openSUSE has issued an advisory on August 15:
https://lists.opensuse.org/opensuse-security-announce/2020-08/msg00039.html

The issues are fixed upstream in 7.0.3. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 7.0.3
Assigning to you, DavidG, as having done most recent updates to this (no registered maintainer).
Assignee: bugsquad => geiger.david68210
Fedora has issued an advisory for this on August 13:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J52QFVREJWJ35YSEEDDRMZQ2LM2H2WE6/
Done for mga7!
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Advisory:
========================

Updated hylafax+ packages fix security vulnerabilities:

In HylaFAX+ through 7.0.2, the faxsetup utility calls chown on files in user-owned directories. By winning a race, a local attacker could use this to escalate his privileges to root (CVE-2020-15396).

HylaFAX+ through 7.0.2 has scripts that execute binaries from directories writable by unprivileged users (e.g., locations under /var/spool/hylafax that are writable by the uucp account). This allows these users to execute code in the context of the user calling these binaries (often root) (CVE-2020-15397).

The hylafax+ package has been updated to version 7.0.3, fixing these issues and several other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15396
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15397
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J52QFVREJWJ35YSEEDDRMZQ2LM2H2WE6/
https://hylafax.sourceforge.io/news/7.0.3.php
========================

Updated packages in core/updates_testing:
========================

hylafax+-7.0.3-1.mga7
hylafax+-client-7.0.3-1.mga7
libhylafax+7-7.0.3-1.mga7
libhylafax+-devel-7.0.3-1.mga7

from hylafax+-7.0.3-1.mga7.src.rpm
CC: (none) => geiger.david68210
Status comment: Fixed upstream in 7.0.3 => (none)
Assignee: geiger.david68210 => qa-bugs
Severity: normal => critical
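Two defensive checks for the bug classes the advisory describes, as an added example (Python, not HylaFAX+ code): an audit that lists executables sitting in directories an untrusted account can write to (the CVE-2020-15397 pattern), and a chown that verifies the opened inode and changes ownership on the descriptor rather than by path (the fix class for CVE-2020-15396). The directory layout, file names and symlink target in demo() are constructed for the demonstration.

```python
import os
import stat
import tempfile

def audit_exec_in_writable_dirs(root, trusted_uids=(0,)):
    """Executables in directories an untrusted account can write to
    (CVE-2020-15397 pattern: binaries run out of a uucp-writable spool dir)."""
    hits = []
    for dirpath, _subdirs, files in os.walk(root):
        d = os.lstat(dirpath)
        if d.st_uid in trusted_uids and not d.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            continue  # trusted owner and not group/world-writable: fine
        for name in files:
            p = os.path.join(dirpath, name)
            f = os.lstat(p)
            if stat.S_ISREG(f.st_mode) and f.st_mode & stat.S_IXUSR:
                hits.append(p)
    return sorted(hits)

def chown_checked(path, uid, gid, expected_uid):
    """Race-resistant chown (the fix class for CVE-2020-15396): open without
    following symlinks, check the opened inode, then fchown that descriptor."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY)
    except OSError:  # ELOOP: a symlink sits where the file should be; refuse
        return False
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != expected_uid:
            return False  # not a plain file owned by the expected user
        os.fchown(fd, uid, gid)  # same inode we just checked, no re-lookup
        return True
    finally:
        os.close(fd)

def demo():
    """Constructed tree: a tidy dir, a world-writable dir and a planted symlink.
    Returns (audit hits, chown_checked on a real file, chown_checked on the link)."""
    root, me = tempfile.mkdtemp(), os.getuid()
    tidy, loose = os.path.join(root, "bin"), os.path.join(root, "spool")
    for d, mode in ((tidy, 0o755), (loose, 0o777)):
        os.mkdir(d)
        os.chmod(d, mode)  # explicit chmod: mkdir's mode is masked by umask
        helper = os.path.join(d, "helper")
        open(helper, "w").close()
        os.chmod(helper, 0o755)
    link = os.path.join(root, "victim")
    os.symlink("/etc/passwd", link)  # constructed: a symlink standing in for a swapped file
    hits = audit_exec_in_writable_dirs(root, trusted_uids=(0, me))
    return hits, chown_checked(helper, -1, -1, me), chown_checked(link, -1, -1, me)
```

Running demo() flags only spool/helper, accepts the chown on the regular file and refuses it on the symlink.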
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug26233 for testing.

# /usr/sbin/faxsetup -server
Setup program for HylaFAX (tm) 7.0.3.
Created for x86_64-mageia-linux-gnu on Fri Jul 31 22:38:20 UTC 2020.
Found encoder: /bin/base64
Checking system for proper server configuration.

and a lot more, skipping adding a modem to the configuration, since I don't have such a device...

Then
# systemctl -l status hylafax-hfaxd.service
● hylafax-hfaxd.service - HylaFAX hfaxd (client service)
   Loaded: loaded (/usr/lib/systemd/system/hylafax-hfaxd.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-08-31 09:58:38 CEST; 53s ago
 Main PID: 27327 (hfaxd)
    Tasks: 1 (limit: 4915)
   Memory: 812.0K
   CGroup: /system.slice/hylafax-hfaxd.service
           └─27327 /usr/sbin/hfaxd -d -i hylafax

Aug 31 09:58:38 mach5.hviaene.thuis systemd[1]: Started HylaFAX hfaxd (client service).
Aug 31 09:58:38 mach5.hviaene.thuis HylaFAX[27327]: Listening to 0.0.0.0:4559
Aug 31 09:58:38 mach5.hviaene.thuis HylaFAX[27327]: HylaFAX INET Protocol Server: restarted.

And as normal user:
$ faxstat
HylaFAX scheduler on mach5.hviaene.thuis: Running

OK'ing on the fact that the service runs and responds to the client.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
Validating, advisory and packages in Comment 4.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0356.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED