Vendors,

We would like to coordinate a security release for HylaFAX. HylaFAX version 4.2.3 has 2 vulnerabilities which are important.

On Dec 12, a user noticed that when PAM is disabled, a user could log in with no password. This bug was confirmed and fixed in CVS. I believe most HylaFAX installations would have PAM enabled, so this shouldn't affect most users. If PAM is disabled, any password can be used to log in to HylaFAX as a valid user (HylaFAX user, not system user) from a client authorised for that user.

A more serious issue was recently found by Patrice Fournier <patrice.fournier@ifax.com> where the faxrcvd/notify scripts (executed as the uucp/fax user) run user-supplied input through eval without any attempt at sanitising it first. This would allow any user who could submit jobs to HylaFAX, or who could through telco manipulation control the representation of callid information presented to HylaFAX, to run arbitrary commands as the uucp/fax user.

Our proposed release date is on Wednesday, Jan 4. Public exposure of the vulnerability could, although unlikely, surface (most likely on the hylafax-users or hylafax-devel mailing lists) from outside sources before the 4th. If such occurred, then we would re-contact you with that information and release immediately.

Attached are our patches for this vulnerability. If you find problems with the patches, or have problems with the proposed release date, then please reply to all addresses on this e-mail. We will not commit these patches to HylaFAX CVS until the release date. We were hoping to cut a 4.2.4 in the near future anyway, so we have entered a release cycle for 4.2.4 involving at least 1 beta and an RC. None of these releases will contain the attached patches. They will be applied to CVS only on the release date immediately prior to the release. The HylaFAX Bugzilla report for Bug 719 discussing this is a private bug, and will not be open to public access until the release.

Following below, I've included the text of our future announcement which will be made on the date of the release.

Thank you for including HylaFAX in your distributions.

Aidan Van Dyk, HylaFAX developer

=============================================================

HylaFAX security advisory
4 Jan 2006

Subject: HylaFAX hfaxd and notify/faxrcvd vulnerabilities

Introduction:

HylaFAX is a mature (est. 1991) enterprise-class open-source software package for sending and receiving facsimiles as well as for sending alpha-numeric pages. It runs on a wide variety of UNIX-like platforms including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX, AIX, and HP-UX. See http://www.hylafax.org

Problem Descriptions and Impact:

1. HylaFAX hfaxd will allow any password when compiled with PAM support disabled. Only HylaFAX version 4.2.3 is vulnerable. This vulnerability was mentioned by Dileep <dileep@networkgulf.com> on the hylafax-users mailing list on December 12, was picked up and confirmed by Lee Howard, and a fix was provided the same day by Todd Lipcon. The fix was committed to CVS-HEAD on December 15. This vulnerability has been assigned CVE-XXXX-XXXX.

2. HylaFAX notify script passes unsanitised user-supplied data to eval, allowing remote attackers to execute arbitrary commands. The data needs to be part of a submitted job and as such, attackers must have access to submit faxes to the server in order to exploit this vulnerability. HylaFAX versions 4.2.0 up to 4.2.3 are vulnerable. Prior versions used an awk notify script that was not vulnerable. This vulnerability was discovered and fixed by Patrice Fournier of iFAX Solutions, Inc. This vulnerability has been assigned CVE-XXXX-XXXX.

3. HylaFAX faxrcvd script passes unsanitised user-supplied data to eval, allowing remote attackers to execute arbitrary commands. CallID (CIDName/CIDNumber) must be configured on the server and the attackers must have access to submit non-alphanumeric characters as CallID data (which may not be possible for most configurations) in order to exploit this vulnerability. HylaFAX versions 4.2.2 and 4.2.3 are vulnerable. Prior versions didn't support a variable number of CallID parameters. This vulnerability was discovered and fixed by Patrice Fournier of iFAX Solutions, Inc. This vulnerability has been assigned CVE-XXXX-XXXX.

Status:

HylaFAX.org has released HylaFAX version 4.2.4 which includes changes to fix each of these problems. All HylaFAX users are strongly encouraged to upgrade. The HylaFAX 4.2.4 source code is available at ftp://ftp.hylafax.org/source/hylafax-4.2.4.tar.gz

In the event that upgrading to 4.2.4 is not appropriate, the patches to fix those vulnerabilities are available at the following bug reports:
http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=682
http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=719

If PAM support is NOT enabled and upgrading or patching is not possible, firewalling techniques restricting access to port 4559 are strongly encouraged. As the patches to faxrcvd and notify are simple changes to shell scripts, you should apply those patches in either case.

No abuse of these vulnerabilities is known to HylaFAX development.

Thanks,

The vendor-sec mailing list was notified on 21st December, and HylaFAX CVS-HEAD was updated on 15 December for the PAM-disabled login vulnerability and on XX December for the other two vulnerabilities.

Patrice Fournier
HylaFAX developer
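The eval problem the advisory describes in items 2 and 3, shown as an added example that is not HylaFAX's faxrcvd/notify code and not the patches attached to this bug: the unsafe pattern is kept only as a comment, next to a hardened replacement that never lets caller-controlled text reach the shell parser. The function names (sanitize_callid, format_callids), the accepted character set and the sample CallID strings are assumptions made for this illustration, not values taken from HylaFAX.

```shell
#!/bin/sh
# Added example, not HylaFAX's faxrcvd/notify scripts or the patches attached
# to this bug. The function names and the sample CallID strings are constructed
# for this illustration.
#
# The pattern the advisory describes: caller-controlled text (job parameters,
# CIDName/CIDNumber) interpolated into a string that is then handed to eval.
# Shell metacharacters in that text are parsed as shell syntax and run as the
# uucp/fax user, so this form is never safe with untrusted input:
#
#     eval "CALLID$i=\"$value\""     # unsafe: $value is evaluated as code
#
# Hardened form: reduce each value to a conservative character set and use
# plain assignment and printf, so nothing from the caller is ever parsed as
# shell syntax.

# Keep letters, digits, space and the characters that appear in ordinary
# caller-ID strings ('+', '.', '_', '-'); drop everything else and collapse
# the runs of spaces left behind.
sanitize_callid() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9 +._-' | tr -s ' '
}

# Build the CallID lines for a notification body. Each positional parameter is
# one CallID value, which is how a variable number of CallID parameters can be
# handled without constructing variable names through eval.
format_callids() {
    n=1
    for raw in "$@"; do
        printf 'CallID%d: %s\n' "$n" "$(sanitize_callid "$raw")"
        n=$((n + 1))
    done
}

# Stand-alone run: the first value carries inert metacharacters that the
# sanitizer strips, the second is a normal number that passes through unchanged.
format_callids 'Acme Inc; $(x) `y` | z' '+1 555-0100'
```

The design point is that the fix is not a better quoting of the eval line but the removal of eval: the script's own parameters and printf format strings are fixed, and caller data only ever appears as data. Restricting the character set on top of that is defence in depth for wherever the value is later handed (mail headers, file names, log lines).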
Created attachment 75327 faxrcvd-eval-vulnerability.patch
Created attachment 75328 notify-eval-vulnerability.patch
Steve please attach an updated ebuild. Do NOT commit anything to portage at this point.
Created attachment 75617 updated hylafax-4.2.3 ebuild

Hylafax-4.2.3 ebuild updated with the following patches:
hylafax-4.2.3-faxrcvd-eval-vulnerability.patch
hylafax-4.2.3-notify-eval-vulnerability.patch
Thx Steve. Arch liaisons please test and report on this bug.
I don't have any hardware to be able to "actually" test this, but it looks like it works on x86 :)
as far as i can test it looks fine on amd64 too, but i don't have the hardware either. AFAIR kingtaco has, so i'm cc'ing him hereby :)
sparc looks sane too.
looks sane for amd64
CC'ing ferdy for alpha as I probably won't be around until january 2nd or 3rd.
looks fine on alpha too
Good for ppc
Only hppa left to check.
Sorry, forgot to write that hppa's okay, too.
Ready to commit directly as stable on security-supported arches, GLSA must be drafted
hansmi -> killerfox for hppa, hansmi -> dertobi123 for ppc
Steve, this should be announced on Hylafax website sometime today, please get ready to commit with the following approved keywords:
KEYWORDS="x86 sparc hppa alpha amd64 ppc"
We'll wait for the official announcement to commit the ebuild.
I assume you mean this announcement:
Subject: [hylafax-announce] **ANNOUNCE** HylaFAX 4.2.4 Now Available

Both 4.2.4 (straight) and patched 4.2.3 are now in portage; how did you want to handle the older versions? How far back do these issues go? I have the flu, so I'm kinda slow right now...
Thx for the ebuilds. You can keyword 4.2.3-r1 with:
KEYWORDS="x86 sparc hppa alpha amd64 ppc"
since it has been OKed by the appropriate arch security contacts.

About removing old versions, we don't really care as it won't really make users safer. Here is the affected versions rundown:
hfaxd allows any password when USE=pam --> Only version 4.2.3 is vulnerable
notify unsanitised user-supplied data --> versions 4.2.0 up to 4.2.3 are vulnerable
faxrcvd unsanitised user-supplied data --> versions 4.2.2 and 4.2.3 are vulnerable

Feel free to clean up as you deem appropriate.
Updated and cleaned...
Thx, this one is ready for GLSA.
GLSA 200601-03