A set of problems have been discovered in Hylafax, a flexible
client/server fax software distributed with many GNU/Linux
distributions. Quoting SecurityFocus the problems are in detail:
- A format string vulnerability makes it possible for users to
potentially execute arbitrary code on some implementations. Due to
insufficient checking of input, it’s possible to execute a format
string attack. Since this only affects systems with the faxrm and
faxalter programs installed setuid, Debian is not vulnerable.
- A buffer overflow has been reported in Hylafax. A malicious fax
transmission may include a long scan line that will overflow a
memory buffer, corrupting adjacent memory. An exploit may result
in a denial of service condition, or possibly the execution of
arbitrary code with root privileges.
- A format string vulnerability has been discovered in faxgetty.
Incoming fax messages include a Transmitting Subscriber
Identification (TSI) string, used to identify the sending fax
machine. Hylafax uses this data as part of a format string without
properly sanitizing the input. Malicious fax data may cause the
server to crash, resulting in a denial of service condition.
- Marcin Dawcewicz discovered a format string vulnerability in hfaxd,
which will crash hfaxd under certain circumstances. Since Debian
doesn’t have hfaxd installed setuid root, this problem cannot
directly lead into a vulnerability. This has been fixed by Darren
Nickerson, which was already present in newer versions, but not in
the potato version.
These problems have been fixed in version 4.0.2-14.3 for the old
stable distribution (potato), in version 4.1.1-1.1 for the current
stable distribution (woody) and in version 4.1.2-2.1 for the unstable
distribution (sid).
We recommend that you upgrade your hylafax packages.