A command injection flaw was discovered in mgetty in the faxrunq script used to send queued faxes. The shell script faxrunq does not properly escape the arguments passed to faxsend before evaluating the command allowing a user, who has permissions to queue faxes in the system, to execute arbitrary command with elevated privileges.
Comment 4Riccardo Schirone
2018-09-19 09:30:40 UTC
faxrunq SHELL script does not properly escape the parameters before evaluating
the command to send the fax, thus the characters that sneak in thanks to loose
checks in faxq-helper.c:do_activate() can be used to inject commands.
Comment 6Riccardo Schirone
2018-09-19 09:35:01 UTC
Mitigation:
Allow only trusted users to run the faxq-helper binary, by correctly setting the /etc/mgetty+sendfax/fax.allow configuration file.
Comment 7Riccardo Schirone
2018-09-19 09:36:31 UTC
By default /etc/mgetty+sendfax/fax.allow does not exist on RHEL and only root is allowed to run faxq-helper binary, thus only root can exploit this flaw.
Comment 8Fedora Update System
2019-02-27 01:15:26 UTC
mgetty-1.1.37-10.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9Fedora Update System
2019-02-27 03:28:16 UTC
mgetty-1.1.37-11.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.