MDKSA-2006:015 - Updated hylafax packages fix eval injection vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2006:015
http://www.mandriva.com/security/
_______________________________________________________________________
Package : hylafax
Date : January 16, 2006
Affected: 10.1, 10.2, 2006.0
_______________________________________________________________________
Problem Description:
Patrice Fournier discovered the faxrcvd/notify scripts
(executed as the uucp/fax user) run user-supplied input through
eval without any attempt at sanitising it first. This would
allow any user who could submit jobs to HylaFAX, or through
telco manipulation control the representation of callid
information presented to HylaFAX to run arbitrary commands as
the uucp/fax user. (CVE-2005-3539, only 'notify' in the covered
versions)
Updated packages were also reviewed for vulnerability to
an issue where if PAM is disabled, a user could log in with no
password. (CVE-2005-3538)
In addition, some fixes to the packages for permissions, and
the %pre/%post scripts were backported from cooker. (#19679)
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3538
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3539
http://qa.mandriva.com/show_bug.cgi?id=19679
_______________________________________________________________________
Updated Packages:
Mandriva Linux 10.1:
2288eb6fa13db28cec0a2936e6da201b 10.1/RPMS/hylafax-4.2.0-1.4.101mdk.i586.rpm
ae01aff5e685211d56d782c7107aa643
10.1/RPMS/hylafax-client-4.2.0-1.4.101mdk.i586.rpm
2d160b49e8e9e41beb3a8bd98995a4e7
10.1/RPMS/hylafax-server-4.2.0-1.4.101mdk.i586.rpm
0210a8f6269b741c88f1a08e1fd3bf67
10.1/RPMS/libhylafax4.2.0-4.2.0-1.4.101mdk.i586.rpm
21aad742a2af1af8bef9ec598dcc9808
10.1/RPMS/libhylafax4.2.0-devel-4.2.0-1.4.101mdk.i586.rpm
0db2c22f9b1714b2bc67767be3af086b 10.1/SRPMS/hylafax-4.2.0-1.4.101mdk.src.rpm
Mandriva Linux 10.1/X86_64:
204fddbe437c72f04bbc10d9520b29bf
x86_64/10.1/RPMS/hylafax-4.2.0-1.4.101mdk.x86_64.rpm
0c0b7f49dc6ba818255066d880b1eeda
x86_64/10.1/RPMS/hylafax-client-4.2.0-1.4.101mdk.x86_64.rpm
514b0ae30861e05453665b10c96e0471
x86_64/10.1/RPMS/hylafax-server-4.2.0-1.4.101mdk.x86_64.rpm
0a91eadc96ace924c000932bf7b73f00
x86_64/10.1/RPMS/lib64hylafax4.2.0-4.2.0-1.4.101mdk.x86_64.rpm
1eea0a264c43552015c86490e562f3c3
x86_64/10.1/RPMS/lib64hylafax4.2.0-devel-4.2.0-1.4.101mdk.x86_64.rpm
0db2c22f9b1714b2bc67767be3af086b
x86_64/10.1/SRPMS/hylafax-4.2.0-1.4.101mdk.src.rpm
Mandriva Linux 10.2:
695fe8a1cf2e5833db4ffb268b655d6c 10.2/RPMS/hylafax-4.2.0-3.2.102mdk.i586.rpm
c9225a4743adb84c29980e08c21012af
10.2/RPMS/hylafax-client-4.2.0-3.2.102mdk.i586.rpm
aae88d44d8bf87dff930cd55fef41859
10.2/RPMS/hylafax-server-4.2.0-3.2.102mdk.i586.rpm
ab985d622d8163af3f8c14741bb12605
10.2/RPMS/libhylafax4.2.0-4.2.0-3.2.102mdk.i586.rpm
351cdb560784d10d328485feef281291
10.2/RPMS/libhylafax4.2.0-devel-4.2.0-3.2.102mdk.i586.rpm
8afc40fca6dffd46b6f7655248210c78 10.2/SRPMS/hylafax-4.2.0-3.2.102mdk.src.rpm
Mandriva Linux 10.2/X86_64:
98d01067467b97abd72184241bfb9f79
x86_64/10.2/RPMS/hylafax-4.2.0-3.2.102mdk.x86_64.rpm
8f21f4566fb19a5cb4b01829ad80c7cc
x86_64/10.2/RPMS/hylafax-client-4.2.0-3.2.102mdk.x86_64.rpm
15af886a1b4b2720415dc7c5193bef31
x86_64/10.2/RPMS/hylafax-server-4.2.0-3.2.102mdk.x86_64.rpm
8f2eebb841672550e7fc312eaf994f6e
x86_64/10.2/RPMS/lib64hylafax4.2.0-4.2.0-3.2.102mdk.x86_64.rpm
950422660ba456ace9450a99ead9f09e
x86_64/10.2/RPMS/lib64hylafax4.2.0-devel-4.2.0-3.2.102mdk.x86_64.rpm
8afc40fca6dffd46b6f7655248210c78
x86_64/10.2/SRPMS/hylafax-4.2.0-3.2.102mdk.src.rpm
Mandriva Linux 2006.0:
f59e6af800bd40730fc55268dd30a50f
2006.0/RPMS/hylafax-4.2.1-2.2.20060mdk.i586.rpm
cf0592e938676ea718034a3a34ba6d5e
2006.0/RPMS/hylafax-client-4.2.1-2.2.20060mdk.i586.rpm
f0f64fc2f28bbba0cf80a1f3e2be55e0
2006.0/RPMS/hylafax-server-4.2.1-2.2.20060mdk.i586.rpm
278d2008b94d186cc56c067685ad617b
2006.0/RPMS/libhylafax4.2.0-4.2.1-2.2.20060mdk.i586.rpm
47f570e1550aa2a286c0417d6a8673a6
2006.0/RPMS/libhylafax4.2.0-devel-4.2.1-2.2.20060mdk.i586.rpm
7fa7882271a6486bb797a21ac3621d3c
2006.0/SRPMS/hylafax-4.2.1-2.2.20060mdk.src.rpm
Mandriva Linux 2006.0/X86_64:
35a706154fb7111baa93011a32077284
x86_64/2006.0/RPMS/hylafax-4.2.1-2.2.20060mdk.x86_64.rpm
73cb090effdccf7cb1a6cbe04f121da4
x86_64/2006.0/RPMS/hylafax-client-4.2.1-2.2.20060mdk.x86_64.rpm
552d1a2f6b1ade68f2694dd4880bc000
x86_64/2006.0/RPMS/hylafax-server-4.2.1-2.2.20060mdk.x86_64.rpm
e4a63e6b0898a58d6125062ae913fe31
x86_64/2006.0/RPMS/lib64hylafax4.2.0-4.2.1-2.2.20060mdk.x86_64.rpm
6f2d818013c1f3be6aeacd5d7ca9cce2
x86_64/2006.0/RPMS/lib64hylafax4.2.0-devel-4.2.1-2.2.20060mdk.x86_64.rpm
7fa7882271a6486bb797a21ac3621d3c
x86_64/2006.0/SRPMS/hylafax-4.2.1-2.2.20060mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFDzAdFmqjQ0CJFipgRAjaCAJ9+YadU465+YmVz9cUfxAGJ1oqYVwCgt/q8
MwhJKlk2ExogvsgfpBxFCy8=
=7hXf
-----END PGP SIGNATURE-----