Bug#: 116389
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>

Attachments:
  faxrcvd-eval-vulnerability.patch  (patch, Sune Kloppenborg Jeppesen, 2005-12-22 07:11, 831 bytes)
  notify-eval-vulnerability.patch   (patch, Sune Kloppenborg Jeppesen, 2005-12-22 07:11, 1.99 KB)
  hylafax-4.2.3.ebuild  updated hylafax-4.2.3 ebuild  (text/plain, Steve Arnold, 2005-12-27 10:15, 3.83 KB)


Description:   Opened: 2005-12-22 07:10 0000
Vendors,

We would like to coordinate a security release for HylaFAX.

HylaFAX version 4.2.3 has 2 vulnerabilities which are important.

On Dec. 12, a user noticed that when PAM is disabled, a user could log
in with no password.  This bug was confirmed and fixed in CVS.  I
believe most HylaFAX installations would have PAM enabled, so this
shouldn't affect most users.  If PAM is disabled, any password can be
used to log in to HylaFAX as a valid user (HylaFAX user, not system
user) from a client authorised for that user.

A more serious issue was recently found by Patrice Fournier
<patrice.fournier@ifax.com> where the faxrcvd/notify scripts (executed as the
uucp/fax user) run user-supplied input through eval without any attempt at
sanitising it first.  This would allow any user who could submit jobs to
HylaFAX, or through telco manipulation control the representation of
callid information presented to HylaFAX to run arbitrary commands as the
uucp/fax user.

Our proposed release date is on Wednesday, Jan 4.   Public exposure of
the vulnerability could, although unlikely, surface (most likely on the
hylafax-users or hylafax-devel mailing lists) from outside sources
before the 4th.  If such occurred, then we would re-contact you with
that information and release immediately.

Attached are our patches for this vulnerability.  If you find problems
with the patches, or have problems with the proposed release date, then
please reply to all addresses on this e-mail.

We will not commit these patches to HylaFAX CVS until the release date.
We were hoping to cut a 4.2.4 in the near future anyway, so we have
entered a release cycle for 4.2.4 involving at least 1 beta and an RC.
None of these releases will contain the attached patches.  They will be
applied to CVS only on the release date immediately prior to the
release.

The HylaFAX Bugzilla report for Bug 719 discussing this is a private
bug, and will not be open to public access until the release.

Following below, I've included the text of our future
announcement which will be made on the date of the release.

Thank you for including HylaFAX in your distributions.

Aidan Van Dyk,
HylaFAX developer

=============================================================
HylaFAX security advisory
4 Jan 2006

Subject:  HylaFAX hfaxd and notify/faxrcvd vulnerabilities

Introduction:

HylaFAX is a mature (est. 1991) enterprise-class open-source software
package for sending and receiving facsimiles as well as for sending
alpha-numeric pages.  It runs on a wide variety of UNIX-like platforms
including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX,
AIX, and HP-UX.  See http://www.hylafax.org


Problem Descriptions and Impact:

1. HylaFAX hfaxd will allow any password when compiled with PAM support
disabled.

Only HylaFAX version 4.2.3 is vulnerable.

This vulnerability was mentioned by Dileep <dileep@networkgulf.com>
on the hylafax-users mailing list on December 12, was picked up and
confirmed by Lee Horward and a fix was provided the same day by Todd
Lipcon. The fix was committed to CVS-HEAD on December 15.

This vulnerability has been assigned CVE-XXXX-XXXX.

2. HylaFAX notify script passes unsanitised user-supplied data to eval,
allowing remote attackers to execute arbitrary commands. The data needs
to be part of a submitted job and as such, attackers must have access to submit
faxes to the server in order to exploit this
vulnerability.

HylaFAX versions 4.2.0 up to 4.2.3 are vulnerable. Prior versions used
an awk notify script that was not vulnerable. This vulnerability was
discovered and fixed by Patrice Fournier of iFAX Solutions, Inc.

This vulnerability has been assigned CVE-XXXX-XXXX.

3. HylaFAX faxrcvd script passes unsanitised user-supplied data to eval,
allowing remote attackers to execute arbitrary commands. CallID
(CIDName/CIDNumber) must be configured on the server and the attackers
must have access to submit non alphanumeric characters as CallID data
(which may not be possible for most configurations) in order to exploit
this vulnerability.

HylaFAX versions 4.2.2 and 4.2.3 are vulnerable. Prior versions didn't
support a variable number of CallID parameters. This vulnerability was
discovered and fixed by Patrice Fournier of iFAX Solutions, Inc.

This vulnerability has been assigned CVE-XXXX-XXXX.


Status:

HylaFAX.org has released HylaFAX version 4.2.4 which includes changes
to fix each of these problems.  All HylaFAX users are strongly
encouraged to upgrade.  The HylaFAX 4.2.4 source code is available at

   ftp://ftp.hylafax.org/source/hylafax-4.2.4.tar.gz

In the event that upgrading to 4.2.4 is not appropriate, the patches to
fix those vulnerabilities are available at the following bug reports:

   http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=682
   http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=719

If PAM support is NOT enabled and upgrading or patching is not possible,
firewalling techniques restricting access to port 4559 are strongly
encouraged. As the patches to faxrcvd and notify are simple changes to
shell scripts, you should apply those patches in either case.

No abuse of these vulnerabilities is known to HylaFAX development.

Thanks,

The vendor-sec mailing list was notified on 21st December, and HylaFAX
CVS-HEAD was updated on 15 December for the PAM-disabled login
vulnerability and on XX December for the other two vulnerabilities.

Patrice Fournier
HylaFAX developer
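
The eval pattern the advisory above describes (faxrcvd/notify building shell assignments from job and CallID fields) as an added shell example; this is constructed illustration, not HylaFAX's own scripts or the attached patches. `unsafe_assign` reproduces the bug class, `callid_is_clean` and `safe_assign` are the hardened form; the function names, the allowed character set and the sample values are assumptions for this example.

```shell
# Added illustration of the bug class in the advisory above; constructed
# example, not HylaFAX's faxrcvd/notify or the attached patches.

# VULNERABLE pattern: the field value is pasted into the text that eval
# parses, so ';', backticks, '$(...)' and similar in the value become code.
unsafe_assign() {            # unsafe_assign NAME VALUE
    eval "$1=$2"
}

# Allow-list check for CallID-style data. The character set is an
# assumption for this example (letters, digits and a little punctuation);
# anything else, including every shell metacharacter, is rejected.
callid_is_clean() {          # returns 0 if VALUE is acceptable, 1 otherwise
    case "$1" in
        "" | *[!A-Za-z0-9._+@-]*) return 1 ;;
    esac
    return 0
}

# HARDENED pattern: validate NAME as an identifier and VALUE against the
# allow-list, then let eval parse only the text "NAME=$2". The value is
# expanded after parsing, so it is stored verbatim, never run as code.
safe_assign() {              # safe_assign NAME VALUE -> 0 ok, 1 bad value, 2 bad name
    case "$1" in
        "" | [0-9]* | *[!A-Za-z0-9_]*) return 2 ;;
    esac
    callid_is_clean "$2" || return 1
    eval "$1=\$2"
}
```

The allow-list alone would already stop the injection; the `eval "$1=\$2"` form is the second, independent layer that keeps eval from parsing field data even if the list is later loosened.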

------- Comment #1 From Sune Kloppenborg Jeppesen 2005-12-22 07:11:14 0000 -------
Created an attachment (id=75327)
faxrcvd-eval-vulnerability.patch

------- Comment #2 From Sune Kloppenborg Jeppesen 2005-12-22 07:11:46 0000 -------
Created an attachment (id=75328)
notify-eval-vulnerability.patch

------- Comment #3 From Sune Kloppenborg Jeppesen 2005-12-22 07:15:52 0000 -------
Steve please attach an updated ebuild. Do NOT commit anything to portage at
this point.

------- Comment #4 From Steve Arnold 2005-12-27 10:15:59 0000 -------
Created an attachment (id=75617)
updated hylafax-4.2.3 ebuild

Hylafax-4.2.3 ebuild updated with the following patches:

hylafax-4.2.3-faxrcvd-eval-vulnerability.patch
hylafax-4.2.3-notify-eval-vulnerability.patch

------- Comment #5 From Sune Kloppenborg Jeppesen 2005-12-27 12:12:27 0000 -------
Thx Steve. 

Arch Liaisons please test and report on this bug.

------- Comment #6 From Mark Loeser 2005-12-27 22:20:10 0000 -------
I don't have any hardware to be able to "actually" test this, but it looks like
it works on x86 :)

------- Comment #7 From Simon Stelling (RETIRED) 2005-12-28 03:35:17 0000 -------
As far as I can test it looks fine on amd64 too, but I don't have the hardware
either. AFAIR kingtaco has, so I'm cc'ing him hereby :)

------- Comment #8 From Gustavo Zacarias (RETIRED) 2005-12-28 07:18:25 0000 -------
sparc looks sane too.

------- Comment #9 From Mike Doty 2005-12-28 09:57:09 0000 -------
looks sane for amd64

------- Comment #10 From Bryan Østergaard (RETIRED) 2005-12-30 07:34:14 0000 -------
CC'ing ferdy for alpha as I probably won't be around until January 2nd or 3rd.

------- Comment #11 From Fernando J. Pereda (RETIRED) 2005-12-31 03:31:05 0000 -------
looks fine on alpha too

------- Comment #12 From Michael Hanselmann (hansmi) (RETIRED) 2005-12-31 03:33:56 0000 -------
Good for ppc

------- Comment #13 From Sune Kloppenborg Jeppesen 2005-12-31 04:00:15 0000 -------
Only hppa left to check.

------- Comment #14 From Michael Hanselmann (hansmi) (RETIRED) 2005-12-31 04:19:29 0000 -------
Sorry, forgot to write that hppa's okay, too.

------- Comment #15 From Thierry Carrez (RETIRED) 2005-12-31 05:10:41 0000 -------
Ready to commit directly as stable on security-supported arches, GLSA must be
drafted

------- Comment #16 From Michael Hanselmann (hansmi) (RETIRED) 2006-01-02 10:16:31 0000 -------
hansmi -> killerfox for hppa,
hansmi -> dertobi123 for ppc

------- Comment #17 From Thierry Carrez (RETIRED) 2006-01-04 01:05:29 0000 -------
Steve, this should be announced on Hylafax website sometime today, please get
ready to commit with the following approved keywords :

KEYWORDS="x86 sparc hppa alpha amd64 ppc"

We'll wait for the official announcement to commit the ebuild.

------- Comment #18 From Steve Arnold 2006-01-04 23:54:30 0000 -------
I assume you mean this announcement:

Subject: [hylafax-announce] **ANNOUNCE** HylaFAX 4.2.4 Now Available

Both 4.2.4 (straight) and patched 4.2.3 are now in portage; how did you want to
handle the older versions?  How far back do these issues go?  I have the flu,
so I'm kinda slow right now...

------- Comment #19 From Thierry Carrez (RETIRED) 2006-01-05 00:41:52 0000 -------
Thx for the ebuilds.
You can keyword 4.2.3-r1 with :
  KEYWORDS="x86 sparc hppa alpha amd64 ppc"
since it has been OKed by the appropriate arch security contacts.

About removing old versions, we don't really care as it won't really make users
safer. Here is the affected versions rundown :

hfaxd allows any password when USE=pam --> Only version 4.2.3 is vulnerable
notify unsanitised user-supplied data --> versions 4.2.0 up to 4.2.3 are
vulnerable
faxrcvd unsanitised user-supplied data --> versions 4.2.2 and 4.2.3 are
vulnerable

Feel free to clean up as you deem appropriate.

------- Comment #20 From Steve Arnold 2006-01-05 19:03:16 0000 -------
Updated and cleaned...

------- Comment #21 From Sune Kloppenborg Jeppesen 2006-01-05 22:17:33 0000 -------
Thx, this one is ready for GLSA.

------- Comment #22 From Sune Kloppenborg Jeppesen 2006-01-07 13:01:19 0000 -------
GLSA 200601-03
