During a code review of the hfaxd server, part of the hylafax package, the SuSE Security Team discovered a format bug condition that allows remote attackers to execute arbitrary code as the root user. Updated packages have been patched to correct the problem.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0886
Reproducible: Always
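The advisory above names the bug class (a format string bug in a network daemon running as root) without showing code. The following C snippet is an added, constructed illustration of that class and its fix; it is not hfaxd's source, and the function names, the sample message and the directive-counting heuristic are all assumptions made here. The vulnerable line is kept in a comment so that the file compiles cleanly under -Werror=format-security; the hardened form and a small audit helper are real, compiled code.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example of the bug class described in the advisory
 * (format string bug in a daemon). Not hfaxd code. */

/* Vulnerable pattern (shown as a comment; never compiled here):
 *
 *   static void log_client_unsafe(char *out, size_t outlen, const char *client_msg)
 *   {
 *       snprintf(out, outlen, client_msg);   // BUG: client text is the format
 *   }
 *
 * Any %-directives in client_msg are interpreted by snprintf, so the
 * client controls how the stack is read and, with some directives, written.
 */

/* Hardened pattern: a constant format string; client data is only ever an
 * argument, so its contents are copied verbatim and never interpreted. */
void log_client_safe(char *out, size_t outlen, const char *client_msg)
{
    snprintf(out, outlen, "%s", client_msg);
}

/* Returns 1 if the hardened path reproduces the input unchanged, 0 otherwise.
 * Hypothetical helper used to demonstrate the property in a test. */
int safe_log_is_verbatim(const char *client_msg)
{
    char buf[256];
    log_client_safe(buf, sizeof buf, client_msg);
    return strcmp(buf, client_msg) == 0;
}

/* Audit aid: count conversion directives ('%' not followed by another '%')
 * in untrusted text. A non-zero count reaching a format parameter is a
 * finding worth reviewing; it is a heuristic, not a proof of a bug. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%')
                s++;            /* "%%" is a literal percent sign */
            else
                n++;
        }
    }
    return n;
}

int main(void)
{
    /* Constructed sample of client-supplied text containing directives. */
    const char *msg = "HELO %x %x %s";
    char buf[256];

    log_client_safe(buf, sizeof buf, msg);
    printf("logged verbatim: %s\n", buf);
    printf("directives found in client text: %d\n", count_format_directives(msg));
    return 0;
}
```

Compiling with -Wformat -Wformat-security (or -Werror=format-security) flags the commented pattern at build time, which is the cheapest check a packager can add when reviewing a daemon like this one.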
Steve, is this updated in portage now?
The 4.1.8 release of Hylafax is the official fixed package from ftp.hylafax.org (but I guess the SuSE and Mandrake folks fixed older versions to match their stable packages).
http://www.hylafax.org/archive/2003-11/msg00096.html
Maybe that makes more sense...
*** Bug 33233 has been marked as a duplicate of this bug. ***
I guess they don't archive the Announce list, which is why I couldn't find the official announcement in the User list... Here it is:
http://groups.google.com/groups?dq=&hl=en&lr=&ie=UTF-8&oe=UTF-8&group=fa.hylafax&selm=fa.e3v4oi8.1i7oh1u%40ifi.uio.no
OK, this GLSA seems to be online as glsa-200311-03.xml, but it has not been sent?
Changing resolution to FIXED.