[20221] in bugtraq

**SECURITY ADVISORY** - HylaFAX format string vulnerability

daemon@ATHENA.MIT.EDU (Darren Nickerson)
Mon Apr 16 04:37:54 2001

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <20010415062349.E4A055FFBA@hewes.dazza.org>
Date:         Sun, 15 Apr 2001 02:23:43 -0400
Reply-To: darren@DAZZA.ORG
From: Darren Nickerson <darren@DAZZA.ORG>
X-To:         hylafax-announce@hylafax.org
To: BUGTRAQ@SECURITYFOCUS.COM

Folks,

A format bug has been discovered in hfaxd. Details of the report may be found
at:

	http://www.securityfocus.com/archive/1/175963

A patch to address the problem may be found at:

	http://www.hylafax.org/patches/hfaxd-vulnerability.patch

This patch fixes the problem, and also removes the suid bit from the hfaxd
binary. Anyone experiencing problems as a result of this change please contact
bugs@hylafax.org.

We intend to release a beta-4 very soon which will include the above fix. In
the meantime, if you are unable to upgrade or rebuild HylaFAX from patched
source, we recommend that you remove the suid root bit from the hfaxd
executable:

	chmod a-s /usr/sbin/hfaxd (or whatever your path is)

-Darren
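
A check for the workaround above, added here as an example and not part of the original advisory: it reports whether an hfaxd binary still carries a set-id bit and, in fix mode, applies the advisory's `chmod a-s` and re-tests the file. The function names and every candidate path other than /usr/sbin/hfaxd are assumptions.

```shell
#!/bin/sh
# Added example: audit hfaxd binaries for set-id bits and optionally strip them.
# Candidate paths are assumptions; the advisory only names /usr/sbin/hfaxd.
HFAXD_CANDIDATES="/usr/sbin/hfaxd /usr/local/sbin/hfaxd /usr/libexec/hfaxd"

# has_setid FILE: succeed if FILE carries the setuid or setgid bit.
has_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# audit_hfaxd MODE [FILE...]
#   MODE "report": list set-id binaries, change nothing.
#   MODE "fix":    run the advisory's `chmod a-s` on each, then re-check.
# Returns 0 when no listed file still has a set-id bit, 1 otherwise.
audit_hfaxd() {
    mode=$1; shift
    [ "$#" -gt 0 ] || set -- $HFAXD_CANDIDATES
    remaining=0
    for f in "$@"; do
        [ -f "$f" ] || continue            # skip paths not present on this host
        if has_setid "$f"; then
            echo "set-id bit present: $f"
            if [ "$mode" = "fix" ]; then
                chmod a-s "$f" || echo "chmod failed: $f" >&2
            fi
            # Re-test the file rather than trusting chmod's exit status.
            if has_setid "$f"; then
                remaining=1
            else
                echo "set-id bits cleared: $f"
            fi
        else
            echo "ok: $f"
        fi
    done
    return "$remaining"
}

# Usage: audit_hfaxd report                 (default candidate paths)
#        audit_hfaxd fix /path/to/hfaxd     (explicit path, as root)
```

Run it in report mode first; a non-zero return means at least one listed binary still has a set-id bit.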
