Bug 1014058 (CVE-2013-5680) - CVE-2013-5680 hylafax+: heap overflow in HylaFAXServer::ldapCheck triggered by long user name
Summary: CVE-2013-5680 hylafax+: heap overflow in HylaFAXServer::ldapCheck triggered b...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-5680
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1014060 1014061
Blocks:
Reported: 2013-10-01 10:41 UTC by Ratul Gupta
Modified: 2019-09-29 13:08 UTC (History)

Fixed In Version: hylafax+ 5.5.4
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-01 13:55:16 UTC
Embargoed:



Description Ratul Gupta 2013-10-01 10:41:12 UTC
Hylafax, an enterprise-class open-source system for sending and receiving facsimiles as well as for sending alpha-numeric pages, was found to have a heap overflow vulnerability, which could allow a remote attacker to crash the hfaxd forked client.

Quoting Dennis Jenkins's Bugtraq post:

Hylafax+ contains a daemon, hfaxd, that allows a "fax client" to communicate with the fax server to submit fax jobs etc. The code path for authenticating users via LDAP allocates a 255-byte buffer, and then "strcats" user-supplied data buffered from the inbound FTP control channel. Other code limits the amount of copied data to 506 bytes, and truncates on NULL and "\n". Thus it is possible for an unauthenticated remote attacker to overflow the heap with a limited character set.

hfaxd typically runs as the uucp user, and forks on each new connection. The heap overflow occurs in a forked child, which would typically just hang.

The vulnerability is known to be fixed in HylaFAX+ 5.5.4 or a workaround could be to disable LDAP authentication via hfaxd.conf.

References:
https://bugzilla.novell.com/show_bug.cgi?id=843440
http://www.securityfocus.com/archive/1/528943
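The pattern the post describes (a fixed 255-byte heap buffer, strcat of up to 506 bytes of control-channel data into it) is a textbook unbounded append. The following is an added example, not code from HylaFAX+ or from the Bugtraq post, showing the defensive shape of the fix: every append is checked against the remaining capacity, an oversized user name is rejected instead of written, and the name is validated at the protocol boundary before it reaches the LDAP code. The DN layout (`uid=<user>,ou=people,...`), the `build_bind_dn` and `user_name_acceptable` names and the 64-character login-name limit are assumptions for illustration; only the 255 and 506 byte sizes come from the report.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes taken from the report: a 255-byte heap buffer, and an FTP
 * control-channel line that other code caps at 506 bytes. */
#define LDAP_BUF_SIZE 255
#define CTRL_LINE_MAX 506

/* Hypothetical DN layout; HylaFAX's real query format is not on the page. */
static const char *const dn_prefix = "uid=";
static const char *const dn_suffix = ",ou=people,dc=example,dc=com";

/* Bounded append: returns 0 on success, -1 if src (plus the terminating
 * NUL) would not fit in the remaining capacity. Never writes past buf+cap,
 * which is exactly the guarantee the original strcat lacked. */
static int append_bounded(char *buf, size_t cap, const char *src) {
    size_t used = strlen(buf);
    size_t need = strlen(src);
    if (need >= cap - used)        /* cap - used includes the NUL slot */
        return -1;
    memcpy(buf + used, src, need + 1);
    return 0;
}

/* Hardened DN builder: allocates the same 255-byte buffer the report
 * describes, but an oversized user name yields NULL instead of a heap
 * overflow. The caller frees the returned string. */
char *build_bind_dn(const char *user) {
    char *buf = malloc(LDAP_BUF_SIZE);
    if (buf == NULL)
        return NULL;
    buf[0] = '\0';
    if (append_bounded(buf, LDAP_BUF_SIZE, dn_prefix) != 0 ||
        append_bounded(buf, LDAP_BUF_SIZE, user) != 0 ||
        append_bounded(buf, LDAP_BUF_SIZE, dn_suffix) != 0) {
        free(buf);
        return NULL;
    }
    return buf;
}

/* Validation at the protocol boundary: reject a user name before it
 * reaches the LDAP path if it is empty, longer than an assumed 64-char
 * policy limit, or contains characters that do not belong in a login
 * name (which also keeps LDAP filter metacharacters out of the query). */
int user_name_acceptable(const char *user) {
    size_t n = strlen(user);
    if (n == 0 || n > 64)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-' || c == '@'))
            return 0;
    }
    return 1;
}

int main(void) {
    /* Constructed inputs: a normal name and a 506-byte line of 'A's. */
    char longname[CTRL_LINE_MAX + 1];
    memset(longname, 'A', CTRL_LINE_MAX);
    longname[CTRL_LINE_MAX] = '\0';

    char *dn = build_bind_dn("alice");
    printf("alice -> %s\n", dn ? dn : "(rejected)");
    free(dn);

    dn = build_bind_dn(longname);
    printf("506 x 'A' -> %s\n", dn ? dn : "(rejected)");
    free(dn);
    printf("506 x 'A' acceptable at boundary: %d\n",
           user_name_acceptable(longname));
    return 0;
}
```

The two checks are deliberately independent: the boundary check stops bad input early and gives a clean protocol error, while the bounded append protects the buffer even if some other caller bypasses the boundary check, which is the defence-in-depth a reviewer would ask for when rewriting a function like `ldapCheck`.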

Comment 1 Ratul Gupta 2013-10-01 10:44:40 UTC
Created hylafax+ tracking bugs for this issue:

Affects: fedora-all [bug 1014060]
Affects: epel-all [bug 1014061]

Comment 2 Tomas Hoger 2013-10-01 13:52:14 UTC
Timeline in the linked Bugtraq post lists:

2013-08-07 - Project maintainer completes preliminary testing,
coordinates release of RPMs for Fedora.
2013-08-22 - Fedora pushing new RPMs.

There are already updates for Fedora / EPEL upgrading hylafax+ to version 5.5.4, which were marked as security. However, the description does not highlight this flaw, but mentions a change to using hardened build flags, which is often used as a reason to set the update type to security. Lee may clarify why it was flagged as a security update.

Fix is mentioned in upstream release notes for 5.5.4:

http://hylafax.sourceforge.net/news/5.5.4.php

  * rewrite direct LDAP authentication function by Dennis Jenkins (31 Jul 2013)

Related upstream commits seem to be:

http://sourceforge.net/p/hylafax/HylaFAX+/2297/
http://sourceforge.net/p/hylafax/HylaFAX+/2298/
http://sourceforge.net/p/hylafax/HylaFAX+/2299/
http://sourceforge.net/p/hylafax/HylaFAX+/2300/
http://sourceforge.net/p/hylafax/HylaFAX+/2302/
http://sourceforge.net/p/hylafax/HylaFAX+/2304/

Comment 3 Tomas Hoger 2013-10-01 13:55:16 UTC
Fixed version 5.5.4 is already in current Fedora and EPEL versions.