COMMAND
HylaFAX
SYSTEMS AFFECTED
HylaFAX server v4.1 beta2
PROBLEM
Marcin Dawcewicz found following. He has found classical format
bug while hge was playing with HylaFAX server (v4.1 beta2):
$ [ -u /usr/sbin/hfaxd ] && /usr/sbin/hfaxd -q '%n%n'
Segmentation fault
It crashes while calling syslog() with user supplied fmt. Looks
nasty.
No working exploit,
SOLUTION
A patch to address the problem may be found at:
http://www.hylafax.org/patches/hfaxd-vulnerability.patch
This patch fixes the problem, and also removes the suid bit from
the hfaxd binary. Anyone experiencing problems as a result of
this change please contact bugs@hylafax.org.
They intend to release a beta-4 very soon which will include the
above fix. In the meantime, if you are unable to upgrade or
rebuild HylaFAX from patched source, they recommend that you
remove the suid root bit from the hfaxd executable:
chmod a-s /usr/sbin/hfaxd (or whatever your path is)
For SuSE Linux:
ftp://ftp.suse.com/pub/suse/i386/update/7.1/n3/hylafax-4.1beta2-251.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/hylafax-4.1beta2-251.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/n2/hylafax-4.1beta2-254.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/hylafax-4.1beta2-254.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/n2/hylafax-4.1beta2-253.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/hylafax-4.1beta2-253.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/n2/hylafax-4.1beta2-252.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/hylafax-4.1beta2-252.src.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/n3/hylafax-4.1beta2-218.sparc.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/hylafax-4.1beta2-218.src.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n2/hylafax-4.1beta2-218.sparc.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/hylafax-4.1beta2-218.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/7.0/n2/hylafax-4.1beta2-211.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/hylafax-4.1beta2-211.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/n2/hylafax-4.1beta2-211.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/hylafax-4.1beta2-211.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/n2/hylafax-4.1beta2-211.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/hylafax-4.1beta2-211.src.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n3/hylafax-4.1beta2-164.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/hylafax-4.1beta2-164.src.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n2/hylafax-4.1beta2-165.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/hylafax-4.1beta2-165.src.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n2/hylafax-4.1beta2-165.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/hylafax-4.1beta2-165.src.rpm
For Linux Mandrake:
Linux-Mandrake 7.1: 7.1/RPMS/hylafax-4.1-0.10mdk.i586.rpm
7.1/RPMS/hylafax-client-4.1-0.10mdk.i586.rpm
7.1/RPMS/hylafax-server-4.1-0.10mdk.i586.rpm
7.1/SRPMS/hylafax-4.1-0.10mdk.src.rpm
Linux-Mandrake 7.2: 7.2/RPMS/hylafax-4.1-0.9mdk.i586.rpm
7.2/RPMS/hylafax-client-4.1-0.9mdk.i586.rpm
7.2/RPMS/hylafax-server-4.1-0.9mdk.i586.rpm
7.2/SRPMS/hylafax-4.1-0.9mdk.src.rpm
Corporate Server 1.0.1: 1.0.1/RPMS/hylafax-4.1-0.10mdk.i586.rpm
1.0.1/RPMS/hylafax-client-4.1-0.10mdk.i586.rpm
1.0.1/RPMS/hylafax-server-4.1-0.10mdk.i586.rpm
1.0.1/SRPMS/hylafax-4.1-0.10mdk.src.rpm
For FreeBSD:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/comms/hylafax-4.1.b2_2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/comms/hylafax-4.1.b2_2.tgz