From thomas@SUSE.DE Sat Apr 21 10:31:21 2001 From: Thomas Biege To: BUGTRAQ@SECURITYFOCUS.COM Date: Fri, 20 Apr 2001 11:39:14 +0200 Subject: [BUGTRAQ] SuSE Security Announcement: hylafax (SuSE-SA:2001:15) -----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SuSE Security Announcement Package: hylafax Announcement-ID: SuSE-SA:2001:15 Date: Friday, April 20th, 2001 10.26 MEST Affected SuSE versions: [6.1, 6.2,] 6.3, 6.4, 7.0, 7.1 Vulnerability Type: local root compromise Severity (1-10): 7 SuSE default package: no Other affected systems: all systems using hylafax Content of this advisory: 1) security vulnerability resolved: hylafax problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds 3) standard appendix (further information) ______________________________________________________________________________ 1) problem description, brief discussion, solution, upgrade information The HylaFax program hfaxd(8c) implements the server part of the HylaFax package. It is started either by inetd(8) or runs in standalone mode. hfaxd(8c) offers three different protocols to process fax jobs. When hfaxd(8c) tries to change to it's queue directory and fails, it prints an error message via syslog by directly passing user supplied data as format string. As long as hfaxd(8c) is installed setuid root, this behavior could be exploited to gain root access locally. As a workaround remove the setuid bit: /bin/chmod u-s /usr/lib/fax/hfaxd or restrict access to trusted users only: /bin/chown root.trusted /usr/lib/fax/hfaxd /bin/chmod 4750 /usr/lib/fax/hfaxd Download the update package from locations described below and install the package with the command `rpm -Uhv file.rpm'. The md5sum for each file is in the line below. You can verify the integrity of the rpm files using the command `rpm --checksig --nogpg file.rpm', independently from the md5 signatures below. i386 Intel Platform: SuSE-7.1 ftp://ftp.suse.com/pub/suse/i386/update/7.1/n3/hylafax-4.1beta2-251.i386.rpm a3d5d0d5a8977852b02dc9b7352054aa source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/hylafax-4.1beta2-251.src.rpm b5c8877de53db86eabfae932142221d7 SuSE-7.0 ftp://ftp.suse.com/pub/suse/i386/update/7.0/n2/hylafax-4.1beta2-254.i386.rpm 5be3094195a789d83b02d59ab343d7b5 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/hylafax-4.1beta2-254.src.rpm 87ee1d77eea95eac74c6b8355912ad9f SuSE-6.4 ftp://ftp.suse.com/pub/suse/i386/update/6.4/n2/hylafax-4.1beta2-253.i386.rpm 90a894b8d47a94125992f3a64a6ada44 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/hylafax-4.1beta2-253.src.rpm 7b53ca017efdd9371c9a6207095a8c2f SuSE-6.3 ftp://ftp.suse.com/pub/suse/i386/update/6.3/n2/hylafax-4.1beta2-252.i386.rpm 340e64a902a2e3f73b7d1771739c5b59 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/hylafax-4.1beta2-252.src.rpm edb05a6191ab7d5533d1d9eb9ef0d255 Sparc Platform: SuSE-7.1 ftp://ftp.suse.com/pub/suse/sparc/update/7.1/n3/hylafax-4.1beta2-218.sparc.rpm 1449e568071f5fb6080efebb8f2a7a2b source rpm: ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/hylafax-4.1beta2-218.src.rpm bf8c780206da51bc548e9fd4264b9bfc SuSE-7.0 ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n2/hylafax-4.1beta2-218.sparc.rpm bb265465ea8b84ca31b5c954266daf1d source rpm: ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/hylafax-4.1beta2-218.src.rpm b5bcae601fe056f399fc8696aa156529 AXP Alpha Platform: SuSE-7.0 ftp://ftp.suse.com/pub/suse/axp/update/7.0/n2/hylafax-4.1beta2-211.alpha.rpm 2ee3176e2b425c494bd37d22f2ea090c source rpm: ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/hylafax-4.1beta2-211.src.rpm f89c3771432d84a3e7c3ab2f4331d73c SuSE-6.4 ftp://ftp.suse.com/pub/suse/axp/update/6.4/n2/hylafax-4.1beta2-211.alpha.rpm 5aecfb997867f8f72164f27dc220f95b source rpm: ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/hylafax-4.1beta2-211.src.rpm 09f1cbb3714dfe75e1aa3ff2a52c13a3 SuSE-6.3 ftp://ftp.suse.com/pub/suse/axp/update/6.3/n2/hylafax-4.1beta2-211.alpha.rpm 39f12bc3f09bab26c60df98a2b52b64e source rpm: ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/hylafax-4.1beta2-211.src.rpm 6a48eac9982dfca01a1ed904cacfb2c8 PPC PowerPC Platform: SuSE-7.1 ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n3/hylafax-4.1beta2-164.ppc.rpm a42c7bc70e25a6725d8e2a76870be1d4 source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/hylafax-4.1beta2-164.src.rpm 9c064b869fb7c73f453a254b5f3780be SuSE-7.0 ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n2/hylafax-4.1beta2-165.ppc.rpm 81387d514f089a7060bc6dacb15358a8 source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/hylafax-4.1beta2-165.src.rpm 35ec2293fb0390cb827935499506ed89 SuSE-6.4 ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n2/hylafax-4.1beta2-165.ppc.rpm be20c8f1ef2488c8db711744eab2233b source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/hylafax-4.1beta2-165.src.rpm 4af4d6b8e948b39a1d4040adaad27c0a ______________________________________________________________________________ 2) Pending vulnerabilities in SuSE Distributions and Workarounds: - Updated man RPMs will be available in a few days. - In the past weeks, some security related bugs in the Linux kernel 2.2 and 2.4 were found. An announcement, that addresses this will be released asap. - Samba has serveral security problems, which could lead to local root access. Samba 2.0.8 fixes these problems. New RPMs are currently being built. ______________________________________________________________________________ 3) standard appendix: SuSE runs two security mailing lists to which any interested party may subscribe: suse-security@suse.com - general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to . suse-security-announce@suse.com - SuSE's announce-only mailing list. Only SuSE's security annoucements are sent to this list. To subscribe, send an email to . For general information or the frequently asked questions (faq) send mail to: or respectively. =============================================== SuSE's security contact is . =============================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. SuSE GmbH makes no warranties of any kind whatsoever with respect to the information contained in this security advisory. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQEVAwUBOuACUHey5gA9JdPZAQHrdwf/TIjn3G879Q4Vb5im5T7CkHr+YF6pGbp4 NjxEM8j8lSPnXy1iJwYRuSV7UT7Jrcqe2lm008IUMD9xN73ybUjnjiG2dzCYfI52 xYImtlzTiAlaGVHtnPGBBj7K3MOLqCQsgr2FkjJ6/LOsdFrBSa2BNEcl+fy/9n72 2+fZN04hdgpkd9uGrbkZPch0XbYYG5Ij54lM2LKBqZ7RcAgtGToR8nJ/vyMCv9kJ ivPmPX6Jr/CYxw1gKNprpEAV9GiaI70rGDazW7bM9s94LVuEJmOt4bJzVnYzY3wK cz1UAnHZ3MWM8HmYj3Awl4elBmtFpiYJR8tfrc9pyOPSZir78ZvCdA== =KFNn -----END PGP SIGNATURE----- Bye, Thomas -- Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: thomas@suse.de Function: Security Support & Auditing "lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka" Key fingerprint = 51 AD B9 C7 34 FC F2 54 01 4A 1C D4 66 64 09 84