Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: CVE-2003-0886: remote root vuln in hylafax | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Sebastian Krahmer <krahmer> |
| Component: | Incidents | Assignee: | Karsten Keil <karsten.keil> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Major | ||
| Priority: | P3 - Medium | CC: | rf, security-team |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | CVE-2003-0886: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) | ||
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Enter on port 4559: site trigger %s%s%s%s%s%s%s%s

OK, I can fix it. How important is it, e.g. which SL version should be updated?

We should update 7.3-9.0 if affected. Is this maintained?

Good question. The package is in maintained products, but I really don't know if that is enough to be maintained. Overall, I would suggest that if we fix all these versions, we update them all to the same base version; that reduces work and also makes maintenance a lot easier in future. Comments?

To answer the first question: Yes, it is enough, unfortunately. To the second question: Since these bugs are rather easy to fix, the answer will simply be no. It is conceivable that a newer version will bring about more hassles and testing complexity/cost than the old packages with the fix applied. For clarification, I'm adding rf@ to Cc: to make it possible to add a comment here. Roman.

OK, I have made packages for 7.3, 8.0, 8.1, sles8, 8.2 and 9.0 (including bugfix 32136) based on the current versions of these dists. All are building (except sles8-ppc64, which also does not build with the original package). I only tested 9.0 for normal function. Should I put them into done?

9.0, too, yes. You need putonftp files to turn in with the packages, like the following (do not forget to change the string to match the distribution version!):

ALL 7.3-ALL %UPDATE7.3 dxp Security update: This update fixes some format string errors in the hylafax package that may allow an attacker to gain root privileges. EOT Sicherheitsupdate für das hylafax Paket: Einige format string Fehler, die einem Angreifer zu root-Rechten verhelfen können, wurden behoben. EOT

Thanks for the packages!

They are in done now with putonftp. Is a second putonftp needed for SLES8, or is the 8.1 version enough?

I will create the patchinfo now. Sebastian, is there a laufzettel for hylafax?

Yes. We wait for QA. CAN-2003-0886 should be used.

Advisory sent out. Case closed :)

CVE-2003-0886: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Several format string bugs, at least one of them exploitable: --- FileTransfer.c++.orig 2003-10-06 05:13:15.000000000 -0700 +++ FileTransfer.c++ 2003-10-06 05:30:11.000000000 -0700 @@ -556,7 +556,7 @@ } else perror_reply(553, filename, errno); } else - reply(553, emsg); + reply(553, "%s", (const char*)emsg); } /* --- Parser.c++.orig 2003-10-06 05:13:01.000000000 -0700 +++ Parser.c++ 2003-10-06 05:29:14.000000000 -0700 @@ -963,7 +963,7 @@ break; case T_TRIGGER: if (string_param(s, "trigger-spec")) { - logcmd(t, s); + logcmd(t, "%s", (const char*)s); triggerCmd("%s", (const char*) s); return (true); } --- SNPPServer.c++.orig 2003-10-06 05:13:48.000000000 -0700 +++ SNPPServer.c++ 2003-10-06 05:13:37.000000000 -0700 @@ -849,7 +849,7 @@ fxStr emsg; u_int seqnum = getDocumentNumbers(1, emsg); if (seqnum == (u_int) -1) { - reply(554, emsg); + reply(554, "%s", (const char*)emsg); return; } msgFile = fxStr::format("/%s/doc%u.page", FAX_TMPDIR, seqnum); @@ -1053,7 +1053,7 @@ fxStr emsg; u_int seqnum = getDocumentNumbers(1, emsg); if (seqnum == (u_int) -1) { - reply(554, emsg); + reply(554, "%s", (const char*)emsg); return; }
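Review bot: In the FileTransfer.c++ hunk at -556, the unchanged context line `perror_reply(553, filename, errno);` still passes `filename` straight through, and nothing in the patch shows whether perror_reply treats that argument as a format string or as plain data. Since the neighbouring `reply(553, emsg)` needed the "%s" fix, please confirm perror_reply formats its string argument with a fixed "%s" internally. If it does not, it needs the same treatment in this patch.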
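Review bot: In the Parser.c++ hunk at -963, `logcmd(t, s)` was missed even though the very next line, `triggerCmd("%s", (const char*) s);`, already used the safe form, so fixing call sites one at a time is not a reliable way to catch these. Consider declaring logcmd, reply and triggerCmd with the compiler's printf format attribute and building with format warnings enabled, so any remaining or future call that passes a non-literal format is flagged at compile time. Minor style point: the added line writes `(const char*)s` while the context line writes `(const char*) s`; pick one spacing.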
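Review bot: The two SNPPServer.c++ hunks at -849 and -1053 patch an identical sequence (`getDocumentNumbers(1, emsg)`, the `(u_int) -1` check, then `reply(554, emsg)`), which is duplicated code that had the same bug twice. Consider moving that sequence into one helper that returns the sequence number and sends the 554 reply on failure, so the "%s" fix lives in a single place. It is also worth searching the rest of the server sources for other `reply(code, emsg)` calls with an fxStr as the format argument, since this patch only covers the sites listed here.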