Bug 78543 - Mgetty 1.1.29 fixes security issue
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: mgetty
Version: 7.3
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Nalin Dahyabhai
Keywords: Security
Reported: 2002-11-25 09:07 EST by Bruce Garlock
Modified: 2008-05-01 11:38 EDT
Doc Type: Bug Fix
Last Closed: 2003-04-08 08:16:54 EDT

Description Bruce Garlock 2002-11-25 09:07:17 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.8 [en] (WinNT; U)

Description of problem:
Mgetty 1.1.29 was just released, and fixes a security issue in 
faxspool/faxrunqd.  Here is the release announcement:

I have just released mgetty+sendfax 1.1.29.

  It contains a couple of new features, bug fixes, and a massive rewrite of
  the way the fax queue (/var/spool/fax/ and /var/spool/fax/outgoing/)
  is accessed.


  New features:

   * many error messages clarified

   * the caller's name (Caller ID) is now exported to external scripts 
     as $CALLER_NAME

   * voice/ has support for DLE shielding of long DTMF tones

   * voice/ has support for 16 bit linear audio on V.253 modems

   * lots of documentation work


  Security fixes / concept changes:

   * it's now possible to run faxrunq/faxrunqd (and thus sendfax) as 
     non-root user

   * fax spool directories are no longer world-writeable, access is done
     via a suid helper program (suid to a special user ID, "fax")

   * possible buffer overrun when calling cnd-program (if CallerName is 
     too long)

   * $CALLER_ID, $CALLER_NAME and so on are sanitized before passing to shell
     (all quote characters and all non-printable characters are replaced by " ")


  Bug fixes:

   * "caller name = CONNECTICUT" is now handled correctly, and not mistaken
     for "CONNECT" any more

   * faxrunqd sometimes didn't obey job priority settings if combining 
     multiple jobs to the same destination

   * some timing problems in sending ATE0 to voice modems on fast computers


  Who should upgrade?

   * everybody who is using faxspool/faxrunq on a machine that is shared
     with other users that are not 100 per cent trustworthy

   * vgetty users with V.253 modems


  Distribution vendors: 

   - I strongly urge you to upgrade to 1.1.29 - older versions are NOT safe 
     if there are malicious users on the system and faxrunq/faxrunqd are in 
     use.
     
   - The fax queue handling (faxspool, faxq-helper) needs a new user ID
     now ("fax") which MUST own the fax queue directories and SHOULD NOT
     own anything else.  The user ID is configured in the Makefile.

   - faxrunq/faxrunqd can run as user "fax", but in that case the user
     needs access to the modem devices (via his primary group id).

     Watch out for log file access permissions if this is used!


  If anything is unclear, *please* talk to me before rolling out updated
  packages that might break things in funny ways.

  gert

  -- 
  USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
  Gert Doering - Munich, Germany                             gert@greenie.muc.de
  fax: +49-89-35655025                        gert.doering@physik.tu-muenchen.de


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. use faxspool/faxrunqd from mgetty < 1.1.29
2.
3.
	

Actual Results:  FAX spool directories are world writable

Expected Results:  Non world writable directories.

Additional info:
Comment 1 Mark J. Cox (Product Security) 2003-04-08 08:16:54 EDT
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2003-036.html
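
The two caller-ID fixes listed in the announcement (bounded handling of an over-long CallerName, and replacing quote and non-printable characters with a space before the value reaches a shell) can be sketched as follows. This is an added illustration, not mgetty's own code: the function name sanitize_cnd, the quote set (', " and `) and the ASCII printable range 0x20-0x7e are assumptions, and the sample strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: "all quote characters" is taken to mean ', " and `. */
static int is_quote(unsigned char c)
{
    return c == '\'' || c == '"' || c == '`';
}

/* Assumption: "printable" means ASCII 0x20..0x7e, independent of locale. */
static int is_printable(unsigned char c)
{
    return c >= 0x20 && c <= 0x7e;
}

/*
 * Copy src into dst (capacity dstlen bytes, including the terminating NUL),
 * replacing every quote or non-printable byte with a space. Input longer
 * than the buffer is truncated instead of overrunning it.
 * Returns the number of bytes stored (excluding the NUL), or (size_t)-1
 * when the arguments are unusable.
 */
size_t sanitize_cnd(char *dst, size_t dstlen, const char *src)
{
    size_t i;

    if (dst == NULL || src == NULL || dstlen == 0)
        return (size_t)-1;

    for (i = 0; i + 1 < dstlen && src[i] != '\0'; i++) {
        unsigned char c = (unsigned char)src[i];
        dst[i] = (is_quote(c) || !is_printable(c)) ? ' ' : (char)c;
    }
    dst[i] = '\0';
    return i;
}

int main(void)
{
    char name[16];
    /* Constructed caller name containing quotes and a tab. */
    size_t n = sanitize_cnd(name, sizeof name, "ACME \"Fax\"\tCo");
    printf("%lu bytes: [%s]\n", (unsigned long)n, name);
    return 0;
}
```

Only a value cleaned this way should be exported as $CALLER_NAME or $CALLER_ID; the script receiving it should still quote the variable when expanding it.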
