MDKSA-2005:177 - Updated hylafax packages fix temporary file vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Update Advisory
_______________________________________________________________________
Package name: hylafax
Advisory ID: MDKSA-2005:177
Date: October 7th, 2005
Affected versions: 10.1, 10.2, 2006.0, Corporate 3.0,
Corporate Server 2.1
______________________________________________________________________
Problem Description:
faxcron, recvstats, and xferfaxstats in HylaFax 4.2.1 and earlier
allow local users to overwrite arbitrary files via a symlink attack
on temporary files. (CAN-2005-3069)
In addition, HylaFax has some provisional support for Unix domain
sockets, which is disabled in the default compile configuration. It is
suspected that a local user could create a fake /tmp/hyla.unix socket
and intercept fax traffic via this socket. In testing for this
vulnerability, with CONFIG_UNIXTRANSPORT disabled, it has been found
that client programs correctly exit before sending any data.
(CAN-2005-3070)
The updated packages have been patched to correct these issues.
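The temporary-file problem in CAN-2005-3069, shown as an added example that is not HylaFax or Mandriva code: a script that writes to a predictable name in a shared directory follows a symlink already placed there, while one that works inside a mktemp -d directory does not. The file name stats.$$ and the sandbox layout are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added illustration, not HylaFax code. All paths live in a throwaway sandbox.

# Unsafe: predictable name in a shared directory, opened with plain '>'.
# If that name already exists as a symlink, '>' follows it.
unsafe_tmp_write() {            # $1 = shared dir, $2 = data
    tmp="$1/stats.$$"           # hypothetical name; $$ (the PID) is guessable
    echo "$2" > "$tmp"
}

# Hardened: mktemp -d creates a new mode-0700 directory with a random
# name and fails if the name exists, so nothing can be planted inside it.
safe_tmp_write() {              # $1 = shared dir, $2 = data
    work=$(mktemp -d "$1/stats.XXXXXX") || return 1
    echo "$2" > "$work/data"
    rm -rf "$work"
}

# Build a sandbox containing a symlink at the predictable name, run one
# writer, and report whether the file behind the symlink survived.
run_case() {                    # $1 = unsafe | safe
    box=$(mktemp -d) || return 1
    echo "original" > "$box/victim"
    ln -s "$box/victim" "$box/stats.$$"   # constructed stand-in for the planted link
    case "$1" in
        unsafe) unsafe_tmp_write "$box" "fax statistics" ;;
        safe)   safe_tmp_write   "$box" "fax statistics" ;;
    esac
    if [ "$(cat "$box/victim")" = "original" ]; then
        echo intact
    else
        echo overwritten
    fi
    rm -rf "$box"
}

run_case unsafe
run_case safe
```

When the script runs as root from cron, the file behind the link can be any file on the system, which is why the advisory describes the impact as overwriting arbitrary files.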
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3069
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3070
______________________________________________________________________
Updated Packages:
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFDRvLhmqjQ0CJFipgRAlULAKCPLF3KhIe4r7m5A5xDmQNy7XovmACgxv5h
HW+zpFscZoq4KyAycexh98k=
=XtSc
-----END PGP SIGNATURE-----