6365955 2001-04-15 02:23 -0400 /29 rader/ Darren Nickerson <darren@DAZZA.ORG> Sänt av: joel@lysator.liu.se Importerad: 2001-04-16 10:41 av Brevbäraren Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM Externa svar till: darren@DAZZA.ORG Mottagare: Bugtraq (import) <16544> Ärende: **SECURITY ADVISORY** - HylaFAX format string vulnerability ------------------------------------------------------------ From: Darren Nickerson <darren@DAZZA.ORG> To: BUGTRAQ@SECURITYFOCUS.COM Message-ID: <20010415062349.E4A055FFBA@hewes.dazza.org> Folks, A format bug has been discovered in hfaxd. Details of the report may be found at: http://www.securityfocus.com/archive/1/175963 A patch to address the problem may be found at: http://www.hylafax.org/patches/hfaxd-vulnerability.patch This patch fixes the problem, and also removes the suid bit from the hfaxd binary. Anyone experiencing problems as a result of this change please contact bugs@hylafax.org. We intend to release a beta-4 very soon which will include the above fix. In the meantime, if you are unable to upgrade or rebuild HylaFAX from patched source, we recommend that you remove the suid root bit from the hfaxd executable: chmod a-s /usr/sbin/hfaxd (or whatever your path is) -Darren (6365955) /Darren Nickerson <darren@DAZZA.ORG>/(Ombruten)