Vulnerability

    HylaFAX

Affected

    HylaFAX server v4.1 beta2

Description

    Marcin Dawcewicz found following.   He has found classical  format
    bug while hge was playing with HylaFAX server (v4.1 beta2):

        $ [ -u /usr/sbin/hfaxd ] && /usr/sbin/hfaxd -q '%n%n'
        Segmentation fault

    It crashes while calling syslog()  with user supplied fmt.   Looks
    nasty.

    No working exploit,

Solution

    A patch to address the problem may be found at:

        http://www.hylafax.org/patches/hfaxd-vulnerability.patch

    This patch fixes the problem,  and also removes the suid  bit from
    the hfaxd  binary.   Anyone experiencing  problems as  a result of
    this change please contact bugs@hylafax.org.

    They intend to release a  beta-4 very soon which will  include the
    above fix.   In the  meantime, if  you are  unable to  upgrade  or
    rebuild  HylaFAX  from  patched  source,  they  recommend that you
    remove the suid root bit from the hfaxd executable:

        chmod a-s /usr/sbin/hfaxd (or whatever your path is)