From: Waldo Bastian <email@example.com>
To: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org
Subject: SECURITY: efax
Date: 09 Nov 2001 17:36:58 -0800

The program "efax" which is distributed as part of the klprfax program in the
kdeutils module poses a security risk when installed suid. "efax" has been
part of KDE 2.2 and KDE 2.2.1 and is installed suid by default.

Scope: a local user can gain root privileges by exploiting a bug in "efax".

Solution: Remove the suid bit from the "efax" executable. This can be done
with the following command:

    chmod -s `locate bin/efax`

"efax" will continue to work as before as long as users have sufficient rights
to create lock files in the system lock directory (like /var/lock) and
sufficient rights to open the modem device.

email@example.com | SuSE Labs KDE Developer | firstname.lastname@example.org
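
Added example, not part of the original advisory: a shell sketch of the same fix that matches only files named exactly "efax" (locate matches substrings, so `locate bin/efax` can return other paths), confirms the bit is gone, and checks the two rights the advisory says a non-suid efax needs. The function names are hypothetical, and the directories, lock directory and modem device are passed in as arguments rather than assumed.

```shell
#!/bin/sh
# Added example: function names are hypothetical; all paths are caller-supplied.

# has_suid FILE: true if FILE is a regular file with the setuid or setgid bit.
has_suid() {
    [ -f "$1" ] && { [ -u "$1" ] || [ -g "$1" ]; }
}

# find_efax DIR...: list executables named exactly "efax" under the given dirs.
find_efax() {
    find "$@" -type f -name efax -perm -100 2>/dev/null
}

# strip_suid FILE...: run "chmod -s" on each file that needs it, then re-check.
# Returns non-zero if any listed file is still setuid/setgid afterwards.
strip_suid() {
    rc=0
    for f in "$@"; do
        if has_suid "$f"; then
            chmod -s "$f" 2>/dev/null || true
            if has_suid "$f"; then
                echo "FAILED: $f is still setuid/setgid" >&2
                rc=1
            else
                echo "fixed: $f"
            fi
        fi
    done
    return $rc
}

# can_use_modem LOCKDIR DEVICE: true if the current user can create files in
# LOCKDIR and open DEVICE read/write, i.e. efax keeps working without suid.
can_use_modem() {
    [ -d "$1" ] && [ -w "$1" ] && [ -x "$1" ] && [ -r "$2" ] && [ -w "$2" ]
}

# Stand-alone use: sh thisfile DIR...  (directories to search for efax)
if [ "$#" -gt 0 ]; then
    find_efax "$@" | while IFS= read -r f; do strip_suid "$f"; done
fi
```

Run `can_use_modem` as the unprivileged user who sends faxes, not as root, since root passes both checks regardless of the file permissions.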