Bug 1014058 (CVE-2013-5680)

Summary: CVE-2013-5680 hylafax+: heap overflow in HylaFAXServer::ldapCheck triggered by long user name
Product: [Other] Security Response
Reporter: Ratul Gupta <ratulg>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: faxguy
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: hylafax+ 5.5.4
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-10-01 13:55:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1014060, 1014061
Bug Blocks:

Description Ratul Gupta 2013-10-01 10:41:12 UTC
Hylafax, an enterprise-class open-source system for sending and receiving facsimiles as well as for sending alpha-numeric pages, was found to have a heap overflow vulnerability, which could allow a remote attacker to crash the hfaxd forked client.

Quoting Dennis Jenkins's Bugtraq post:

Hylafax+ contains a daemon, hfaxd, that allows a "fax client" to communicate with the fax server to submit fax jobs etc. The code path for authenticating users via LDAP allocates a 255-byte buffer, and then "strcats" user-supplied data buffered from the inbound FTP control channel. Other code limits the amount of copied data to 506 bytes, and truncates on NULL and "\n". Thus it is possible for an unauthenticated remote attacker to overflow the heap with a limited character set.

hfaxd typically runs as the uucp user, and forks on each new connection. The heap overflow occurs in a forked child, which would typically just hang.

The vulnerability is known to be fixed in HylaFAX+ 5.5.4 or a workaround could be to disable LDAP authentication via hfaxd.conf.

References:
https://bugzilla.novell.com/show_bug.cgi?id=843440
http://www.securityfocus.com/archive/1/528943
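
The bound mismatch the Bugtraq post describes (a fixed 255-byte heap buffer receiving up to 506 bytes of user-controlled data via strcat), modelled as an added example that is not HylaFAX+ code. The 255 and 506 figures are taken from the post; the DN template ("uid=...,ou=people,dc=example,dc=com"), the USER_MAX policy limit, the function names and the constructed input are assumptions for illustration. The vulnerable shape is shown as a comment and its overflow is computed rather than performed, so the program itself stays memory-safe; the hardened path sizes the allocation from its inputs and refuses names it cannot safely embed in a DN.

```c
/* Added example, not code from HylaFAX+. Models the 255-byte buffer vs.
 * 506-byte input mismatch from the advisory and a bounded replacement. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DN_BUF_SIZE  255   /* fixed heap buffer size named in the post */
#define CMD_LINE_MAX 506   /* bytes the command reader copies before truncating (per the post) */
#define USER_MAX     64    /* assumed policy limit on a login name for the hardened path */

/* Model of the control-channel reader: copies at most CMD_LINE_MAX bytes and
 * stops at NUL or '\n'. out must hold CMD_LINE_MAX + 1 bytes. Returns the
 * number of bytes delivered. */
size_t read_control_field(const char *wire, size_t wire_len, char *out)
{
    size_t n = 0;
    while (n < wire_len && n < CMD_LINE_MAX && wire[n] != '\0' && wire[n] != '\n') {
        out[n] = wire[n];
        n++;
    }
    out[n] = '\0';
    return n;
}

/* Vulnerable shape (pattern only; the write is NOT performed here):
 *     char *dn = malloc(DN_BUF_SIZE);
 *     strcpy(dn, prefix); strcat(dn, user); strcat(dn, suffix);
 * Returns how many bytes that sequence would write past the allocation;
 * 0 means the result fits. */
size_t vulnerable_dn_overflow_bytes(const char *prefix, const char *user, const char *suffix)
{
    size_t need = strlen(prefix) + strlen(user) + strlen(suffix) + 1; /* +1 for NUL */
    return need > DN_BUF_SIZE ? need - DN_BUF_SIZE : 0;
}

/* Hardened shape: validate the name first, then size the allocation from the
 * inputs and write with snprintf. Returns NULL on rejection or allocation
 * failure; the caller frees the result. */
char *build_dn_safe(const char *prefix, const char *user, const char *suffix)
{
    size_t ulen = strlen(user);
    if (ulen == 0 || ulen > USER_MAX)
        return NULL;
    for (size_t i = 0; i < ulen; i++) {
        unsigned char c = (unsigned char)user[i];
        /* Conservative allow-list: DN special characters (, + " \ < > ; #)
         * and non-printables are refused rather than escaped. */
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return NULL;
    }
    size_t need = strlen(prefix) + ulen + strlen(suffix) + 1;
    char *dn = malloc(need);
    if (dn == NULL)
        return NULL;
    int w = snprintf(dn, need, "%s%s%s", prefix, user, suffix);
    if (w < 0 || (size_t)w >= need) {
        free(dn);
        return NULL;
    }
    return dn;
}

/* Pushes a constructed USER argument of name_len 'A's (followed by "\n") through
 * the reader and reports the overflow the vulnerable shape would produce. */
size_t overflow_for_name_length(size_t name_len)
{
    static const char *prefix = "uid=";
    static const char *suffix = ",ou=people,dc=example,dc=com";
    char *wire = malloc(name_len + 2);
    char field[CMD_LINE_MAX + 1];
    if (wire == NULL)
        return 0;
    memset(wire, 'A', name_len);
    wire[name_len] = '\n';
    wire[name_len + 1] = '\0';
    read_control_field(wire, name_len + 1, field);
    free(wire);
    return vulnerable_dn_overflow_bytes(prefix, field, suffix);
}

int main(void)
{
    const char *prefix = "uid=", *suffix = ",ou=people,dc=example,dc=com";
    printf("200-char name: %zu bytes past buffer\n", overflow_for_name_length(200));
    printf("400-char name: %zu bytes past buffer\n", overflow_for_name_length(400));
    printf("600-char name (reader caps at %d): %zu bytes past buffer\n",
           CMD_LINE_MAX, overflow_for_name_length(600));
    char *dn = build_dn_safe(prefix, "alice", suffix);
    printf("hardened: %s\n", dn ? dn : "rejected");
    free(dn);
    dn = build_dn_safe(prefix, "a,ou=admins", suffix);
    printf("hardened: %s\n", dn ? dn : "rejected");
    free(dn);
    return 0;
}
```

With the assumed template the vulnerable shape needs 4 + name length + 28 + 1 bytes, so a 400-character name overruns the 255-byte allocation by 178 bytes and a 600-character name, truncated to 506 by the reader, by 284; the hardened path never computes a size that differs from what it writes, and the allow-list also keeps DN metacharacters out of the filter, which is a separate concern the bounds fix alone does not address.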

Comment 1 Ratul Gupta 2013-10-01 10:44:40 UTC
Created hylafax+ tracking bugs for this issue:

Affects: fedora-all [bug 1014060]
Affects: epel-all [bug 1014061]

Comment 2 Tomas Hoger 2013-10-01 13:52:14 UTC
Timeline in the linked Bugtraq post lists:

2013-08-07 - Project maintainer completes preliminary testing,
coordinates release of RPMs for Fedora.
2013-08-22 - Fedora pushing new RPMs.

There are already updates for Fedora / EPEL upgrading hylafax+ to version 5.5.4, which were marked as security.  However, the description does not highlight this flaw, but mentions a change to using hardened build flags, which is often used as a reason to set the update type to security.  Lee may clarify why it was flagged as a security update.

Fix is mentioned in upstream release notes for 5.5.4:

http://hylafax.sourceforge.net/news/5.5.4.php

  * rewrite direct LDAP authentication function by Dennis Jenkins (31 Jul 2013)

Related upstream commits seem to be:

http://sourceforge.net/p/hylafax/HylaFAX+/2297/
http://sourceforge.net/p/hylafax/HylaFAX+/2298/
http://sourceforge.net/p/hylafax/HylaFAX+/2299/
http://sourceforge.net/p/hylafax/HylaFAX+/2300/
http://sourceforge.net/p/hylafax/HylaFAX+/2302/
http://sourceforge.net/p/hylafax/HylaFAX+/2304/

Comment 3 Tomas Hoger 2013-10-01 13:55:16 UTC
Fixed version 5.5.4 is already in current Fedora and EPEL versions.