Date:      Mon, 12 Aug 2002 14:35:44 -0400
From:      Mike Tancsa <mike@sentex.net>
To:        ports@FreeBSD.org
Cc:        security@FreeBSD.org
Subject:   hylaxfax security issue (from the ports)
Message-ID:  <5.1.1.6.0.20020812142654.0525a938@marble.sentex.ca>

Looks like the current version of HylaFax in the ports once again has 
security issues (remote and local).

From the web page http://www.hylafax.org/4.1.3.html

4.1.3 includes fixes for a remote format string vulnerability which could 
be abused in a denial of service attack. Also fixed is a buffer overflow 
condition when receiving fax image data which potentially could be 
exploited to execute arbitrary code as root. Also present in 4.1.3 are 
fixes for several other local remote format string vulnerabilities which, 
in some installations, could lead to elevated privileges by abuse. Everyone 
is advised to upgrade.

------------------------------
I am not a heavy user of HylaFax (only outbound), but removing the two 
patch files and making the following changes lets it build with the new 
source code.  The md5 is also on the webpage.


% diff -u Makefile.old Makefile
--- Makefile.old        Mon Aug 12 14:25:33 2002
+++ Makefile    Mon Aug 12 14:25:47 2002
@@ -6,7 +6,7 @@
  #

  PORTNAME=      hylafax
-PORTVERSION=   4.1
+PORTVERSION=   4.1.3
  PORTREVISION=  1
  CATEGORIES=    comms
  MASTER_SITES=  ftp://ftp.hylafax.org/source/
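Review bot: PORTREVISION= 1 is left in place directly below the bumped PORTVERSION line. PORTREVISION counts port-level changes made against one upstream version, so it should be reset (the line dropped) when PORTVERSION moves from 4.1 to 4.1.3; as written the package would be versioned 4.1.3_1 with no port revision behind it. The mail also says two patch files were removed to get the build working, but neither diff shows which ones; naming them in the submission would let a committer confirm that dropping them is correct.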
% diff -u distinfo.old distinfo
--- distinfo.old        Mon Aug 12 14:26:37 2002
+++ distinfo    Mon Aug 12 14:27:25 2002
@@ -1,4 +1,4 @@
-MD5 (hylafax/hylafax-4.1.3.tar.gz) = d8a60dcddb4bcfd67c494aee89d036e7
+MD5 (hylafax/hylafax-4.1.3.tar.gz) = b3e95810a7fc99685f92faa8ff59114e
  MD5 (hylafax/tiff-3.5-interfaces.patch) = c1d2847c9967a10961bb7fe123ecd8e6
  MD5 (hylafax/cvtDateTime.patch) = 57b2d1218e83504c85cf31c1e3746e4e
  MD5 (hylafax/rings-cid-passing.patch) = ade1d9adc9dd236e45176b7a0e3b5d78
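Review bot: the removed MD5 line already names hylafax/hylafax-4.1.3.tar.gz, the same file as the added line, but with a different digest. That means distinfo.old does not look like the distinfo that went with PORTVERSION 4.1, and the diff records two checksums for one tarball name. Please state where each value came from, and confirm that the new one matches the MD5 published on the hylafax.org page rather than only the copy fetched from MASTER_SITES. The three patch entries are kept as unchanged context; if either of the two removed patch files is one of these, its line should be removed as well.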
%

	---Mike	
--------------------------------------------------------------------
Mike Tancsa,                          	          tel +1 519 651 3400
Sentex Communications,     			  mike@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada			  www.sentex.net/mike

