Bug 23661 - hylafax+ new security issue CVE-2018-17141
Summary: hylafax+ new security issue CVE-2018-17141
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-10-09 23:51 CEST by David Walser
Modified: 2018-11-17 23:24 CET (History)
8 users (show)

See Also:
Source RPM: hylafax+-5.5.8-4.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-10-09 23:51:18 CEST
A security issue fixed upstream in Hylafax+ has been announced:
https://www.openwall.com/lists/oss-security/2018/09/20/1

The issue was fixed upstream in 5.6.1.

Debian has issued an advisory for this on September 20:
https://www.debian.org/security/2018/dsa-4298
David Walser 2018-10-09 23:51:35 CEST

CC: (none) => geiger.david68210

Comment 1 David GEIGER 2018-10-10 02:20:16 CEST
Done for mga6!
Comment 2 Marja Van Waes 2018-10-10 06:16:49 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Also CC'ing some committers.

CC: (none) => cjw, marja11, smelror
Assignee: bugsquad => pkg-bugs

Comment 3 Marja Van Waes 2018-10-10 06:50:03 CEST
(In reply to David GEIGER from comment #1)
> Done for mga6!

Thanks, David, and sorry for having missed that (It's still early)

Assigning to you then, because there's no adivisory etc. yet.

Assignee: pkg-bugs => geiger.david68210

Comment 4 David Walser 2018-10-10 16:28:10 CEST
Advisory:
========================

Updated hylafax+ packages fixes security vulnerability:

Luis Merino, Markus Vervier and Eric Sesterhenn discovered that missing input
sanitising in the Hylafax fax software could potentially result in the
execution of arbitrary code via a malformed fax message (CVE-2018-17141).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17141
https://www.debian.org/security/2018/dsa-4298
========================

Updated packages in core/updates_testing:
========================
hylafax+-5.6.1-1.mga6
hylafax+-client-5.6.1-1.mga6
libhylafax+5-5.6.1-1.mga6
libhylafax+-devel-5.6.1-1.mga6

from hylafax+-5.6.1-1.mga6.src.rpm

Assignee: geiger.david68210 => qa-bugs

Comment 5 Herman Viaene 2018-10-23 11:40:01 CEST
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
No fax available here, trying hylafax service
# systemctl start hylafax-faxq
# systemctl -l status hylafax-faxq
● hylafax-faxq.service - HylaFAX faxq (job scheduler service)
   Loaded: loaded (/usr/lib/systemd/system/hylafax-faxq.service; enabled; vendor preset: enabled
   Active: inactive (dead)
Condition: start condition failed at di 2018-10-23 11:30:07 CEST; 4s ago
           ConditionPathExists=/var/spool/hylafax/etc/setup.cache was not met

which is fair enough as faxsetup.linux has not been run
Printing is not affected , so I will not object OK if anyone else can test the fax functionality.

CC: (none) => herman.viaene

Comment 6 Thomas Andrews 2018-11-15 23:41:21 CET
Using the new QA Repo tool with this update would have been easier if there had been a separate list for each arch in Comment 4. 

I installed the original hylafax packages, and then updated using Mageia Update. Packages installed cleanly. Since no one seems to have the hardware needed to test this, OKing and validating on the basis of clean installation. Suggested advisory in Comment 4.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 7 Lewis Smith 2018-11-17 21:04:38 CET
Advisoried from comment 4.

CC: (none) => lewyssmith
Keywords: (none) => advisory

Comment 8 Mageia Robot 2018-11-17 23:24:31 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0456.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.