The HylaFax program hfaxd(8c) implements the server part of the HylaFax package. It is started either by inetd(8) or runs in standalone mode. hfaxd(8c) offers three different protocols to process fax jobs. When hfaxd(8c) tries to change to it's queue directory and fails, it prints an error message via syslog by directly passing user supplied data as format string. As long as hfaxd(8c) is installed setuid root, this behavior could be exploited to gain root access locally.
|
|
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SuSE Security Announcement
Package: hylafax
Announcement-ID: SuSE-SA:2001:15
Date: Friday, April 20th, 2001 10.26 MEST
Affected SuSE versions: [6.1, 6.2,] 6.3, 6.4, 7.0, 7.1
Vulnerability Type: local root compromise
Severity (1-10): 7
SuSE default package: no
Other affected systems: all systems using hylafax
Content of this advisory:
1) security vulnerability resolved: hylafax
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
The HylaFax program hfaxd(8c) implements the server part of the
HylaFax package. It is started either by inetd(8) or runs in
standalone mode. hfaxd(8c) offers three different protocols to
process fax jobs.
When hfaxd(8c) tries to change to it's queue directory and fails,
it prints an error message via syslog by directly passing user
supplied data as format string. As long as hfaxd(8c) is installed
setuid root, this behavior could be exploited to gain root access
locally.
As a workaround remove the setuid bit:
/bin/chmod u-s /usr/lib/fax/hfaxd
or restrict access to trusted users only:
/bin/chown root.trusted /usr/lib/fax/hfaxd
/bin/chmod 4750 /usr/lib/fax/hfaxd
Download the update package from locations described below and install
the package with the command `rpm -Uhv file.rpm'. The md5sum for each
file is in the line below. You can verify the integrity of the rpm
files using the command
`rpm --checksig --nogpg file.rpm',
independently from the md5 signatures below.
i386 Intel Platform:
SuSE-7.1
ftp://ftp.suse.com/pub/suse/i386/update/7.1/n3/hylafax-4.1beta2-251.i386.rpm
a3d5d0d5a8977852b02dc9b7352054aa
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/hylafax-4.1beta2-251.src.rpm
b5c8877de53db86eabfae932142221d7
SuSE-7.0
ftp://ftp.suse.com/pub/suse/i386/update/7.0/n2/hylafax-4.1beta2-254.i386.rpm
5be3094195a789d83b02d59ab343d7b5
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/hylafax-4.1beta2-254.src.rpm
87ee1d77eea95eac74c6b8355912ad9f
SuSE-6.4
ftp://ftp.suse.com/pub/suse/i386/update/6.4/n2/hylafax-4.1beta2-253.i386.rpm
90a894b8d47a94125992f3a64a6ada44
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/hylafax-4.1beta2-253.src.rpm
7b53ca017efdd9371c9a6207095a8c2f
SuSE-6.3
ftp://ftp.suse.com/pub/suse/i386/update/6.3/n2/hylafax-4.1beta2-252.i386.rpm
340e64a902a2e3f73b7d1771739c5b59
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/hylafax-4.1beta2-252.src.rpm
edb05a6191ab7d5533d1d9eb9ef0d255
Sparc Platform:
SuSE-7.1
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/n3/hylafax-4.1beta2-218.sparc.rpm
1449e568071f5fb6080efebb8f2a7a2b
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/hylafax-4.1beta2-218.src.rpm
bf8c780206da51bc548e9fd4264b9bfc
SuSE-7.0
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n2/hylafax-4.1beta2-218.sparc.rpm
bb265465ea8b84ca31b5c954266daf1d
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/hylafax-4.1beta2-218.src.rpm
b5bcae601fe056f399fc8696aa156529
AXP Alpha Platform:
SuSE-7.0
ftp://ftp.suse.com/pub/suse/axp/update/7.0/n2/hylafax-4.1beta2-211.alpha.rpm
2ee3176e2b425c494bd37d22f2ea090c
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/hylafax-4.1beta2-211.src.rpm
f89c3771432d84a3e7c3ab2f4331d73c
SuSE-6.4
ftp://ftp.suse.com/pub/suse/axp/update/6.4/n2/hylafax-4.1beta2-211.alpha.rpm
5aecfb997867f8f72164f27dc220f95b
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/hylafax-4.1beta2-211.src.rpm
09f1cbb3714dfe75e1aa3ff2a52c13a3
SuSE-6.3
ftp://ftp.suse.com/pub/suse/axp/update/6.3/n2/hylafax-4.1beta2-211.alpha.rpm
39f12bc3f09bab26c60df98a2b52b64e
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/hylafax-4.1beta2-211.src.rpm
6a48eac9982dfca01a1ed904cacfb2c8
PPC PowerPC Platform:
SuSE-7.1
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n3/hylafax-4.1beta2-164.ppc.rpm
a42c7bc70e25a6725d8e2a76870be1d4
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/hylafax-4.1beta2-164.src.rpm
9c064b869fb7c73f453a254b5f3780be
SuSE-7.0
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n2/hylafax-4.1beta2-165.ppc.rpm
81387d514f089a7060bc6dacb15358a8
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/hylafax-4.1beta2-165.src.rpm
35ec2293fb0390cb827935499506ed89
SuSE-6.4
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n2/hylafax-4.1beta2-165.ppc.rpm
be20c8f1ef2488c8db711744eab2233b
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/hylafax-4.1beta2-165.src.rpm
4af4d6b8e948b39a1d4040adaad27c0a
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
- Updated man RPMs will be available in a few days.
- In the past weeks, some security related bugs in the Linux kernel 2.2
and 2.4 were found. An announcement, that addresses this will be
released asap.
- Samba has serveral security problems, which could lead to local root
access. Samba 2.0.8 fixes these problems. New RPMs are currently being
built.
______________________________________________________________________________
3) standard appendix:
SuSE runs two security mailing lists to which any interested party may
subscribe:
suse-security@suse.com
- general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe@suse.com>.
suse-security-announce@suse.com
- SuSE's announce-only mailing list.
Only SuSE's security annoucements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe@suse.com>.
For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info@suse.com> or
<suse-security-faq@suse.com> respectively.
===============================================
SuSE's security contact is <security@suse.com>.
===============================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way.
SuSE GmbH makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
iQEVAwUBOuACUHey5gA9JdPZAQHrdwf/TIjn3G879Q4Vb5im5T7CkHr+YF6pGbp4
NjxEM8j8lSPnXy1iJwYRuSV7UT7Jrcqe2lm008IUMD9xN73ybUjnjiG2dzCYfI52
xYImtlzTiAlaGVHtnPGBBj7K3MOLqCQsgr2FkjJ6/LOsdFrBSa2BNEcl+fy/9n72
2+fZN04hdgpkd9uGrbkZPch0XbYYG5Ij54lM2LKBqZ7RcAgtGToR8nJ/vyMCv9kJ
ivPmPX6Jr/CYxw1gKNprpEAV9GiaI70rGDazW7bM9s94LVuEJmOt4bJzVnYzY3wK
cz1UAnHZ3MWM8HmYj3Awl4elBmtFpiYJR8tfrc9pyOPSZir78ZvCdA==
=KFNn
-----END PGP SIGNATURE-----
Bye,
Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 51 AD B9 C7 34 FC F2 54 01 4A 1C D4 66 64 09 84 |