Home > Security > Advisories


Mandriva Advisories

Package name hylafax
Date April 24th, 2001
Advisory ID MDKSA-2001:041
Affected versions 7.1, 7.2, CS1.0
Synopsis Updated hylafax packages fix potential root exploit in hfaxd

Problem Description

A problem exists with the HylaFAX program, hfaxd. When hfaxd tries to
change it's queue directory and fails, it prints an error message via
syslog by directly passing user supplied data as the format string. If
hfaxd is installed setuid root, this behaviour can be exploited to gain
root access locally. Note that Linux-Mandrake does not ship hfaxd
setuid root by default.

Updated Packages

Mandrakelinux 7.1

 ee6eab1c642154d5322dbd352f52b624  7.1/RPMS/hylafax-4.1-0.10mdk.i586.rpm
b73c45f4ee1c4f491fcdedc91ac45030  7.1/RPMS/hylafax-client-4.1-0.10mdk.i586.rpm
cfebff780619fe410c20a131d0e8e9b3  7.1/RPMS/hylafax-server-4.1-0.10mdk.i586.rpm
d5beb2e46136d5828c1de8048ad8572e  7.1/SRPMS/hylafax-4.1-0.10mdk.src.rpm

Mandrakelinux 7.2

 bb5496fcdf2be7c4cf1a235797ef3317  7.2/RPMS/hylafax-4.1-0.9mdk.i586.rpm
12dbc8359e7e7a179d9df0ff763b7b5d  7.2/RPMS/hylafax-client-4.1-0.9mdk.i586.rpm
2a5394dca8c6629179f2182ffae55329  7.2/RPMS/hylafax-server-4.1-0.9mdk.i586.rpm
9aca03bb7cabaf127cf25b5a810c7d92  7.2/SRPMS/hylafax-4.1-0.9mdk.src.rpm

Corporate Server 1.0.1

 ee6eab1c642154d5322dbd352f52b624  1.0.1/RPMS/hylafax-4.1-0.10mdk.i586.rpm
b73c45f4ee1c4f491fcdedc91ac45030  1.0.1/RPMS/hylafax-client-4.1-0.10mdk.i586.rpm
cfebff780619fe410c20a131d0e8e9b3  1.0.1/RPMS/hylafax-server-4.1-0.10mdk.i586.rpm
d5beb2e46136d5828c1de8048ad8572e  1.0.1/SRPMS/hylafax-4.1-0.10mdk.src.rpm


To upgrade automatically, use MandrivaUpdate.


Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

                rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.