From: Waldo Bastian <firstname.lastname@example.org>
To: email@example.com, firstname.lastname@example.org, email@example.com
Subject: SECURITY: efax
Date: 09 Nov 2001 17:36:58 -0800

The program "efax" which is distributed as part of the klprfax program in the
kdeutils module poses a security risk when installed suid. "efax" has been
part of KDE 2.2 and KDE 2.2.1 and is installed suid by default.

Scope: a local user can gain root privileges by exploiting a bug in "efax".

Solution: Remove the suid bit from the "efax" executable. This can be done
with the following command:

    chmod -s `locate bin/efax`

"efax" will continue to work as before as long as users have sufficient rights
to create lock files in the system lock directory (like /var/lock) and
sufficient rights to open the modem device.

firstname.lastname@example.org | SuSE Labs KDE Developer | email@example.com
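
The remediation above as a script, added here as an example and not part of the original advisory: it clears the suid bit only from files named exactly "efax" under the directories you pass, then checks the lock-directory and modem access the advisory says efax still needs. The /dev/modem default, the MODEM variable and the --fix flag are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory). Assumed names: --fix, MODEM, /dev/modem.

# is_suid FILE: succeeds if FILE is a regular file with the setuid bit set.
is_suid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# strip_suid FILE: clear setuid/setgid and confirm the setuid bit is gone.
strip_suid() {
    chmod ug-s "$1" && ! is_suid "$1"
}

# find_efax DIR...: print files named exactly "efax" (not efax-gtk etc.).
find_efax() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -name efax 2>/dev/null || true
    done
}

# remediate DIR...: strip the suid bit from every efax found, one report line each.
remediate() {
    find_efax "$@" | while IFS= read -r f; do
        if is_suid "$f"; then
            strip_suid "$f" && echo "cleared suid: $f" || echo "FAILED: $f"
        else
            echo "ok (not suid): $f"
        fi
    done
}

# check_access LOCKDIR DEVICE: can the current user create lock files in
# LOCKDIR and open DEVICE read/write? These are what efax needs without suid.
check_access() {
    lockdir=$1 device=$2 rc=0
    [ -d "$lockdir" ] && [ -w "$lockdir" ] || { echo "no write access to $lockdir"; rc=1; }
    [ -r "$device" ] && [ -w "$device" ] || { echo "cannot open $device read/write"; rc=1; }
    return $rc
}

# Usage: sh fix-efax.sh --fix /usr/bin /usr/local/bin   (run as root)
if [ "${1:-}" = "--fix" ]; then
    shift
    remediate "$@"
    check_access /var/lock "${MODEM:-/dev/modem}"
fi
```

Run check_access as the ordinary user who sends faxes, not as root, since root passes the write tests regardless of file modes.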