Debian GNU/Linux: hylafax | Linux Today

Written By
Web Webster
Aug 12, 2002
--------------------------------------------------------------------------
Debian Security Advisory DSA 148-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
August 12th, 2002
--------------------------------------------------------------------------

Package        : hylafax
Vulnerability  : buffer overflows and format string vulnerabilities
Problem-Type   : remote
Debian-specific: no
CVE Id         : CAN-2001-1034
Bugtraq Id     : 3357 5349 5348

A set of problems has been discovered in Hylafax, flexible
client/server fax software distributed with many GNU/Linux
distributions.  Quoting SecurityFocus, the problems are in detail:

 * A format string vulnerability makes it possible for users to
   potentially execute arbitrary code on some implementations.  Due to
   insufficient checking of input, it's possible to execute a format
   string attack.  Since this only affects systems with the faxrm and
   faxalter programs installed setuid, Debian is not vulnerable.

 * A buffer overflow has been reported in Hylafax.  A malicious fax
   transmission may include a long scan line that will overflow a
   memory buffer, corrupting adjacent memory.  An exploit may result
   in a denial of service condition, or possibly the execution of
   arbitrary code with root privileges.

 * A format string vulnerability has been discovered in faxgetty.
   Incoming fax messages include a Transmitting Subscriber
   Identification (TSI) string, used to identify the sending fax
   machine.  Hylafax uses this data as part of a format string without
   properly sanitizing the input.  Malicious fax data may cause the
   server to crash, resulting in a denial of service condition.

 * Marcin Dawcewicz discovered a format string vulnerability in hfaxd,
   which will crash hfaxd under certain circumstances.  Since Debian
   doesn't have hfaxd installed setuid root, this problem cannot
   directly lead to a vulnerability.  It has been fixed by Darren
   Nickerson; the fix was already present in newer versions, but not
   in the potato version.
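
The bug class behind the faxgetty TSI item above, shown as the vulnerable
logging pattern beside its hardened form.  This is an added example, not
HylaFAX code and not part of the advisory; trace(), on_tsi_unsafe(),
on_tsi_safe(), tsi_has_directive() and TSI_MAX are hypothetical names.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define TSI_MAX 20            /* assumed maximum TSI length for this sketch */

static char last_log[128];    /* captures what the logger produced */

/* Hypothetical printf-style logger; stands in for a syslog-like call. */
static void trace(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: the message embedding the TSI becomes the format. */
static const char *on_tsi_unsafe(const char *tsi)
{
    char msg[64];
    snprintf(msg, sizeof msg, "REMOTE TSI \"%s\"", tsi);
    trace(msg);               /* sender-controlled bytes parsed as directives */
    return last_log;
}

/* Hardened pattern: constant format, TSI passed as bounded data only. */
static const char *on_tsi_safe(const char *tsi)
{
    trace("REMOTE TSI \"%.*s\"", TSI_MAX, tsi);
    return last_log;
}

/* Cheap audit check: a TSI containing '%' is worth flagging in logs. */
static int tsi_has_directive(const char *tsi)
{
    return strchr(tsi, '%') != NULL;
}

int main(void)
{
    const char *tsi = "100%% FAX";          /* constructed sample TSI */
    printf("unsafe: %s\n", on_tsi_unsafe(tsi));
    printf("safe:   %s\n", on_tsi_safe(tsi));
    printf("flag:   %d\n", tsi_has_directive(tsi));
    return 0;
}
```

The constructed TSI contains only "%%", so the unsafe path stays well
defined while still showing that the logger rewrote the sender's data.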

These problems have been fixed in version 4.0.2-14.3 for the old
stable distribution (potato), in version 4.1.1-1.1 for the current
stable distribution (woody) and in version 4.1.2-2.1 for the unstable
distribution (sid).

We recommend that you upgrade your hylafax packages.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
---------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.0.2-14.3.dsc
      Size/MD5 checksum:      624 258322373e17ea876ced8ff40d2657ae
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.0.2-14.3.diff.gz
      Size/MD5 checksum:    81815 5d08c97482de1c0fb396148a43e464be
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.0.2.orig.tar.gz
      Size/MD5 checksum:  1343569 59966e41f769770134b2c80c84245874

  Architecture independent components:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-doc_4.0.2-14.3_all.deb
      Size/MD5 checksum:   517632 2cfca398afd15471a4f3c8194dc838ae

  Alpha architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.0.2-14.3_alpha.deb
      Size/MD5 checksum:   509592 d3fb699ea9bd4fb5cddb16a7931a395e
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.0.2-14.3_alpha.deb
      Size/MD5 checksum:  1130548 9017187a07824236de07dce42a5032be

  ARM architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.0.2-14.3_arm.deb
      Size/MD5 checksum:   389264 98c2a5dfa4306965acc9d6f0ea909605
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.0.2-14.3_arm.deb
      Size/MD5 checksum:   864078 793c1de1a50bb73536c1246c96b0d450

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.0.2-14.3_i386.deb
      Size/MD5 checksum:   398406 9e30d17b4645472b1b04bab0962c1080
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.0.2-14.3_i386.deb
      Size/MD5 checksum:   877434 1ae774e2115c983eed9fda2b6c19aa84

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.0.2-14.3_m68k.deb
      Size/MD5 checksum:   385696 3177d7de33c31a7ee2e6fa67f81bdb77
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.0.2-14.3_m68k.deb
      Size/MD5 checksum:   843094 10610c3e3082a5e3e92ca0f07b2e961d

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.0.2-14.3_powerpc.deb
      Size/MD5 checksum:   388586 7917f305ddc521f3c0bf50f1df2d38eb
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.0.2-14.3_powerpc.deb
      Size/MD5 checksum:   858980 26889bca9a720946245519abaf96b32f

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.0.2-14.3_sparc.deb
      Size/MD5 checksum:   370812 80f3caad71eb8b3c67b6f7a8500460c4
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.0.2-14.3_sparc.deb
      Size/MD5 checksum:   827696 d11315ac73cf015bd8366f1c6c85e218


Debian GNU/Linux 3.0 alias woody
--------------------------------

Hylafax was released only for the architectures alpha, arm, hppa,
i386, ia64, m68k, powerpc, s390 and sparc.

  Source archives:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.1.1-1.1.dsc
      Size/MD5 checksum:      741 bc3635f4c19a0700b4cc717c6c1322e7
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.1.1-1.1.diff.gz
      Size/MD5 checksum:   114552 612823bb6a275ab886fe2138ef15eae2
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.1.1.orig.tar.gz
      Size/MD5 checksum:  1287689 1ed081750be70a800708699b7568e17e

  Architecture independent components:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-doc_4.1.1-1.1_all.deb
      Size/MD5 checksum:   318018 b2c9b05305490a58bcb325276964e3d2

  Alpha architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-1.1_alpha.deb
      Size/MD5 checksum:   556040 27102aa33baac1f507abf7c98e606b3b
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-1.1_alpha.deb
      Size/MD5 checksum:  1362152 f68c48dd394d175da3a0ecdeb6e112e3

  ARM architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-1.1_arm.deb
      Size/MD5 checksum:   445322 75ccc9e7ce3e0f85977a0e6f584eb4d5
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-1.1_arm.deb
      Size/MD5 checksum:  1095062 cccb608c1f26ed0611b54992720f5000

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-1.1_i386.deb
      Size/MD5 checksum:   462154 16a74f04fe1fb9d5c682239e202dbda5
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-1.1_i386.deb
      Size/MD5 checksum:  1132412 a941316aca93f58e0e257222b1e25111

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-1.1_ia64.deb
      Size/MD5 checksum:   615468 7ff33e153f2759a07c772f8a68f480d8
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-1.1_ia64.deb
      Size/MD5 checksum:  1491408 6720c5951d6a944db481386ea7be3320

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-1.1_hppa.deb
      Size/MD5 checksum:   501290 23fb491d4212c8677ca90412ff7502ef
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-1.1_hppa.deb
      Size/MD5 checksum:  1230944 83df5af12938f6615ce95109a26b5e0a

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-1.1_m68k.deb
      Size/MD5 checksum:   451016 753934c8f05bc2f5db81ef9a1f3f01a7
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-1.1_m68k.deb
      Size/MD5 checksum:  1099728 3c0921de3887e99a71f0f79c00bd2091

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-1.1_powerpc.deb
      Size/MD5 checksum:   450046 53b65e2f2f7a95d49b0f160606c12317
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-1.1_powerpc.deb
      Size/MD5 checksum:  1103892 efd5bdedef2a68adcc7ce30a66b6a2ea

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-1.1_s390.deb
      Size/MD5 checksum:   441698 0643afc885cbfe883b16128181fe0967
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-1.1_s390.deb
      Size/MD5 checksum:  1087174 76704c6234fe4c9bebaa4ae517a69e25

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-1.1_sparc.deb
      Size/MD5 checksum:   433586 06e478ccafa99cda109b6cce8192a5df
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-1.1_sparc.deb
      Size/MD5 checksum:  1082202 cbef6f10a8ab7b5515838de3466f3847


  These files will probably be moved into the stable distribution on
  its next revision.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

