Bug 1379993

Summary: warn: plugin: eval failed: Insecure dependency in sprintf while running with -T switch at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Logger.pm line 241.
Product: Red Hat Enterprise Linux 7
Reporter: Brian J. Murrell <brian>
Component: spamassassin
Assignee: Ondřej Lysoněk <olysonek>
Status: CLOSED WONTFIX
QA Contact: qe-baseos-daemons
Severity: urgent
Priority: unspecified
Version: 7.2
CC: ajb, amahdal, phil, psklenar, thozza, toracat
Target Milestone: rc
Keywords: Patch, Upstream
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2019-12-06 16:06:25 UTC
Type: Bug
Bug Blocks: 1534569

Description Brian J. Murrell 2016-09-28 11:49:25 UTC
Description of problem:
Bayesian classification is not working due to a bug already fixed upstream

Version-Release number of selected component (if applicable):
spamassassin-3.4.0-2.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Set up a mail server with spamassassin
2. Run an e-mail through spamassassin -D

Actual results:
warn: plugin: eval failed: Insecure dependency in sprintf while running with -T switch at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Logger.pm line 241.
and no bayesian classification

Expected results:
Should not get an error and bayesian classification should work

Additional info:

Here's the snippet where the problem happens.

Sep 28 07:44:54.705 [13763] dbg: plugin: Mail::SpamAssassin::Plugin::Bayes=HASH(0x2a3a6c8) implements 'learner_new', priority 0
Sep 28 07:44:54.705 [13763] dbg: bayes: learner_new self=Mail::SpamAssassin::Plugin::Bayes=HASH(0x2a3a6c8), bayes_store_module=Mail::SpamAssassin::BayesStore::DBM
Sep 28 07:44:54.720 [13763] dbg: bayes: learner_new: got store=Mail::SpamAssassin::BayesStore::DBM=HASH(0x2dbb710)
Sep 28 07:44:54.721 [13763] dbg: plugin: Mail::SpamAssassin::Plugin::Bayes=HASH(0x2a3a6c8) implements 'learner_is_scan_available', priority 0
Sep 28 07:44:54.721 [13763] dbg: config: using "/home/brian.real/.spamassassin" for user state dir
Sep 28 07:44:54.722 [13763] dbg: bayes: tie-ing to DB file R/O /home/brian.real/.spamassassin/bayes_toks
Sep 28 07:44:54.726 [13763] dbg: bayes: tie-ing to DB file R/O /home/brian.real/.spamassassin/bayes_seen
Sep 28 07:44:54.735 [13763] dbg: bayes: found bayes db version 3
Sep 28 07:44:54.737 [13763] warn: plugin: eval failed: Insecure dependency in sprintf while running with -T switch at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Logger.pm line 241.

This is fixed upstream with this commit: https://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/BayesStore/DBM.pm?r1=1608413&r2=1608412&pathrev=1608413 and presumably in 3.4.1.  The version that is in RHEL 7.2 right now is over 2 years old!
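
A log check for the failure quoted above, as an added example that is not part of the original report or of SpamAssassin: it scans `spamassassin -D` output for taint-mode eval failures and shows, per process, the last debug message before the first failure, which here points at the Bayes store. The names sa_taint_failures and sample_log are made up for this example; the sample lines are abridged from this report, plus one constructed clean process.

```shell
#!/bin/sh
# Added example: flag taint-mode ("-T") eval failures in `spamassassin -D`
# output and show what each process was doing just before the failure.

# Sample input: lines abridged from the debug output quoted in this report,
# plus a constructed second process (PID 20001) that logs no failure.
sample_log() {
cat <<'EOF'
Sep 28 07:44:54.722 [13763] dbg: bayes: tie-ing to DB file R/O /home/brian.real/.spamassassin/bayes_toks
Sep 28 07:44:54.735 [13763] dbg: bayes: found bayes db version 3
Sep 28 07:44:54.737 [13763] warn: plugin: eval failed: Insecure dependency in sprintf while running with -T switch at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Logger.pm line 241.
Sep 28 07:45:10.101 [20001] dbg: bayes: found bayes db version 3
Sep 28 07:45:10.150 [20001] dbg: check: is spam? score=1.2 required=5
EOF
}

# Reads debug output on stdin. Prints one line per affected process:
#   PID <TAB> number of failures <TAB> last dbg message before the first one
# Field 4 is "[PID]" and field 5 the level; the month name in field 1 is
# locale-dependent (e.g. "říj"), so it is never matched against.
sa_taint_failures() {
    awk '
    $4 ~ /^\[[0-9]+\]$/ {
        pid = substr($4, 2, length($4) - 2)
        if ($5 == "dbg:") {
            # remember the most recent debug message of this process
            last[pid] = substr($0, index($0, "] dbg: ") + 7)
        } else if ($5 == "warn:" && /Insecure dependency in .* while running with -T switch/) {
            if (!(pid in hits)) {
                order[++n] = pid
                ctx[pid] = (pid in last) ? last[pid] : "-"
            }
            hits[pid]++
        }
    }
    END {
        for (i = 1; i <= n; i++)
            printf "%s\t%d\t%s\n", order[i], hits[order[i]], ctx[order[i]]
    }'
}

sample_log | sa_taint_failures
```

Because the failure is logged only at warn level and mail still flows, an empty result from this check on a debug run is the quickest confirmation that Bayes scoring is not being silently skipped.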

Comment 2 Jakub Jelen 2016-09-30 12:01:28 UTC
Can you verify that the problem gets fixed by applying the above mentioned patch for you?
I set up a Copr repo (epel7) with spamassassin with this patch:
https://copr.fedorainfracloud.org/coprs/jjelen/spamasassin-epel7/

Comment 3 Brian J. Murrell 2016-09-30 12:04:48 UTC
Yes, I already patched my local installation here with that and it's working fine.

Comment 4 Phil Perry 2017-04-13 23:20:49 UTC
I'm seeing the same issue on RHEL7.3

rpm -q spamassassin
spamassassin-3.4.0-2.el7.x86_64

Any idea when this might get fixed?

Comment 5 Phil Perry 2017-04-19 20:06:25 UTC
I have applied the above patch locally and can confirm it has fixed the issue for me.

Comment 6 Ondřej Lysoněk 2018-10-28 16:35:05 UTC
Simple reproducer:
[root@localhost]# yum install -y spamassassin
[root@localhost]# cat gen.sh 
#!/bin/bash

test -d spam || mkdir spam ham

for i in $(seq $1 $2); do
	cat << EOF > spam/$i
Subject: foo

$i bar
EOF

	cat << EOF > ham/$i
Subject: abc

$i def
EOF

done
[root@localhost]# bash gen.sh 1 200
[root@localhost]# sa-learn --spam spam
Learned tokens from 200 message(s) (200 message(s) examined)
[root@localhost]# sa-learn --ham ham
Learned tokens from 200 message(s) (200 message(s) examined)
[root@localhost]# cat mail
Subject: foo

bar
[root@localhost]# cat mail | spamassassin -D 2>&1 | grep Insecure
[root@localhost]# bash gen.sh 201 250
[root@localhost]# sa-learn --spam spam
Learned tokens from 50 message(s) (250 message(s) examined)
[root@localhost]# sa-learn --ham ham
Learned tokens from 50 message(s) (250 message(s) examined)
[root@localhost]# cat mail | spamassassin -D 2>&1 | grep Insecure
říj 28 12:29:46.590 [12945] warn: plugin: eval failed: Insecure dependency in sprintf while running with -T switch at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Logger.pm line 241.
říj 28 12:29:46.593 [12945] warn: plugin: eval failed: Insecure dependency in sprintf while running with -T switch at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Logger.pm line 241.

Comment 7 Tomáš Hozza 2019-12-06 16:06:18 UTC
Red Hat Enterprise Linux version 7 entered the Maintenance Support 1 Phase in August 2019. In this phase only qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. Other errata advisories may be delivered as appropriate.

This bug has been reviewed by Support and Engineering representatives and does not meet the inclusion criteria for the Maintenance Support 1 Phase. If this issue still exists in a newer major version of Red Hat Enterprise Linux, it has been cloned there and work will continue in the cloned bug.

For more information about Red Hat Enterprise Linux Lifecycle, please see https://access.redhat.com/support/policy/updates/errata/

Comment 8 RHEL Program Management 2019-12-06 16:06:25 UTC
Development Management has reviewed and declined this request. You may appeal this decision by using your Red Hat support channels, who will make certain the issue receives the proper prioritization with product and development management.

https://www.redhat.com/support/process/production/#howto