| Summary: | hylafax+ new security issues CVE-2020-15396 and CVE-2020-15397 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | geiger.david68210, herman.viaene, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | hylafax+-7.0.2-3.mga8.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser 2020-08-21 21:20:27 CEST

David Walser 2020-08-21 21:20:44 CEST
Whiteboard: (none) => MGA7TOO
Assignee: bugsquad => geiger.david68210

Assigning to you, DavidG, as having done most recent updates to this (no registered maintainer).

Fedora has issued an advisory for this on August 13: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J52QFVREJWJ35YSEEDDRMZQ2LM2H2WE6/
David Walser 2020-08-26 12:47:23 CEST
Whiteboard: MGA7TOO => (none)

Advisory:
========================

Updated hylafax+ packages fix security vulnerabilities:

In HylaFAX+ through 7.0.2, the faxsetup utility calls chown on files in user-owned directories. By winning a race, a local attacker could use this to escalate his privileges to root (CVE-2020-15396).

HylaFAX+ through 7.0.2 has scripts that execute binaries from directories writable by unprivileged users (e.g., locations under /var/spool/hylafax that are writable by the uucp account). This allows these users to execute code in the context of the user calling these binaries (often root) (CVE-2020-15397).

The hylafax+ package has been updated to version 7.0.3, fixing these issues and several other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15396
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15397
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J52QFVREJWJ35YSEEDDRMZQ2LM2H2WE6/
https://hylafax.sourceforge.io/news/7.0.3.php
========================

Updated packages in core/updates_testing:
========================
hylafax+-7.0.3-1.mga7
hylafax+-client-7.0.3-1.mga7
libhylafax+7-7.0.3-1.mga7
libhylafax+-devel-7.0.3-1.mga7

from hylafax+-7.0.3-1.mga7.src.rpm

CC: (none) => geiger.david68210

MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug26233 for testing.

```
# /usr/sbin/faxsetup -server
Setup program for HylaFAX (tm) 7.0.3.
Created for x86_64-mageia-linux-gnu on Fri Jul 31 22:38:20 UTC 2020.
Found encoder: /bin/base64
Checking system for proper server configuration.
```

and a lot more, skipping adding a modem to the configuration, since I don't have such device....
Then

```
# systemctl -l status hylafax-hfaxd.service
● hylafax-hfaxd.service - HylaFAX hfaxd (client service)
   Loaded: loaded (/usr/lib/systemd/system/hylafax-hfaxd.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-08-31 09:58:38 CEST; 53s ago
 Main PID: 27327 (hfaxd)
    Tasks: 1 (limit: 4915)
   Memory: 812.0K
   CGroup: /system.slice/hylafax-hfaxd.service
           └─27327 /usr/sbin/hfaxd -d -i hylafax

Aug 31 09:58:38 mach5.hviaene.thuis systemd[1]: Started HylaFAX hfaxd (client service).
Aug 31 09:58:38 mach5.hviaene.thuis HylaFAX[27327]: Listening to 0.0.0.0:4559
Aug 31 09:58:38 mach5.hviaene.thuis HylaFAX[27327]: HylaFAX INET Protocol Server: restarted.
```

And as normal user:

```
$ faxstat
HylaFAX scheduler on mach5.hviaene.thuis: Running
```

OK'ing on the fact that the service runs and responds to the client.

CC: (none) => herman.viaene

Validating, advisory and packages in Comment 4.

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0356.html

Resolution: (none) => FIXED