Bugzilla – Bug 47036
VUL-0: CVE-2003-0886: remote root vuln in hylafax
Last modified: 2021-09-27 14:48:07 UTC
Several format string bugs, at least one of them exploitable: --- FileTransfer.c++.orig 2003-10-06 05:13:15.000000000 -0700 +++ FileTransfer.c++ 2003-10-06 05:30:11.000000000 -0700 @@ -556,7 +556,7 @@ } else perror_reply(553, filename, errno); } else - reply(553, emsg); + reply(553, "%s", (const char*)emsg); } /* --- Parser.c++.orig 2003-10-06 05:13:01.000000000 -0700 +++ Parser.c++ 2003-10-06 05:29:14.000000000 -0700 @@ -963,7 +963,7 @@ break; case T_TRIGGER: if (string_param(s, "trigger-spec")) { - logcmd(t, s); + logcmd(t, "%s", (const char*)s); triggerCmd("%s", (const char*) s); return (true); } --- SNPPServer.c++.orig 2003-10-06 05:13:48.000000000 -0700 +++ SNPPServer.c++ 2003-10-06 05:13:37.000000000 -0700 @@ -849,7 +849,7 @@ fxStr emsg; u_int seqnum = getDocumentNumbers(1, emsg); if (seqnum == (u_int) -1) { - reply(554, emsg); + reply(554, "%s", (const char*)emsg); return; } msgFile = fxStr::format("/%s/doc%u.page", FAX_TMPDIR, seqnum); @@ -1053,7 +1053,7 @@ fxStr emsg; u_int seqnum = getDocumentNumbers(1, emsg); if (seqnum == (u_int) -1) { - reply(554, emsg); + reply(554, "%s", (const char*)emsg); return; }
<!-- SBZ_reproduce --> Enter on port 4559: site trigger %s%s%s%s%s%s%s%s
OK I can fix it. How important is it, e.g. which SL version should be updated ?
We should update 7.3-9.0 if affected. Is this maintained?
Good question, the package is in maintained products, but I really don't know if that is enough to be maintained. At all I would suggest if we fix all these version to update all to the same base version, that reduce work and also make maintainance lot easier in future. Comments ?
To answer the first question: Yes, it is enough, unfortunately. To the second question: Since these bugs are rather easy to fix, the answer will simply be no. It is conceivable that a newer version will bring about more hassles and testing complexity/cost than the old packages with the fix applied. For clarification, I'm adding rf@ to Cc: to make it possible to add a comment here. Roman.
OK, I have make packages for 7.3 8.0 8.1 sles8 8.2 9.0 (inclusiv bugfix 32136) based on current versions of these dists. All are building (execept sles8-ppc64 which also not build with the original package). I only tested 9.0 for normal function. Should I put them into done ?
9.0, too, yes. You need putonftp files to turn in with the packages, like the following (do not forget to change the string to match the distribution version!): ALL 7.3-ALL %UPDATE7.3 dxp Security update: This update fixes some format string errors in the hylafax package that may allow an attacker to gain root privileges. EOT Sicherheitsupdate für das hylafax Paket: Einige format string Fehler, die einem Angreifer zu root-Rechten verhelfen können, wurden behoben. EOT Thanks for the packages!
They are in done now with putonftp, is for SLES8 a second putonftp needed or is the 8.1 version enough ?
I will create the patchinfo now.
Sebastian, is there a laufzettel for hylafax?
yes. We wait for QA.
CAN-2003-0886 should be used.
Advisory send out. Case closed :)
CVE-2003-0886: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)