Bug 33368 - Updated hylafax 4.1.8 package fixes remote root vulnerability
Summary: Updated hylafax 4.1.8 package fixes remote root vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Security
URL: http://www.mandrakesecure.net/en/advi...
Whiteboard:
Keywords: SECURITY
Duplicates: 33233
Depends on:
Blocks:
 
Reported: 2003-11-12 23:31 UTC by Steve Arnold
Modified: 2003-12-10 15:05 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Steve Arnold gentoo-dev 2003-11-12 23:31:17 UTC
During a code review of the hfaxd server, part of the hylafax package, the SuSE
Security Team discovered a format bug condition that allows remote attackers to
execute arbitrary code as the root user. Updated packages have been patched to
correct the problem.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0886

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
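The description names the bug class (a format string bug in a network-facing daemon) without showing it. The following is an added illustration, not hfaxd's code and not from the advisory: the same peer-supplied line passed once as a format string and once as a `%s` argument, plus a small helper a reviewer or log-monitoring check can use to flag untrusted text that contains conversion specifiers. The function names, the wrapper and the sample line are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_LINE_MAX 256

/* Generic printf-style logging wrapper (hypothetical). Many daemons have
 * one of these; the danger is what callers hand it as 'fmt'. */
static int log_with_format(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return written;
}

/* Vulnerable pattern (illustrative, not hfaxd): data received from a
 * network peer becomes the FORMAT string, so every '%' conversion in it
 * is interpreted by the C library. With "100%%" the output is "100%";
 * with real conversions the behaviour is undefined and attacker-steered. */
int log_line_vulnerable(char *out, size_t outlen, const char *peer_data)
{
    return log_with_format(out, outlen, peer_data);
}

/* Hardened pattern: the format is a fixed literal and the peer data is only
 * ever a %s argument, so its bytes are copied verbatim. "100%%" stays "100%%". */
int log_line_safe(char *out, size_t outlen, const char *peer_data)
{
    return log_with_format(out, outlen, "%s", peer_data);
}

/* Detection helper: count '%' conversion introducers in untrusted text.
 * Protocol lines sent by a legitimate client essentially never contain
 * printf conversions, so a non-zero count is worth logging and rejecting
 * before the line reaches any format-taking function. "%%" is a literal
 * percent and is not counted. */
size_t count_format_conversions(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p == '%') {
            if (p[1] == '%') { p++; continue; }  /* escaped percent */
            n++;
        }
    }
    return n;
}

int main(void)
{
    /* Constructed sample line; a real client would send a job id or filename. */
    const char *peer_line = "100%%";
    char buf[LOG_LINE_MAX];

    log_line_vulnerable(buf, sizeof buf, peer_line);
    printf("vulnerable logs: \"%s\"\n", buf);   /* 100%  (format was interpreted) */

    log_line_safe(buf, sizeof buf, peer_line);
    printf("safe logs:       \"%s\"\n", buf);   /* 100%% (copied verbatim) */

    printf("conversions in \"job %%d from %%s\": %zu\n",
           count_format_conversions("job %d from %s"));
    return 0;
}
```

The contrast uses `%%` deliberately because its expansion is well defined, so the difference between the two paths is visible without triggering undefined behaviour; the fix for the vulnerable pattern is always the same, a literal format with the untrusted data passed as an argument, and `-Wformat-security` (GCC and Clang) flags the non-literal call site at build time.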
Comment 1 solar (RETIRED) gentoo-dev 2003-11-13 14:51:21 UTC
Steve,
This is updated in portage now? 

Comment 2 Steve Arnold gentoo-dev 2003-11-13 16:26:50 UTC
The 4.1.8 release of Hylafax is the official fixed package from ftp.hylafax.org (but I guess the SuSE and Mandrake folks fixed older versions to match their stable packages).

http://www.hylafax.org/archive/2003-11/msg00096.html
Comment 3 Steve Arnold gentoo-dev 2003-11-13 17:27:15 UTC
Maybe that makes more sense...
Comment 4 solar (RETIRED) gentoo-dev 2003-11-14 00:14:31 UTC
*** Bug 33233 has been marked as a duplicate of this bug. ***
Comment 5 Steve Arnold gentoo-dev 2003-11-14 23:14:09 UTC
I guess they don't archive the Announce list, which is why I couldn't find the official announcement in the User list...  Here it is:

http://groups.google.com/groups?dq=&hl=en&lr=&ie=UTF-8&oe=UTF-8&group=fa.hylafax&selm=fa.e3v4oi8.1i7oh1u%40ifi.uio.no
Comment 6 Daniel Robbins (RETIRED) gentoo-dev 2003-11-19 14:00:18 UTC
OK, this GLSA seems to be online as:

glsa-200311-03.xml

But it has not been sent?
Comment 7 solar (RETIRED) gentoo-dev 2003-12-10 15:05:03 UTC
changing resolution to FIXED