An issue was discovered in mgetty before 1.2.1. The shell script faxrunq does not properly escape arguments passed to faxsend and that may lead to command injection. A local user may use faxq-helper to sneak in some shell metacharacters (e.g. ||, &&, >) in the fax job file, that will be later parsed by faxrunq.

References:
https://lists.debian.org/debian-lts-announce/2018/09/msg00012.html
https://www.x41-dsec.de/lab/advisories/x41-2018-007-mgetty/
Created mgetty tracking bugs for this issue: Affects: fedora-all [bug 1628755]
Created attachment 1484634: upstream patch. This patch was extracted from mgetty-1.2.1.
The faxrunq shell script does not properly escape the parameters before evaluating the command to send the fax, thus the characters that sneak in thanks to loose checks in faxq-helper.c:do_activate() can be used to inject commands.
Mitigation: Allow only trusted users to run the faxq-helper binary, by correctly setting the /etc/mgetty+sendfax/fax.allow configuration file.
By default /etc/mgetty+sendfax/fax.allow does not exist on RHEL and only root is allowed to run the faxq-helper binary, thus only root can exploit this flaw.
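A simplified model of the flaw class described above, added here as an illustration and not taken from mgetty or its patch: a shell script that re-parses a job-file value as part of a command string, next to the quoted form and an input allowlist. The names `send_stub`, `run_unsafe`, `run_safe`, `is_safe_field`, the sample value and the allowed character set are all assumptions made for the example.

```shell
#!/bin/sh
# Added illustration; not code from mgetty. send_stub stands in for the
# program that sends the fax and only reports the arguments it received.
send_stub() {
    echo "stub argc=$# first=[$1]"
}

# Unsafe pattern: the job-file value is pasted into a command string that
# the shell parses again, so metacharacters in it become shell syntax.
run_unsafe() {
    cmd="send_stub $1"
    eval "$cmd"
}

# Hardened pattern: the value is passed as one quoted word and is never
# re-parsed, so it stays data whatever characters it contains.
run_safe() {
    send_stub "$1"
}

# Defence in depth where the job file is written: accept only an allowlist
# of characters. The exact set is an assumption for this example.
is_safe_field() {
    case "$1" in
        ''|*[!0-9A-Za-z+,.#*-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample value carrying a harmless marker command.
SAMPLE='5551234 && echo INJECTED'

echo "unsafe:"; run_unsafe "$SAMPLE"
echo "safe:";   run_safe "$SAMPLE"
is_safe_field "$SAMPLE" || echo "rejected at input: [$SAMPLE]"
```

In the unsafe form the marker command runs as a second command; in the quoted form the stub receives the whole value as a single argument, and the allowlist refuses the value before it ever reaches a job file.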
mgetty-1.1.37-10.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
mgetty-1.1.37-11.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.