Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 106882

Summary: net-misc/hylafax tmp file issue in xferfaxstats script
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen <jaervosz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: kingtaco, nerdboy
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329384
Whiteboard: B3 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen gentoo-dev 2005-09-22 06:07:42 UTC
Package: hylafax 
Severity: critical 
Version: 1:4.2.1-7 
Tags: woody sarge security patch 
 
This was a mail sent to the Debian security team, the hylafax Debian 
maintainer and the hylafax upstream maintainer a while back, since 
then, version  1:4.2.2+rc1 has been uploaded to testing (Sept 3rd 2005) 
making this issue public: 
 
   * Added patches from Javier Fernandez-Sanguino Pe
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-09-22 06:07:42 UTC
Package: hylafax 
Severity: critical 
Version: 1:4.2.1-7 
Tags: woody sarge security patch 
 
This was a mail sent to the Debian security team, the hylafax Debian 
maintainer and the hylafax upstream maintainer a while back, since 
then, version  1:4.2.2+rc1 has been uploaded to testing (Sept 3rd 2005) 
making this issue public: 
 
   * Added patches from Javier Fernandez-Sanguino Peña to cron jobs in 
     order to redirect stderr, and to other scripts in order to fix 
     temporary directory usage. (See patch 702) 
 
This is the mail sent describing the vulnerabilites (dated 6 Aug 2005). 
Attached is the patch (700, not 702 as mentioned in the changelog) used by 
the maintainer and based in may original patches. 
 
Notice that the patch only fixes the tempdir vulnerabilities, the last issue 
(the UNIX domain socket) has not yet been investigated. 
 
------------------------------------------------------------------------- 
 
 
Hi there hylafax maintainer and Debian security team, 
 
While reviewing Debian packages for vulnerabilities due to the insecure 
use of temporary files I've found that the hylafax package contains a  
script (xferfaxstats) which is vulnerable to symlink attacks since 
it uses temporary files in an unsafe way: 
 
------------------------------------------------------------------ 
(...) 
tmpAwk=/tmp/xferfax$$ 
trap "rm -f $tmpAwk; exit 1" 0 1 2 15 
(...) 
)>$tmpAwk 
$AWK -f $tmpAwk -v TODAY="$TODAY" -v AGE="$AGE" -v SINCEDT="$SINCEDT" -v 
ENDDT=" 
------------------------------------------------------------------ 
 
Furthermore, this script is run in a monthly basis by the predefined cron 
tasks in the package as root so it makes this vulnerability an exploitable 
issue in all systems that have this package installed. 
 
I've reviewed all other hylafax scripts which make use of /tmp too: 
/usr/sbin/recvstats, /usr/sbin/faxcron, /usr/sbin/faxaddmodem,  
/usr/sbin/faxsetup and /usr/sbin/probemodem and they use constructs which 
prevent symlink attacks from overwritting files. It seems that the Debian 
maintener fixed these bugs in 28 Sep 1998 (based on the changelog) but 
the xferstats script seems to have been missed.  
 
This script is available in all hylafax-server versions: woody, sarge, 
etch and sid. 
 
I'm also concerned that the hylafax package creates /var/spool/hylafax/tmp 
with mode 4777 supposedly, based on the manpages of those scripts, to be 
used as a temporary location of files but, instead, all of the files use 
/tmp instead directly. 
 
In order to clean up the code a little bit attached is a separate 
(untested) patch which reviews all the use of temporary files in scripts: 
 
1.- It makes all of them use mktemp if available, this prevents DoS attacks 
    agains the scripts since rogue users will find it more difficult 
    to pre-create the temporary files. With the current code it is 
    simple to prevent all scripts from executing just by populating 
    the /tmp directory with symlinks. 
2.- It makes all of them use TMPDIR if defined (through mktemp -t or 
    through the use of $TMPDIR instead of /tmp if mktemp is not available) 
3.- It generates proper error messages if temporary files cannot be 
    created 
4.- It changes cron jobs to forward error messages to the scripts to log 
    files or to mail messages 
5.- Do not define 'exit 1' when setting traps, since the exit status  
    of the script will be changed (a 0 exit status will be 1 instead). 
    Code sample: 
        ------------------------------------------------ 
        #!/bin/sh 
 
        trap "echo trap; exit 1" 0 1 2 3 15 
        echo no trap 
 
        exit 0 
        ---------------------------------------------- 
        $ ./test.sh 
        no trap 
        trap 
        $ echo $? 
        1 
 
This patch could be used in the sid package since it is actually code 
cleamup. If it was added, the cron jobs could redefine TMPDIR to be  
/var/spool/hylafax/tmp before calling the scripts so that the claim  
of the manpages would be correct. Based on the current code that directory 
does not seem to be used at all. 
 
Finally, another concern, is that the default config file defines 
FAX_DEFUNIX as /tmp/hyla.unix to setup a transport mode based on UNIX 
domain sockets. The FaxClient code uses whatever transport mechanism 
is available (through Transport::getTransport) and the Transport code says: 
 
[ ./util/Transport.c++ ] 
     53         if (UnixTransport::isA(FAX_DEFUNIX)) { 
     54             client.setHost(FAX_DEFUNIX); 
     55             return *new UnixTransport(client); 
     56         } else { 
     57             client.setHost(FAX_DEFHOST); 
     58             return *new InetTransport(client); 
     59         } 
 
UnixTransport::isA  is defined as: 
 
[ util/UnixTransport.c++ ] 
     35 UnixTransport::isA(const char* address) 
     36 { 
     37      return Sys::isSocketFile(address); 
     38 } 
 
I don't see that the Debian package creates the UNIX domain socket at all. 
¿Does this code means that if a rogue local user where to create a UNIX 
socket at /tmp/hyla.unix all Hylafax clients in the system would use that 
instead of the other inettransport (localhost:4559)? ¿Does this means 
that a local user could get access to all faxes sent and prevent faxes 
from being sent to the proper Hylafax Server? Notice that this code 
disputes the claim from the hylafax-client that it only communicates through 
TCP/IP (the manpage does not mention it either) and can introduce 
a different vulnerability in the system than the ones fixed by the 
attached patches. 
 
Regards 
 
Javier Fernandez-Sanguino
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-09-23 13:39:07 UTC
Steve, could you bump hylafax with the fixorz ?
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-09-27 07:37:04 UTC
Pulling rest of herd to help as nerdboy doesn't seem to answer...
Comment 4 Steve Arnold gentoo-dev 2005-09-27 18:37:29 UTC
Sorry, I got swamped; it says below "sent upstream" but xferfaxstats is still as 
shown below.  I suppose I have to yank it from the debian site...
Comment 5 Steve Arnold gentoo-dev 2005-09-27 22:31:25 UTC
Okay, all 4.2x versions are patched with the tmpdir patch; I'm removing 4.1.8 
unless somebody screams real loud...
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2005-09-27 23:06:22 UTC
nerdboy please don't close security bugs. 
 
Reopening for GLSA decision. 
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-09-28 00:24:58 UTC
I vote yes
Comment 8 Sune Kloppenborg Jeppesen gentoo-dev 2005-09-28 08:24:19 UTC
I vote YES too. 
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2005-09-28 12:02:51 UTC
Back to ebuild status. 
 
nerdboy please bump all affected versions so users will pick up the fixed 
versions and we can properly list affected versions. 
Comment 10 Steve Arnold gentoo-dev 2005-09-28 18:35:02 UTC
So, you want a revision bump on each of the remaining hylafax ebuilds?  I.e., 

hylafax-4.2.0-r2.ebuild => hylafax-4.2.0-r3.ebuild and so on?

This is what we have now:

hylafax-4.2.1.ebuild hylafax-4.2.0-r2.ebuild  hylafax-4.2.2.ebuild
hylafax-4.2.1-r1.ebuild

so I'm thinking of removing 4.2.1 and bumping 4.2.1-r1 to -r2 (plus the other 
two).  Does that make sense?
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2005-09-28 22:10:12 UTC
For each stable arch there should be a revision increase so they pickup the  
update. Preferably as few stable versions as possible, but no hard demand.  
 
We should at least have 4.2.1-r2 for x86 and sparc and possibly 4.2.0-r3 for 
hppa and amd64, otherwise they will have to mark 4.2.1-r2 stable. 
 
Comment 12 Steve Arnold gentoo-dev 2005-09-30 00:01:00 UTC
Done.
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2005-09-30 00:02:28 UTC
Thx, ready for GLSA. 
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-09-30 06:10:30 UTC
GLSA 200509-21