Bug#978220: hylafax: diff for NMU version 3:6.0.7-3.1
r***@gmail.com
2021-01-13 13:10:02 UTC
Control: tags 964198 + patch
Control: tags 964198 + pending
Control: tags 978220 + patch
Control: tags 978220 + pending


Dear maintainer,

I've prepared an NMU for hylafax (versioned as 3:6.0.7-3.1) and
uploaded it to DELAYED/7. Please feel free to tell me if I
should delay it longer.

Regards.

diff -Nru hylafax-6.0.7/debian/changelog hylafax-6.0.7/debian/changelog
--- hylafax-6.0.7/debian/changelog 2020-03-28 09:26:49.000000000 +0000
+++ hylafax-6.0.7/debian/changelog 2021-01-13 13:00:13.000000000 +0000
@@ -1,3 +1,23 @@
+hylafax (3:6.0.7-3.1) unstable; urgency=medium
+
+ * NMU
+ * Bug fix: "FTBFS: Incompatible TIFF Library.", thanks to Lucas Nussbaum
+ (Closes: #978220).
+ * Bug fix: "CVE-2020-15397 CVE-2020-15396", thanks to Moritz Muehlenhoff
+ (Closes: #964198):
+ - The faxsetup utility
+ calls chown on files in user-owned directories.
+ By winning a race, a local attacker could use
+ this to escalate his privileges to root.
+ - Scripts that execute binaries from directories
+ writable by unprivileged users (e.g., locations under
+ /var/spool/hylafax that are
+ writable by the uucp account). This allows these users to
+ execute code in the context of the user calling these binaries
+ (often root).
+
+ -- Bastien RoucariÚs <***@debian.org> Wed, 13 Jan 2021 13:00:13 +0000
+
hylafax (3:6.0.7-3) unstable; urgency=medium

* Added logrotate configuration for /var/spool/hylafax/log/xferfaxlog
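Review bot: the CVE bullet names both ids but neither sub-bullet says which CVE it addresses; tag the faxsetup chown-race item and the writable-directory item each with its own id so the changelog and the security tracker line up (the 833 patch header has the same gap). The name in the trailer line renders as `RoucariÚs`, which looks like a Latin-1/UTF-8 mix-up, so it is worth confirming the changelog file is UTF-8 before the DELAYED/7 upload lands.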
diff -Nru hylafax-6.0.7/debian/patches/832_fix_FTBFS_with_newer_libtiff.patch hylafax-6.0.7/debian/patches/832_fix_FTBFS_with_newer_libtiff.patch
--- hylafax-6.0.7/debian/patches/832_fix_FTBFS_with_newer_libtiff.patch 1970-01-01 00:00:00.000000000 +0000
+++ hylafax-6.0.7/debian/patches/832_fix_FTBFS_with_newer_libtiff.patch 2021-01-13 12:34:16.000000000 +0000
@@ -0,0 +1,20 @@
+Subject: Fix FTBFS with newer libtiff
+author: Bastien RoucariÚs <***@debian.org>
+
+Allow newer libtiff in configure
+
+bug-debian: https://bugs.debian.org/978220
+
+Index: hylafax-6.0.7/configure
+===================================================================
+--- hylafax-6.0.7.orig/configure
++++ hylafax-6.0.7/configure
+@@ -2572,7 +2572,7 @@ EOF
+ tiff_offset_t="uint32"
+ tiff_bytecount_t="uint32"
+ ;;
+- 4.[01]) tiff_runlen_t="uint32"
++ 4.[0-9]) tiff_runlen_t="uint32"
+ tiff_offset_t="uint64"
+ tiff_bytecount_t="uint64"
+ echo '#define TIFFHeader TIFFHeaderClassic'
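Review bot: widening the `case` glob from `4.[01]` to `4.[0-9]` still matches only a single minor-version digit, so a future libtiff 4.10 would land back in the same "Incompatible TIFF Library" failure this patch is fixing; if the matched variable holds only major.minor, `4.*` would be the safer choice, since the assignments in this branch (`uint32` run length, `uint64` offset and byte count, `TIFFHeaderClassic`) apply to the whole 4.x series. Minor: the DEP-3 fields are conventionally written `Author:` and `Bug-Debian:`.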
diff -Nru hylafax-6.0.7/debian/patches/833_fix_insecure_directory.patch hylafax-6.0.7/debian/patches/833_fix_insecure_directory.patch
--- hylafax-6.0.7/debian/patches/833_fix_insecure_directory.patch 1970-01-01 00:00:00.000000000 +0000
+++ hylafax-6.0.7/debian/patches/833_fix_insecure_directory.patch 2021-01-13 12:55:29.000000000 +0000
@@ -0,0 +1,100 @@
+Subject: Fix insecure directory creation
+author: Johannes Segitz
+
+Secure temporary directory creation for faxsetup, faxaddmodem, and
+probemodem (13 Jun 2020)
+secure the HylaFAX spool directory bin and etc subdirs
+
+In HylaFAX+ through 7.0.2 and HylaFAX Enterprise, the faxsetup utility
+calls chown on files in user-owned directories. By winning a race, a local attacker could use this to escalate his privileges to root.
+
+HylaFAX+ through 7.0.2 and HylaFAX Enterprise have scripts that execute binaries from directories
+writable by unprivileged users (e.g., locations under /var/spool/hylafax that are
+writable by the uucp account). This allows these users to execute code in the context of the user calling these binaries (often root).
+
+This fix CVE-2020-15396 and CVE-2020-15397
+bug-debian: https://bugs.debian.org/964198
+origin: https://sourceforge.net/p/hylafax/HylaFAX+/2534/
+
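Review bot: "This fix CVE-2020-15396 and CVE-2020-15397" should read "This fixes ...", and the two description paragraphs above it would be clearer if each opened with the CVE id it describes, since the header otherwise leaves the reader to work out which hunk below closes which CVE. The `origin:` line should follow the DEP-3 form `Origin: upstream, <url>` so tooling can tell an upstream change from a Debian-local one.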
+Index: hylafax-6.0.7/Makefile.in
+===================================================================
+--- hylafax-6.0.7.orig/Makefile.in
++++ hylafax-6.0.7/Makefile.in
+@@ -231,7 +231,10 @@ makeServerDirs::
+ -idb hylafax.sw.server -dir ${SPOOL}
+ -${INSTALL} -u ${FAXUSER} -g ${FAXGROUP} -m ${DIRMODE} \
+ -idb hylafax.sw.server -dir \
+- -F ${SPOOL} bin client config dev etc info log recvq status
++ -F ${SPOOL} client config dev info log recvq status
++ -${INSTALL} -u root -g root -m ${DIRMODE} \
++ -idb hylafax.sw.server -dir \
++ -root ${INSTALLROOT} -F ${SPOOL} bin etc
+ -${INSTALL} -u ${FAXUSER} -g ${FAXGROUP} -m 700 \
+ -idb hylafax.sw.server -dir \
+ -F ${SPOOL} sendq doneq docq tmp pollq archive
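Review bot: the new `${INSTALL}` call for `bin etc` passes `-root ${INSTALLROOT}` while the two adjacent calls (the `client config dev ...` one above and the `sendq doneq ...` one below) do not; either those also need it for a staged install or this one does not, so check which before it lands. Separately, this only affects freshly installed trees: the diff carries no maintainer-script change, so an existing `/var/spool/hylafax/bin` and `etc` already owned by the uucp account keep that ownership on upgrade, which is exactly the condition CVE-2020-15397 describes. A postinst that re-owns those two directories to root (without following symlinks) is probably needed alongside this hunk.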
+Index: hylafax-6.0.7/etc/faxaddmodem.sh.in
+===================================================================
+--- hylafax-6.0.7.orig/etc/faxaddmodem.sh.in
++++ hylafax-6.0.7/etc/faxaddmodem.sh.in
+@@ -108,12 +108,14 @@ if [ "$euid" != "root" ]; then
+ fi
+
+ # security
++o="`umask`"
++umask 077
+ TMPDIR=`(mktemp -d /tmp/.faxaddmodem.XXXXXX) 2>/dev/null`
++umask "$o"
+ if test X$TMPDIR = X; then
+- TMPDIR=/tmp/.faxaddmodem$$
++ echo "Failed to create temporary directory. Cannot continue."
++ exit 1
+ fi
+-@RM@ -rf $TMPDIR
+-(umask 077 ; mkdir $TMPDIR) || exit 1
+
+ SH=$SCRIPT_SH # shell for use below
+ CPATH=$SPOOL/etc/config # prefix of configuration file
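Review bot: the failure message is printed with a bare `echo` and so goes to stdout, which in faxaddmodem is the interactive dialogue; send it to stderr (`echo "..." >&2`). The `umask 077` wrapped around `mktemp -d` is harmless but redundant, because `mktemp -d` creates the directory mode 0700 regardless of umask; the substantive change in this hunk is dropping the predictable `/tmp/.faxaddmodem$$` fallback (and the `rm -rf` of it) in favour of failing closed, and the patch header would be clearer if it said so. Also, `o` as a variable name is easy to clobber in a script this long; `saved_umask` reads better.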
+Index: hylafax-6.0.7/etc/faxsetup.sh.in
+===================================================================
+--- hylafax-6.0.7.orig/etc/faxsetup.sh.in
++++ hylafax-6.0.7/etc/faxsetup.sh.in
+@@ -928,12 +928,14 @@ if onServer; then
+ #
+
+ # Setup TMPDIR before anything can trap and rm it
++ o="`umask`"
++ umask 077
+ TMPDIR=`(mktemp -d /tmp/.faxsetup.XXXXXX) 2>/dev/null`
++ umask "$o"
+ if test x$TMPDIR = x; then
+- TMPDIR=/tmp/.faxsetup$$
++ echo "Failed to create temporary directory. Cannot continue."
++ exit 1
+ fi
+- $RM -rf $TMPDIR
+- (umask 077 ; mkdir $TMPDIR) || exit 1
+
+ JUNK="etc/setup.tmp"
+ trap "$RM \$JUNK; $RM -r \$TMPDIR; exit 1" 1 2 15
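Review bot: this is the same block as in faxaddmodem, differing only in indentation and in `x$TMPDIR = x` versus `X$TMPDIR = X`; since all three scripts are generated from `.sh.in` templates, the fragment could live in one shared snippet so the stderr and naming fixes are made once. The ordering here is right (the `exit 1` path runs before the `trap` below is installed, so there is nothing to remove on failure), but the "Setup TMPDIR before anything can trap and rm it" comment should now also say that an unobtainable TMPDIR is fatal.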
+Index: hylafax-6.0.7/etc/probemodem.sh.in
+===================================================================
+--- hylafax-6.0.7.orig/etc/probemodem.sh.in
++++ hylafax-6.0.7/etc/probemodem.sh.in
+@@ -78,12 +78,14 @@ test -f $SPOOL/etc/setup.cache || {
+ . $SPOOL/etc/setup.cache # common configuration stuff
+ . $SPOOL/etc/setup.modem # modem-specific stuff
+
++o="`umask`"
++umask 077
+ TMPDIR=`(mktemp -d /tmp/.probemodem.XXXXXX) 2>/dev/null`
++umask "$o"
+ if test X$TMPDIR = X; then
+- TMPDIR=/tmp/.probemodem$$
++ echo "Failed to create temporary directory. Cannot continue."
++ exit 1
+ fi
+-@RM@ -fr $TMPDIR
+-(umask 077 ; mkdir $TMPDIR) || exit 1
+
+ SH=$SCRIPT_SH # shell for use below
+ OUT=$TMPDIR/probemodem$$ # temp file in which modem output is recorded
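Review bot: unlike the other two scripts, probemodem sources `$SPOOL/etc/setup.cache` and `setup.modem` (the two context lines above the hunk) before the temporary directory is created; both files live in the `etc` subdirectory that the Makefile.in hunk now installs as `root:root`, so this script's protection against CVE-2020-15397 depends on that ownership change reaching existing installations, not just on the temp-dir change here. The header should state that the three shell hunks address the temp-dir race and the Makefile hunk the writable-directory issue instead of grouping both CVEs in one sentence. The `$$` suffix on `OUT` is now unnecessary inside a private 0700 directory, though harmless.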
diff -Nru hylafax-6.0.7/debian/patches/series hylafax-6.0.7/debian/patches/series
--- hylafax-6.0.7/debian/patches/series 2020-03-06 23:30:54.000000000 +0000
+++ hylafax-6.0.7/debian/patches/series 2021-01-13 12:46:12.000000000 +0000
@@ -21,3 +21,5 @@
827_make-build-reproducible.patch
830_libtiff-v4.patch
831_faxaddmodem-configure-systemd.patch
+832_fix_FTBFS_with_newer_libtiff.patch
+833_fix_insecure_directory.patch
Debian Bug Tracking System
2021-01-13 13:10:02 UTC
Post by r***@gmail.com
tags 964198 + patch
Bug #964198 [src:hylafax] CVE-2020-15397 CVE-2020-15396
Added tag(s) patch.
Post by r***@gmail.com
tags 964198 + pending
Bug #964198 [src:hylafax] CVE-2020-15397 CVE-2020-15396
Added tag(s) pending.
Post by r***@gmail.com
tags 978220 + patch
Bug #978220 [src:hylafax] hylafax: FTBFS: Incompatible TIFF Library.
Added tag(s) patch.
Post by r***@gmail.com
tags 978220 + pending
Bug #978220 [src:hylafax] hylafax: FTBFS: Incompatible TIFF Library.
Added tag(s) pending.
--
964198: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964198
978220: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978220
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Debian Bug Tracking System
2021-01-13 13:10:03 UTC
Post by r***@gmail.com
tags 964198 + patch
Bug #964198 [src:hylafax] CVE-2020-15397 CVE-2020-15396
Ignoring request to alter tags of bug #964198 to the same tags previously set
Post by r***@gmail.com
tags 964198 + pending
Bug #964198 [src:hylafax] CVE-2020-15397 CVE-2020-15396
Ignoring request to alter tags of bug #964198 to the same tags previously set
Post by r***@gmail.com
tags 978220 + patch
Bug #978220 [src:hylafax] hylafax: FTBFS: Incompatible TIFF Library.
Ignoring request to alter tags of bug #978220 to the same tags previously set
Post by r***@gmail.com
tags 978220 + pending
Bug #978220 [src:hylafax] hylafax: FTBFS: Incompatible TIFF Library.
Ignoring request to alter tags of bug #978220 to the same tags previously set
--
964198: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964198
978220: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978220
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Giuseppe Sacco
2021-01-13 14:40:03 UTC
Hello Bastien,
thank you very much for your NMU.

Bye,
Giuseppe
Debian Bug Tracking System
2021-01-15 08:30:02 UTC
Your message dated Fri, 15 Jan 2021 08:21:24 +0000
with message-id <E1l0KMG-000IpO-***@fasolo.debian.org>
and subject line Bug#978220: fixed in hylafax 3:6.0.7-3.1
has caused the Debian Bug report #978220,
regarding hylafax: FTBFS: Incompatible TIFF Library.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
978220: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978220
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems