Hylafax, an enterprise-class open-source system for sending and receiving facsimiles as well as for sending alpha-numeric pages, was found to have a heap overflow vulnerability, which could allow a remote attacker to crash the hfaxd forked client.

Quoting Dennis Jenkins's Bugtraq post:

Hylafax+ contains a daemon, hfaxd, that allows a "fax client" to communicate with the fax server to submit fax jobs etc. The code path for authenticating users via LDAP allocates a 255-byte buffer, and then "strcats" user-supplied data buffered from the inbound FTP control channel. Other code limits the amount of copied data to 506 bytes, and truncates on NULL and "\n". Thus it is possible for an unauthenticated remote attacker to overflow the heap with a limited character set. hfaxd typically runs as the uucp user, and forks on each new connection. The heap overflow occurs in a forked child, which would typically just hang.

The vulnerability is known to be fixed in HylaFAX+ 5.5.4 or a workaround could be to disable LDAP authentication via hfaxd.conf.

References:
https://bugzilla.novell.com/show_bug.cgi?id=843440
http://www.securityfocus.com/archive/1/528943
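The size mismatch described in the report (a 255-byte heap buffer receiving up to 506 bytes through strcat), worked through as an added example; this is not HylaFAX+ code and not the upstream fix. The function names and the prefix/user/suffix layout are assumptions made for illustration; only the 255 and 506 figures come from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AUTH_BUF_SIZE 255  /* heap buffer size quoted in the report */
#define MAX_INPUT     506  /* most user data the other code lets through */

/* Bytes an unchecked strcat() would write past the buffer when `used`
 * bytes are already in it and `user_len` more (plus the NUL) are appended. */
size_t overrun(size_t used, size_t user_len)
{
    size_t total = used + user_len + 1;
    return total > AUTH_BUF_SIZE ? total - AUTH_BUF_SIZE : 0;
}

/* Bounded replacement (hypothetical): returns a fresh prefix+user+suffix
 * string, or NULL if it would not fit. It rejects instead of truncating,
 * because a truncated name would identify a different account. */
char *build_auth_string(const char *prefix, const char *user, const char *suffix)
{
    size_t need = strlen(prefix) + strlen(user) + strlen(suffix) + 1;
    if (need > AUTH_BUF_SIZE)
        return NULL;
    char *out = malloc(need);
    if (out == NULL)
        return NULL;
    snprintf(out, need, "%s%s%s", prefix, user, suffix);
    return out;
}

/* Helper: does a constructed user name of n bytes pass the bounded builder? */
int accepts_len(size_t n)
{
    char user[MAX_INPUT + 1];
    if (n > MAX_INPUT) return 0;
    memset(user, 'a', n);
    user[n] = '\0';
    char *s = build_auth_string("", user, "");
    int ok = (s != NULL);
    free(s);
    return ok;
}

int main(void)
{
    printf("overrun at max input: %zu bytes\n", overrun(0, MAX_INPUT));
    printf("254-byte name accepted: %d\n", accepts_len(254));
    printf("506-byte name accepted: %d\n", accepts_len(MAX_INPUT));
    return 0;
}
```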
Created hylafax+ tracking bugs for this issue:

Affects: fedora-all [bug 1014060]
Affects: epel-all [bug 1014061]
Timeline in the linked Bugtraq post lists:

2013-08-07 - Project maintainer completes preliminary testing, coordinates release of RPMs for Fedora.
2013-08-22 - Fedora pushing new RPMs.

There are already updates for Fedora / EPEL upgrading hylafax+ to version 5.5.4, which were marked as security. However, the description does not highlight this flaw, but mentions a change to using hardened build flags, which is often used as a reason to set the update type to security. Lee may clarify why it was flagged as a security update.

Fix is mentioned in upstream release notes for 5.5.4:
http://hylafax.sourceforge.net/news/5.5.4.php

* rewrite direct LDAP authentication function by Dennis Jenkins (31 Jul 2013)

Related upstream commits seem to be:
http://sourceforge.net/p/hylafax/HylaFAX+/2297/
http://sourceforge.net/p/hylafax/HylaFAX+/2298/
http://sourceforge.net/p/hylafax/HylaFAX+/2299/
http://sourceforge.net/p/hylafax/HylaFAX+/2300/
http://sourceforge.net/p/hylafax/HylaFAX+/2302/
http://sourceforge.net/p/hylafax/HylaFAX+/2304/
Fixed version 5.5.4 is already in current Fedora and EPEL versions.