SuSE alert: hylafax

Posted by dave on Apr 20, 2001 1:34 AM EDT
Mailing list
Mail this story
Print this story

The HylaFax program hfaxd(8c) implements the server part of the HylaFax package. It is started either by inetd(8) or runs in standalone mode. hfaxd(8c) offers three different protocols to process fax jobs. When hfaxd(8c) tries to change to it's queue directory and fails, it prints an error message via syslog by directly passing user supplied data as format string. As long as hfaxd(8c) is installed setuid root, this behavior could be exploited to gain root access locally.

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                        SuSE Security Announcement

        Package: hylafax
        Announcement-ID: SuSE-SA:2001:15
        Date: Friday, April 20th, 2001 10.26 MEST
        Affected SuSE versions: [6.1, 6.2,] 6.3, 6.4, 7.0, 7.1
        Vulnerability Type: local root compromise
        Severity (1-10): 7
        SuSE default package: no
        Other affected systems: all systems using hylafax

        Content of this advisory:
        1) security vulnerability resolved: hylafax
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, solutions, workarounds
        3) standard appendix (further information)

______________________________________________________________________________

1) problem description, brief discussion, solution, upgrade information

    The HylaFax program hfaxd(8c) implements the server part of the
    HylaFax package. It is started either by inetd(8) or runs in
    standalone mode. hfaxd(8c) offers three different protocols to
    process fax jobs.
    When hfaxd(8c) tries to change to it's queue directory and fails,
    it prints an error message via syslog by directly passing user
    supplied data as format string. As long as hfaxd(8c) is installed
    setuid root, this behavior could be exploited to gain root access
    locally.

    As a workaround remove the setuid bit:
      /bin/chmod u-s /usr/lib/fax/hfaxd
    or restrict access to trusted users only:
      /bin/chown root.trusted /usr/lib/fax/hfaxd
      /bin/chmod 4750 /usr/lib/fax/hfaxd

    Download the update package from locations described below and install
    the package with the command `rpm -Uhv file.rpm'. The md5sum for each
    file is in the line below. You can verify the integrity of the rpm
    files using the command
        `rpm --checksig --nogpg file.rpm',
    independently from the md5 signatures below.

    i386 Intel Platform:

    SuSE-7.1
    ftp://ftp.suse.com/pub/suse/i386/update/7.1/n3/hylafax-4.1beta2-251.i386.rpm
      a3d5d0d5a8977852b02dc9b7352054aa
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/hylafax-4.1beta2-251.src.rpm
      b5c8877de53db86eabfae932142221d7

    SuSE-7.0
    ftp://ftp.suse.com/pub/suse/i386/update/7.0/n2/hylafax-4.1beta2-254.i386.rpm
      5be3094195a789d83b02d59ab343d7b5
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/hylafax-4.1beta2-254.src.rpm
      87ee1d77eea95eac74c6b8355912ad9f

    SuSE-6.4
    ftp://ftp.suse.com/pub/suse/i386/update/6.4/n2/hylafax-4.1beta2-253.i386.rpm
      90a894b8d47a94125992f3a64a6ada44
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/hylafax-4.1beta2-253.src.rpm
      7b53ca017efdd9371c9a6207095a8c2f

    SuSE-6.3
    ftp://ftp.suse.com/pub/suse/i386/update/6.3/n2/hylafax-4.1beta2-252.i386.rpm
      340e64a902a2e3f73b7d1771739c5b59
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/hylafax-4.1beta2-252.src.rpm
      edb05a6191ab7d5533d1d9eb9ef0d255

    Sparc Platform:

    SuSE-7.1
    ftp://ftp.suse.com/pub/suse/sparc/update/7.1/n3/hylafax-4.1beta2-218.sparc.rpm
      1449e568071f5fb6080efebb8f2a7a2b
    source rpm:
    ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/hylafax-4.1beta2-218.src.rpm
      bf8c780206da51bc548e9fd4264b9bfc

    SuSE-7.0
    ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n2/hylafax-4.1beta2-218.sparc.rpm
      bb265465ea8b84ca31b5c954266daf1d
    source rpm:
    ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/hylafax-4.1beta2-218.src.rpm
      b5bcae601fe056f399fc8696aa156529

    AXP Alpha Platform:

    SuSE-7.0
    ftp://ftp.suse.com/pub/suse/axp/update/7.0/n2/hylafax-4.1beta2-211.alpha.rpm
      2ee3176e2b425c494bd37d22f2ea090c
    source rpm:
    ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/hylafax-4.1beta2-211.src.rpm
      f89c3771432d84a3e7c3ab2f4331d73c

    SuSE-6.4
    ftp://ftp.suse.com/pub/suse/axp/update/6.4/n2/hylafax-4.1beta2-211.alpha.rpm
      5aecfb997867f8f72164f27dc220f95b
    source rpm:
    ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/hylafax-4.1beta2-211.src.rpm
      09f1cbb3714dfe75e1aa3ff2a52c13a3

    SuSE-6.3
    ftp://ftp.suse.com/pub/suse/axp/update/6.3/n2/hylafax-4.1beta2-211.alpha.rpm
      39f12bc3f09bab26c60df98a2b52b64e
    source rpm:
    ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/hylafax-4.1beta2-211.src.rpm
      6a48eac9982dfca01a1ed904cacfb2c8

    PPC PowerPC Platform:

    SuSE-7.1
    ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n3/hylafax-4.1beta2-164.ppc.rpm
      a42c7bc70e25a6725d8e2a76870be1d4
    source rpm:
    ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/hylafax-4.1beta2-164.src.rpm
      9c064b869fb7c73f453a254b5f3780be

    SuSE-7.0
    ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n2/hylafax-4.1beta2-165.ppc.rpm
      81387d514f089a7060bc6dacb15358a8
    source rpm:
    ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/hylafax-4.1beta2-165.src.rpm
      35ec2293fb0390cb827935499506ed89

    SuSE-6.4
    ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n2/hylafax-4.1beta2-165.ppc.rpm
      be20c8f1ef2488c8db711744eab2233b
    source rpm:
    ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/hylafax-4.1beta2-165.src.rpm
      4af4d6b8e948b39a1d4040adaad27c0a

______________________________________________________________________________

2) Pending vulnerabilities in SuSE Distributions and Workarounds:

    - Updated man RPMs will be available in a few days.

    - In the past weeks, some security related bugs in the Linux kernel 2.2
      and 2.4 were found. An announcement, that addresses this will be
      released asap.

    - Samba has serveral security problems, which could lead to local root
      access. Samba 2.0.8 fixes these problems. New RPMs are currently being
      built.

______________________________________________________________________________

3) standard appendix:

    SuSE runs two security mailing lists to which any interested party may
    subscribe:

    suse-security@suse.com
        - general/linux/SuSE security discussion.
            All SuSE security announcements are sent to this list.
            To subscribe, send an email to
                <suse-security-subscribe@suse.com>.

    suse-security-announce@suse.com
        - SuSE's announce-only mailing list.
            Only SuSE's security annoucements are sent to this list.
            To subscribe, send an email to
                <suse-security-announce-subscribe@suse.com>.

    For general information or the frequently asked questions (faq)
    send mail to:
        <suse-security-info@suse.com> or
        <suse-security-faq@suse.com> respectively.

    ===============================================
    SuSE's security contact is <security@suse.com>.
    ===============================================

______________________________________________________________________________

    The information in this advisory may be distributed or reproduced,
    provided that the advisory is not modified in any way.
    SuSE GmbH makes no warranties of any kind whatsoever with respect
    to the information contained in this security advisory.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQEVAwUBOuACUHey5gA9JdPZAQHrdwf/TIjn3G879Q4Vb5im5T7CkHr+YF6pGbp4
NjxEM8j8lSPnXy1iJwYRuSV7UT7Jrcqe2lm008IUMD9xN73ybUjnjiG2dzCYfI52
xYImtlzTiAlaGVHtnPGBBj7K3MOLqCQsgr2FkjJ6/LOsdFrBSa2BNEcl+fy/9n72
2+fZN04hdgpkd9uGrbkZPch0XbYYG5Ij54lM2LKBqZ7RcAgtGToR8nJ/vyMCv9kJ
ivPmPX6Jr/CYxw1gKNprpEAV9GiaI70rGDazW7bM9s94LVuEJmOt4bJzVnYzY3wK
cz1UAnHZ3MWM8HmYj3Awl4elBmtFpiYJR8tfrc9pyOPSZir78ZvCdA==
=KFNn
-----END PGP SIGNATURE-----

Bye,
     Thomas

-- 
  Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
  E@mail: thomas@suse.de      Function: Security Support & Auditing
  "lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
  Key fingerprint = 51 AD B9 C7 34 FC F2 54  01 4A 1C D4 66 64 09 84

  Nav
» Read more about: Story Type: Security; Groups: SUSE

« Return to the newswire homepage

This topic does not have any threads posted yet!

You cannot post until you login.