Bug 1014058 (CVE-2013-5680)
**Summary:** CVE-2013-5680 hylafax+: heap overflow in HylaFAXServer::ldapCheck triggered by long user name

| Field | Value | Field | Value |
|---|---|---|---|
| Product | [Other] Security Response | Reporter | Ratul Gupta <ratulg> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | unspecified | CC | faxguy |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | hylafax+ 5.5.4 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2013-10-01 13:55:16 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1014060, 1014061 | | |
| Bug Blocks | | | |
Description

Ratul Gupta, 2013-10-01 10:41:12 UTC

Created hylafax+ tracking bugs for this issue:

- Affects: fedora-all [bug 1014060]
- Affects: epel-all [bug 1014061]

Timeline in the linked Bugtraq post lists:

- 2013-08-07 - Project maintainer completes preliminary testing, coordinates release of RPMs for Fedora.
- 2013-08-22 - Fedora pushing new RPMs.

There are already updates for Fedora / EPEL upgrading hylafax+ to version 5.5.4, which were marked as security. However, the description does not highlight this flaw, but mentions a change to using hardened build flags, which is often used as a reason to set update type security. Lee may clarify why it was flagged as a security update.

Fix is mentioned in upstream release notes for 5.5.4:
http://hylafax.sourceforge.net/news/5.5.4.php

* rewrite direct LDAP authentication function by Dennis Jenkins (31 Jul 2013)

Related upstream commits seem to be:

- http://sourceforge.net/p/hylafax/HylaFAX+/2297/
- http://sourceforge.net/p/hylafax/HylaFAX+/2298/
- http://sourceforge.net/p/hylafax/HylaFAX+/2299/
- http://sourceforge.net/p/hylafax/HylaFAX+/2300/
- http://sourceforge.net/p/hylafax/HylaFAX+/2302/
- http://sourceforge.net/p/hylafax/HylaFAX+/2304/

Fixed version 5.5.4 is already in current Fedora and EPEL versions.