- --------------------------------------------------------------------------
Debian Security Advisory DSA 148-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
August 12th, 2002
- --------------------------------------------------------------------------
Package : hylafax
Vulnerability : buffer overflows and format string vulnerabilities
Problem-Type : remote
Debian-specific: no
CVE Id : CAN-2001-1034
Bugtraq Id : 3357 5349 5348
A set of problems has been discovered in Hylafax, a flexible
client/server fax software distributed with many GNU/Linux
distributions. Quoting SecurityFocus, the problems are in detail:
* A format string vulnerability makes it possible for users to
potentially execute arbitrary code on some implementations. Due to
insufficient checking of input, it's possible to execute a format
string attack. Since this only affects systems with the faxrm and
faxalter programs installed setuid, Debian is not vulnerable.
* A buffer overflow has been reported in Hylafax. A malicious fax
transmission may include a long scan line that will overflow a
memory buffer, corrupting adjacent memory. An exploit may result
in a denial of service condition, or possibly the execution of
arbitrary code with root privileges.
* A format string vulnerability has been discovered in faxgetty.
Incoming fax messages include a Transmitting Subscriber
Identification (TSI) string, used to identify the sending fax
machine. Hylafax uses this data as part of a format string without
properly sanitizing the input. Malicious fax data may cause the
server to crash, resulting in a denial of service condition.
* Marcin Dawcewicz discovered a format string vulnerability in hfaxd,
which will crash hfaxd under certain circumstances. Since Debian
doesn't have hfaxd installed setuid root, this problem cannot
directly lead to a vulnerability. The fix by Darren Nickerson was
already present in newer versions, but not in the potato version.
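The TSI format string bullet and the scan-line overflow bullet above describe the two defects a receiving fax daemon has to guard against: untrusted text reaching a format argument, and an unbounded copy of incoming line data. The following is an added C example written for this page, not HylaFAX code, showing the defensive pattern for each: a literal format with the sanitized TSI passed only as a "%s" argument, and a length-checked scan-line copy that rejects oversized lines. The names sanitize_tsi, format_tsi_log and copy_scanline, the sample TSI, and the sizes TSI_MAX and SCANLINE_MAX are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative example, not HylaFAX code. Sizes are assumptions: a T.30 TSI
 * is nominally 20 characters; SCANLINE_MAX stands in for whatever line
 * buffer a receiver allocates. */
#define TSI_MAX      20
#define SCANLINE_MAX 2432

/* The pattern behind the faxgetty bug class: attacker-supplied text used as
 * the format argument, so '%' sequences in it are interpreted:
 *
 *     fprintf(logfp, tsi);          <- vulnerable: tsi is the format
 *
 * The fix is a fixed format with the untrusted text as a %s argument,
 * fprintf(logfp, "%s", tsi); sanitizing the text is an additional layer. */

/* Copy a raw TSI into out, replacing non-printable bytes with '?' and
 * truncating to TSI_MAX. Returns the number of characters written. */
size_t sanitize_tsi(char *out, size_t outlen, const char *raw, size_t rawlen)
{
    size_t n = 0;
    if (outlen == 0)
        return 0;
    for (size_t i = 0; i < rawlen && n + 1 < outlen && n < TSI_MAX; i++) {
        unsigned char c = (unsigned char)raw[i];
        out[n++] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
    }
    out[n] = '\0';
    return n;
}

/* Build a log line for a received TSI. The format string is a literal and
 * the TSI is only ever a %s argument, so "%n" or "%x" inside it is inert.
 * Returns the line length, or -1 if buf is too small. */
int format_tsi_log(char *buf, size_t buflen, const char *raw, size_t rawlen)
{
    char tsi[TSI_MAX + 1];
    sanitize_tsi(tsi, sizeof tsi, raw, rawlen);
    int r = snprintf(buf, buflen, "RECV: TSI \"%s\"", tsi);
    return (r < 0 || (size_t)r >= buflen) ? -1 : r;
}

/* Bounded scan-line copy for the overflow case: a line longer than the
 * destination is rejected (return -1) instead of written past the buffer. */
int copy_scanline(unsigned char *dst, size_t dstlen,
                  const unsigned char *src, size_t srclen)
{
    if (srclen > dstlen)
        return -1;
    memcpy(dst, src, srclen);
    return (int)srclen;
}

int main(void)
{
    char line[64];
    const char hostile[] = "%x%x%n+1 555 0100";   /* constructed sample TSI */
    unsigned char page[SCANLINE_MAX];
    unsigned char big[SCANLINE_MAX + 1] = {0};    /* one byte too long */

    if (format_tsi_log(line, sizeof line, hostile, strlen(hostile)) > 0)
        puts(line);                 /* prints RECV: TSI "%x%x%n+1 555 0100" */
    printf("oversized scan line: %d\n",
           copy_scanline(page, sizeof page, big, sizeof big));   /* -1 */
    return 0;
}
```

The two checks are independent: even a TSI that passes sanitize_tsi must never become the format argument, and the scan-line length check belongs at the point where line data is first accepted from the modem, before any decoding touches it.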
These problems have been fixed in version 4.0.2-14.3 for the old
stable distribution (potato), in version 4.1.1-1.1 for the current
stable distribution (woody) and in version 4.1.2-2.1 for the unstable
distribution (sid).
We recommend that you upgrade your hylafax packages.
wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 2.2 alias potato
- ---------------------------------
Source archives:
http://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.0.2-14.3.dsc
Size/MD5 checksum: 624 258322373e17ea876ced8ff40d2657ae
http://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.0.2-14.3.diff.gz
Size/MD5 checksum: 81815 5d08c97482de1c0fb396148a43e464be
http://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.0.2.orig.tar.gz
Size/MD5 checksum: 1343569 59966e41f769770134b2c80c84245874
Architecture independent components:
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-doc_4.0.2-14.3_all.deb
Size/MD5 checksum: 517632 2cfca398afd15471a4f3c8194dc838ae
Alpha architecture:
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.0.2-14.3_alpha.deb
Size/MD5 checksum: 509592 d3fb699ea9bd4fb5cddb16a7931a395e
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.0.2-14.3_alpha.deb
Size/MD5 checksum: 1130548 9017187a07824236de07dce42a5032be
ARM architecture:
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.0.2-14.3_arm.deb
Size/MD5 checksum: 389264 98c2a5dfa4306965acc9d6f0ea909605
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.0.2-14.3_arm.deb
Size/MD5 checksum: 864078 793c1de1a50bb73536c1246c96b0d450
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.0.2-14.3_i386.deb
Size/MD5 checksum: 398406 9e30d17b4645472b1b04bab0962c1080
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.0.2-14.3_i386.deb
Size/MD5 checksum: 877434 1ae774e2115c983eed9fda2b6c19aa84
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.0.2-14.3_m68k.deb
Size/MD5 checksum: 385696 3177d7de33c31a7ee2e6fa67f81bdb77
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.0.2-14.3_m68k.deb
Size/MD5 checksum: 843094 10610c3e3082a5e3e92ca0f07b2e961d
PowerPC architecture:
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.0.2-14.3_powerpc.deb
Size/MD5 checksum: 388586 7917f305ddc521f3c0bf50f1df2d38eb
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.0.2-14.3_powerpc.deb
Size/MD5 checksum: 858980 26889bca9a720946245519abaf96b32f
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.0.2-14.3_sparc.deb
Size/MD5 checksum: 370812 80f3caad71eb8b3c67b6f7a8500460c4
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.0.2-14.3_sparc.deb
Size/MD5 checksum: 827696 d11315ac73cf015bd8366f1c6c85e218
Debian GNU/Linux 3.0 alias woody
- --------------------------------
Hylafax was released only for the architectures alpha, arm, hppa,
i386, ia64, m68k, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.1.1-1.1.dsc
Size/MD5 checksum: 741 bc3635f4c19a0700b4cc717c6c1322e7
http://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.1.1-1.1.diff.gz
Size/MD5 checksum: 114552 612823bb6a275ab886fe2138ef15eae2
http://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.1.1.orig.tar.gz
Size/MD5 checksum: 1287689 1ed081750be70a800708699b7568e17e
Architecture independent components:
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-doc_4.1.1-1.1_all.deb
Size/MD5 checksum: 318018 b2c9b05305490a58bcb325276964e3d2
Alpha architecture:
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-1.1_alpha.deb
Size/MD5 checksum: 556040 27102aa33baac1f507abf7c98e606b3b
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-1.1_alpha.deb
Size/MD5 checksum: 1362152 f68c48dd394d175da3a0ecdeb6e112e3
ARM architecture:
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-1.1_arm.deb
Size/MD5 checksum: 445322 75ccc9e7ce3e0f85977a0e6f584eb4d5
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-1.1_arm.deb
Size/MD5 checksum: 1095062 cccb608c1f26ed0611b54992720f5000
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-1.1_i386.deb
Size/MD5 checksum: 462154 16a74f04fe1fb9d5c682239e202dbda5
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-1.1_i386.deb
Size/MD5 checksum: 1132412 a941316aca93f58e0e257222b1e25111
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-1.1_ia64.deb
Size/MD5 checksum: 615468 7ff33e153f2759a07c772f8a68f480d8
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-1.1_ia64.deb
Size/MD5 checksum: 1491408 6720c5951d6a944db481386ea7be3320
HP Precision architecture:
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-1.1_hppa.deb
Size/MD5 checksum: 501290 23fb491d4212c8677ca90412ff7502ef
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-1.1_hppa.deb
Size/MD5 checksum: 1230944 83df5af12938f6615ce95109a26b5e0a
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-1.1_m68k.deb
Size/MD5 checksum: 451016 753934c8f05bc2f5db81ef9a1f3f01a7
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-1.1_m68k.deb
Size/MD5 checksum: 1099728 3c0921de3887e99a71f0f79c00bd2091
PowerPC architecture:
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-1.1_powerpc.deb
Size/MD5 checksum: 450046 53b65e2f2f7a95d49b0f160606c12317
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-1.1_powerpc.deb
Size/MD5 checksum: 1103892 efd5bdedef2a68adcc7ce30a66b6a2ea
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-1.1_s390.deb
Size/MD5 checksum: 441698 0643afc885cbfe883b16128181fe0967
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-1.1_s390.deb
Size/MD5 checksum: 1087174 76704c6234fe4c9bebaa4ae517a69e25
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-1.1_sparc.deb
Size/MD5 checksum: 433586 06e478ccafa99cda109b6cce8192a5df
http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-1.1_sparc.deb
Size/MD5 checksum: 1082202 cbef6f10a8ab7b5515838de3466f3847
These files will probably be moved into the stable distribution on
its next revision.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>