector. These were previously deprecated.
That seemed like an unfortunate combination to me, so over on the
exim-dev list
https://lists.exim.org/lurker/message/20220426.072833.c68602fb.en.html
I asked:
> That isn't a good combination. Please could we keep the option to
> allow_insecure_tainted_data if there are new taint features ?
>
> That way we can continue to run live systems while we resolve
> these sort of problems.
To which Jeremy replied:
> The trouble with that is that it means the coverage of tracking
> tainted data use can never be extended.
>
> The commit for that removal is fairly extensive:
- see
https://lists.exim.org/lurker/message/20220427.174941.443df2eb.en.html
for the 27 reverts and 35 files changed.
Given that taint checking appeared in Exim 4.93
and allow_insecure_tainted_data in Exim 4.95,
this (Exim 4.96) would be the first time that allow_insecure_tainted_data
would actually be helpful.
Is it just me, or are others worried about the new taint checking
having unexpected consequences and no way to disable it for debugging ?
--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
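To make the quoted ChangeLog entry concrete, here is an added example (written for this page, not taken from the message, the Dovecot wiki page or the Exim project) of a Dovecot LDA pipe transport in the shape the linked wiki page uses, beside a router and transport pair that feeds the transport only untainted values. The /var/vmail layout, the router and transport names and the vmail user/group are assumptions; it also assumes Exim was built with the dsearch lookup, which returns the matched directory-entry name as its data.

```exim
# Added example; not configuration from the original message or the Dovecot wiki.
#
# Before: $local_part and $domain are copied from the envelope recipient, so
# they are tainted. Under the 4.96 RC0 change quoted above the pipe transport
# refuses to exec a command line containing them, which is the breakage the
# message reports.
dovecot_lda_tainted:
  driver = pipe
  command = /usr/lib/dovecot/deliver -d $local_part@$domain
  user = vmail
  group = mail
  message_prefix =
  message_suffix =
  log_output

# After: the router matches the recipient against configuration-controlled data
# (directory names under /var/vmail, an assumed layout). A successful lookup
# match copies the matched value into $domain_data and $local_part_data, which
# are untainted, so the transport can pass them to exec. Recipients that do not
# correspond to an existing maildir directory never reach the transport.
dovecot_lda_router:
  driver = accept
  domains = dsearch;/var/vmail
  local_parts = dsearch;/var/vmail/$domain_data
  transport = dovecot_lda

dovecot_lda:
  driver = pipe
  command = /usr/lib/dovecot/deliver -d $local_part_data@$domain_data
  user = vmail
  group = mail
  message_prefix =
  message_suffix =
  log_output
```

The point of the second form is not only that it satisfies the taint checker: the value handed to deliver is now something the administrator created on disk, not something chosen by whoever addressed the message, which is the property the taint tracking exists to enforce. When debugging a refusal, `exim -bt user@example.com` shows which router accepted the address and whether the *_data variables were populated, and a failed delivery logs the taint error in the main log.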