hylafax-server: Security concern in notify script CVE-2005-3539

Related Vulnerabilities: CVE-2005-3539  

Debian Bug report logs - #347298

Reported by: Ernst Oudhof <ernst@mailfrom.nl>

Date: Mon, 9 Jan 2006 22:48:10 UTC

Severity: grave

Tags: security

Found in versions hylafax-server/1:4.2.1-5sarge1, hylafax-server/1:4.2.1-5sarge3

Done: Giuseppe Sacco <eppesuig@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Sacco <eppesuig@debian.org>:
Bug#347298; Package hylafax-server.


Acknowledgement sent to Ernst Oudhof <ernst@mailfrom.nl>:
New Bug report received and forwarded. Copy sent to Giuseppe Sacco <eppesuig@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Ernst Oudhof <ernst@mailfrom.nl>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: hylafax-server: Security concern in notify script CVE-2005-3539
Date: Mon, 09 Jan 2006 23:33:45 +0100
Package: hylafax-server
Version: 1:4.2.1-5sarge1
Severity: grave
Tags: security
Justification: user security hole


Hi,

An eval injection vulnerability was found in Hylafax 4.2.0 to 4.2.3
which allows a remote attacker to execute arbitrary commands.
This issue is described in candidate CVE-2005-3539
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3539
As Debian stable is using 4.2.1 it is not vulnerable to the issue in the
faxrcvd script.

regards,

Ernst Oudhof



-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-k7
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages hylafax-server depends on:
ii  debconf          1.4.30.13               Debian configuration management sy
ii  gawk [awk]       1:3.1.4-2               GNU awk, a pattern scanning and pr
ii  gs               8.01-5                  Transitional package
ii  gs-gpl [gs]      8.01-5                  The GPL Ghostscript PostScript int
ii  hylafax-client   1:4.2.1-5sarge1         Flexible client/server fax softwar
ii  libc6            2.3.2.ds1-22            GNU C Library: Shared libraries an
ii  libgcc1          1:3.4.3-13              GCC support library
ii  libpam0g         0.76-22                 Pluggable Authentication Modules l
ii  libstdc++5       1:3.3.5-13              The GNU Standard C++ Library v3
ii  libtiff-tools    3.7.2-3                 TIFF manipulation and conversion t
ii  libtiff4         3.7.2-3                 Tag Image File Format (TIFF) libra
ii  mailx            1:8.1.2-0.20040524cvs-4 A simple mail user agent
ii  mawk [awk]       1.3.3-11                a pattern scanning and text proces
ii  mime-codecs      7.19-4                  Fast Quoted-Printable and BASE64 M
ii  psmisc           21.5-1                  Utilities that use the proc filesy
ii  sed              4.1.2-8                 The GNU sed stream editor
ii  zlib1g           1:1.2.2-4.sarge.2       compression library - runtime

-- debconf information excluded



Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Sacco <eppesuig@debian.org>:
Bug#347298; Package hylafax-server.


Acknowledgement sent to Ernst Oudhof <ernst@mailfrom.nl>:
Extra info received and forwarded to list. Copy sent to Giuseppe Sacco <eppesuig@debian.org>.


Message #10 received at 347298@bugs.debian.org:

From: Ernst Oudhof <ernst@mailfrom.nl>
To: 347298@bugs.debian.org
Subject: Security concern in notify script CVE-2005-3539
Date: Tue, 10 Jan 2006 00:46:47 +0100
tags +patch

Hi again,

After some research I've made a patch for the issue based
on the notify vulnerability patch on
http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=719

regards,

Ernst Oudhof
[notify-issue.patch (text/plain, inline)]
--- util/notify.sh.in.orig	2004-12-30 19:38:03.000000000 +0100
+++ util/notify.sh.in	2006-01-10 00:28:38.332762319 +0100
@@ -172,8 +172,18 @@
     eval `($AWK -F: ' 
     function p(varname,val)
     {
+        # In shell scripts, there are no special characters in hard-quoted
+        # strings (quoted with (')). Single-quotes can't even be escaped
+        # inside such strings and must be put outside of them. We thus replace
+        # (') with ('\'') which terminates the current string, adds a single
+        # quote and starts a new string.
+        gsub(/\\047/, "\047\\\\\047\047", val);
+        # New lines in eval could cause problems so we escape them. As with
+        # single quotes above, we must first close the current string, add
+        # the escaped new line (double quoted) and start a new string.
+        gsub(/\n/, "\047\042\\\\n\042\047", val);
         # print out variable name and value so we can eval it in the shell
-        printf "%s=\"%s\"\n",varname,val
+        printf "%s=\\047%s\\047\n",varname,val
     }
     BEGIN {
         nfiles = 0;
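Review bot: In the added `gsub(/\\047/, "\047\\\\\047\047", val);` line the single quote is written as `\\047` in the pattern but as `\047` in the replacement. Both reach awk as `\047` only because the program sits inside the backquoted `eval` shown in the first context line, where the shell turns `\\` into `\` and leaves `\0` alone, so the line works but is hard to audit. Use one escaping depth throughout (the new `printf` uses `\\047`) and say in the comment that the backquotes strip one level. Separately, `printf "%s=\\047%s\\047\n",varname,val` still emits `varname` unquoted, so p() is safe only while every caller passes a fixed literal name, as the `p("jobtype", $2)` and `p("faxstatus", status)` calls visible in this patch do; a one-line comment on p() stating that requirement would help.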
@@ -201,15 +211,9 @@
     /^jobtype/    { p("jobtype", $2); }
     # status needs to be used in the shell as faxstatus since status is reserved word
     /^status/    { status = $0; sub("status:", "", status);
-              if (status ~ /\\\\$/) {
-                  sub(/\\\\$/, "\\\\n", status);
-                  while (getline > 0) {
+              	while ($0 ~ /\\\\$/ && getline > 0) {
+                  sub(/\\\\$/, "\\n", status);
                   status = status $0;
-                  gsub("*","",status);
-                  sub(/\\\\$/, "\\\\n", status);
-                  if ($0 !~ /\\\\$/)
-                      break;
-                  }
               } p("faxstatus", status);
             }
     /^resolution/    { p("resolution", $2); }
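Review bot: The new `sub(/\\\\$/, "\\n", status);` inside the `while` loop replaces the trailing backslash with a real newline, where the removed code used `"\\\\n"` (a literal backslash followed by n), so this hunk is only safe to eval together with the newline escaping added to p() in the first hunk. Add a comment here saying so, so the two are not separated by a later edit. If `getline` fails while the current line still ends in a backslash, `status` keeps that trailing backslash, which is harmless inside the single quotes p() now emits but is a second dependency on the first hunk. The removed `gsub("*","",status);` is dropped without explanation; state in the patch description whether asterisks in the status text are now meant to pass through. The added `while` line is also indented with a mix of spaces and a tab.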

Reply sent to Giuseppe Sacco <eppesuig@debian.org>:
You have taken responsibility.


Notification sent to Ernst Oudhof <ernst@mailfrom.nl>:
Bug acknowledged by developer.


Message #15 received at 347298-done@bugs.debian.org:

From: Giuseppe Sacco <eppesuig@debian.org>
To: 347298-submitter@bugs.debian.org, 347298-done@bugs.debian.org
Subject: Re: Bug#347298: Security concern in notify script CVE-2005-3539
Date: Tue, 10 Jan 2006 19:31:28 +0100
Package: hylafax-server
Version: 1:4.2.1-5sarge3

Hi Ernst,
thanks for your report and your patch. A new hylafax version was already 
prepared with the Debian Security Team. This new package version was 
released yesterday.

I am closing this bug report since the problem has already been fixed.

Bye,
Giuseppe



Message sent on to Ernst Oudhof <ernst@mailfrom.nl>:
Bug#347298.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 21:47:15 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:13:04 2019; Machine Name: beach
