Date:      Tue, 13 Aug 2002 04:36:31 +0930
From:      Greg Lewis <glewis@eyesbeyond.com>
To:        Mike Tancsa <mike@sentex.net>
Cc:        ports@FreeBSD.ORG, security@FreeBSD.ORG, so@FreeBSD.ORG
Subject:   Re: hylaxfax security issue (from the ports)
Message-ID:  <20020813043631.A19449@misty.eyesbeyond.com>
In-Reply-To: <5.1.1.6.0.20020812142654.0525a938@marble.sentex.ca>; from mike@sentex.net on Mon, Aug 12, 2002 at 02:35:44PM -0400
References:  <5.1.1.6.0.20020812142654.0525a938@marble.sentex.ca>

On Mon, Aug 12, 2002 at 02:35:44PM -0400, Mike Tancsa wrote:
> 
> Looks like the current version of HylaFax in the ports once again has 
> security issues (remote and local).
> 
> From the web page http://www.hylafax.org/4.1.3.html
> 
> 4.1.3 includes fixes for a remote format string vulnerability which could 
> be abused in a denial of service attack. Also fixed is a buffer overflow 
> condition when receiving fax image data which potentially could be 
> exploited to execute arbitrary code as root. Also present in 4.1.3 are 
> fixes for several other local remote format string vulnerabilities which, 
> in some installations, could lead to elevated privileges by abuse. Everyone 
> is advised to upgrade.
> 
> ------------------------------
> I am not a heavy user of HylaFax (only outbound), but removing the two 
> patch files and making the following changes lets it build with the new 
> source code.  The md5 is also on the webpage.

Ouch.  Upgrade committed, security-officer may want to send out an advisory
on this though.  I only needed to modify one of the patch files to get
things to build correctly.  I also updated the package list to match the
files 4.1.3 installs.

Thanks, Mike!

-- 
Greg Lewis                          Email   : glewis@eyesbeyond.com
Eyes Beyond                         Web     : http://www.eyesbeyond.com
Information Technology              FreeBSD : glewis@FreeBSD.org
