| Field | Value |
|---|---|
| Summary | net-misc/hylafax: hfaxd unauthorized login vulnerability |
| Product | Gentoo Security |
| Reporter | Thierry Carrez (RETIRED) <koon> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | gmsoft, gustavoz, kingtaco, nerdboy, weeve |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | All |
| Whiteboard | B3 [glsa] koon 20050111 |
| Runtime testing required | --- |
| Attachments | hylafax-hostvuln.patch (attachment 47051, patch for 4.2.0) |
Description
Thierry Carrez (RETIRED)
2004-12-28 12:51:38 UTC
Coordinated disclosure on 11 Jan 2005.

Created attachment 47051: hylafax-hostvuln.patch (patch for 4.2.0)
Another confidential vulnerability for you, Steve... You need to prepare and test a new ebuild for hylafax with the attached patch, but please do not commit it to CVS, it must remain confidential for now. You can attach a tar with everything (ebuild and patch file) to this bug, and we'll call specific people in arches to test it so that hopefully it can be committed stable on the coordinated release date.

--- hylafax-4.2.0-r1.ebuild.orig 2005-01-05 20:03:46.120374101 -0600 +++ hylafax-4.2.0-r1.ebuild 2005-01-05 20:04:48.900910664 -0600
@@ -33,6 +33,7 @@ epatch ${FILESDIR}/${P}-faxcron_uid.patch epatch ${FILESDIR}/${P}-tiff_version.patch epatch ${FILESDIR}/configure-gcc-3.4.patch + epatch ${FILESDIR}/hylafax-hostvuln.patch } src_compile() {

This works on amd64. I won't commit it to the tree per your request.

The patch tests out on x86 okay as well. I leave for a conference on Saturday, so KingTaco will commit the -r2 ebuild if we don't do it before I leave.

Weeve or Gustavo: could you please test the patched ebuild and ensure it builds properly (and works) on sparc too? Guy: you can also test for hppa and report success/failure here. The idea is to commit 4.2.0-r2 directly as KEYWORDS="x86 sparc hppa ~alpha ~amd64 ~ppc" on 2005/01/11.

I had to add a -fPIC fix to make it compile on my hppa. I've added it for all arches (see #55238).

Everyone: it would be a good thing to be ready for the big date tomorrow with that one. weeve/gustavoz: please test on sparc and report success. kingtaco: will you be available and ready to commit it tomorrow?

Green light for sparc.

Just let me know when you want it to go in, I'll be available after 1700 CST (GMT-6).

kingtaco: it might be a good idea to add an ewarn about the hosts.hfaxd file losing backward compatibility. See "effect" in the Hylafax advisory draft.

It's not up on the Hylafax site yet, so we must wait for the time being. http://www.hylafax.org/cgi-bin/cvsweb.cgi/~checkout~/CHANGES
* fix CAN-2004-1182: hfaxd client/server authentication vulnerability (10 Jan 2005) [...]

It's officially out: http://marc.theaimsgroup.com/?l=hylafax&m=110545119911558&w=2
kingtaco: please commit the 4.2.0-r2 ebuild ASAP with KEYWORDS="x86 sparc hppa ~alpha ~amd64 ~ppc" in cvs, stable on amd64 as well.

GLSA 200501-21
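Review bot: in the src_unpack hunk the new patch is added as `epatch ${FILESDIR}/hylafax-hostvuln.patch`, while the two sibling security/build patches on the same lines use the versioned `${P}-` prefix (`${P}-faxcron_uid.patch`, `${P}-tiff_version.patch`); naming it `${P}-hostvuln.patch` (or including the CAN-2004-1182 identifier) would tie the fix to the 4.2.0 sources it was written against and stop a later version bump from silently reapplying a 4.2.0 patch. The diff header also shows it was taken against hylafax-4.2.0-r1.ebuild with no revision change, whereas the thread expects 4.2.0-r2 to be committed with the new KEYWORDS; the -r2 copy, the -fPIC fix mentioned for hppa, and the suggested ewarn about hosts.hfaxd losing backward compatibility are all outside this hunk and need to be carried into the ebuild that is actually committed.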