Hylafax Mailing List Archives


Security fix for /tmp race condition



Hello,


Our security auditing team has found a vulnerability in the HylaFAX
package version 4.0pl2.

Vulnerability:
	The scripts recvstats, faxcron, probemodem, faxsetup and
	faxaddmodem contain /tmp race conditions, which allow any
	local user on the system to overwrite any file the user executing
	these scripts is allowed to.
	This results in a denial of service attack, or - depending on the
	system configuration and data involved - access to the account
	executing these scripts.

Fix:
	Please consider the following patches and make changes as appropriate.

For any further information, please contact choeger@suse.de


A fixed, precompiled package can be found at
  ftp://ftp.suse.de/pub/suse_update/suse53/n1/hylafax.rpm

-- 
mfG,
	Carsten Hoeger
------
Carsten Hoeger  - S.u.S.E. GmbH -  Gebhardtstr. 2  -  90762 Fuerth  -  Germany
fax +49-911-3206727                                     web http://www.suse.de
------

Attachment Converted: "C:\PROGRAM FILES\EUDORA\Attach\hylafax.patch"
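
The class of bug the advisory describes, as an added example that is not part of the original message or of the attached patch: one common form of a /tmp race in a shell script is writing to a predictable name in a shared directory, shown here beside a hardened form using `mktemp`. The function names, the file name `script.tmp` and the scratch directory standing in for /tmp are assumptions made for illustration; they are not taken from the HylaFAX scripts.

```shell
#!/bin/sh
# Added example: vulnerable vs. hardened temp-file handling in a shell script.
# All names here are hypothetical; this is not code from the HylaFAX scripts.

# Vulnerable pattern: a predictable name in a shared directory. The ">"
# redirection follows a symlink that already exists at that path.
write_predictable() {   # $1 = shared dir, $2 = data
    tmp="$1/script.tmp"
    echo "$2" > "$tmp"
}

# Hardened pattern: mktemp picks an unpredictable name and creates the file
# exclusively with mode 0600, so it never reuses an existing path.
write_private() {       # $1 = shared dir, $2 = data; prints the file created
    tmp=$(mktemp "$1/script.XXXXXX") || return 1
    echo "$2" > "$tmp"
    echo "$tmp"
}

# Constructed scenario: a scratch directory stands in for /tmp, and a symlink
# already sits at the predictable name, pointing at a file that belongs to the
# user running the script. Prints "overwritten" or "intact" for the writer.
check_writer() {        # $1 = write_predictable | write_private
    scratch=$(mktemp -d) || return 1
    echo "important" > "$scratch/target"
    mkdir "$scratch/shared"
    ln -s "$scratch/target" "$scratch/shared/script.tmp"
    "$1" "$scratch/shared" "scratch data" > /dev/null
    if [ "$(cat "$scratch/target")" = "important" ]; then
        echo intact
    else
        echo overwritten
    fi
    rm -rf "$scratch"
}

check_writer write_predictable
check_writer write_private
```

The same check can serve as a regression test for any script that writes under /tmp: the target file must still read `important` after the script has run.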


