Control: tags 964198 + patch
Control: tags 964198 + pending
Control: tags 978220 + patch
Control: tags 978220 + pending


Dear maintainer,

I've prepared an NMU for hylafax (versioned as 3:6.0.7-3.1) and
uploaded it to DELAYED/7. Please feel free to tell me if I
should delay it longer.

Regards.

diff -Nru hylafax-6.0.7/debian/changelog hylafax-6.0.7/debian/changelog
--- hylafax-6.0.7/debian/changelog      2020-03-28 09:26:49.000000000 +0000
+++ hylafax-6.0.7/debian/changelog      2021-01-13 13:00:13.000000000 +0000
@@ -1,3 +1,23 @@
+hylafax (3:6.0.7-3.1) unstable; urgency=medium
+
+  * NMU
+  * Bug fix: "FTBFS: Incompatible TIFF Library.", thanks to Lucas Nussbaum
+    (Closes: #978220).
+  * Bug fix: "CVE-2020-15397 CVE-2020-15396", thanks to Moritz Muehlenhoff
+    (Closes: #964198):
+    - The faxsetup utility 
+      calls chown on files in user-owned directories.
+      By winning a race, a local attacker could use
+      this to escalate his privileges to root.
+    - Scripts that execute binaries from directories 
+      writable by unprivileged users (e.g., locations under
+      /var/spool/hylafax that are 
+      writable by the uucp account). This allows these users to
+      execute code in the context of the user calling these binaries
+      (often root).
+
+ -- Bastien Roucariès <ro...@debian.org>  Wed, 13 Jan 2021 13:00:13 +0000
+
 hylafax (3:6.0.7-3) unstable; urgency=medium
 
   * Added logrotate configuration for /var/spool/hylafax/log/xferfaxlog
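Review bot: the second sub-bullet under the CVE entry ("Scripts that execute binaries from directories ... writable by the uucp account).") is a sentence fragment with no main verb, and the wrapped lines "The faxsetup utility ", "directories " and "are " carry trailing whitespace; consider rewording it along the lines of "Some scripts execute binaries from directories writable by unprivileged users (e.g. ...)" and trimming the whitespace so the entry reads cleanly in apt-listchanges. It would also help readers of the changelog to name which patch file (833_fix_insecure_directory.patch) addresses the two CVEs, since the entry otherwise only points at the bug number.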
diff -Nru hylafax-6.0.7/debian/patches/832_fix_FTBFS_with_newer_libtiff.patch 
hylafax-6.0.7/debian/patches/832_fix_FTBFS_with_newer_libtiff.patch
--- hylafax-6.0.7/debian/patches/832_fix_FTBFS_with_newer_libtiff.patch 
1970-01-01 00:00:00.000000000 +0000
+++ hylafax-6.0.7/debian/patches/832_fix_FTBFS_with_newer_libtiff.patch 
2021-01-13 12:34:16.000000000 +0000
@@ -0,0 +1,20 @@
+Subject: Fix FTBFS with newer libtiff
+author: Bastien Roucariès <ro...@debian.org>
+
+Allow newer libtiff in configure
+
+bug-debian: https://bugs.debian.org/978220
+
+Index: hylafax-6.0.7/configure
+===================================================================
+--- hylafax-6.0.7.orig/configure
++++ hylafax-6.0.7/configure
+@@ -2572,7 +2572,7 @@ EOF
+                               tiff_offset_t="uint32"
+                               tiff_bytecount_t="uint32"
+                               ;;
+-              4.[01])         tiff_runlen_t="uint32"
++              4.[0-9])        tiff_runlen_t="uint32"
+                               tiff_offset_t="uint64"
+                               tiff_bytecount_t="uint64"
+                               echo '#define TIFFHeader        
TIFFHeaderClassic'
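Review bot: the replacement case pattern `4.[0-9])` still only matches single-digit minor versions, so a libtiff 4.10 or later would fall out of this branch exactly as 4.2 does today with `4.[01])`; unless a later case in that switch needs to distinguish 4.x minors, a pattern such as `4.*)` would avoid reopening #978220 at the next libtiff bump. Also, the final hunk line appears here wrapped across two lines ("echo '#define TIFFHeader" / "TIFFHeaderClassic'"), which looks like mail wrapping rather than the file content; worth confirming that the patch file itself has the line intact and still applies with quilt.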
diff -Nru hylafax-6.0.7/debian/patches/833_fix_insecure_directory.patch 
hylafax-6.0.7/debian/patches/833_fix_insecure_directory.patch
--- hylafax-6.0.7/debian/patches/833_fix_insecure_directory.patch       
1970-01-01 00:00:00.000000000 +0000
+++ hylafax-6.0.7/debian/patches/833_fix_insecure_directory.patch       
2021-01-13 12:55:29.000000000 +0000
@@ -0,0 +1,100 @@
+Subject: Fix insecure directory creation
+author: Johannes Segitz
+
+Secure temporary directory creation for faxsetup, faxaddmodem, and
+probemodem (13 Jun 2020)
+secure the HylaFAX spool directory bin and etc subdirs 
+
+In HylaFAX+ through 7.0.2 and HylaFAX Enterprise, the faxsetup utility 
+calls chown on files in user-owned directories. By winning a race, a local 
attacker could use this to escalate his privileges to root.
+
+HylaFAX+ through 7.0.2 and HylaFAX Enterprise have scripts that execute 
binaries from directories 
+writable by unprivileged users (e.g., locations under /var/spool/hylafax that 
are 
+writable by the uucp account). This allows these users to execute code in the 
context of the user calling these binaries (often root).
+
+This fix CVE-2020-15396 and CVE-2020-15397
+bug-debian: https://bugs.debian.org/964198
+origin: https://sourceforge.net/p/hylafax/HylaFAX+/2534/
+
+Index: hylafax-6.0.7/Makefile.in
+===================================================================
+--- hylafax-6.0.7.orig/Makefile.in
++++ hylafax-6.0.7/Makefile.in
+@@ -231,7 +231,10 @@ makeServerDirs::
+           -idb hylafax.sw.server -dir ${SPOOL}
+       -${INSTALL} -u ${FAXUSER} -g ${FAXGROUP} -m ${DIRMODE} \
+           -idb hylafax.sw.server -dir \
+-          -F ${SPOOL} bin client config dev etc info log recvq status
++          -F ${SPOOL} client config dev info log recvq status
++      -${INSTALL} -u root -g root -m ${DIRMODE} \
++          -idb hylafax.sw.server -dir \
++          -root ${INSTALLROOT} -F ${SPOOL} bin etc
+       -${INSTALL} -u ${FAXUSER} -g ${FAXGROUP} -m 700 \
+           -idb hylafax.sw.server -dir \
+           -F ${SPOOL} sendq doneq docq tmp pollq archive
+Index: hylafax-6.0.7/etc/faxaddmodem.sh.in
+===================================================================
+--- hylafax-6.0.7.orig/etc/faxaddmodem.sh.in
++++ hylafax-6.0.7/etc/faxaddmodem.sh.in
+@@ -108,12 +108,14 @@ if [ "$euid" != "root" ]; then
+ fi
+ 
+ # security
++o="`umask`"
++umask 077
+ TMPDIR=`(mktemp -d /tmp/.faxaddmodem.XXXXXX) 2>/dev/null`
++umask "$o"
+ if test X$TMPDIR = X; then
+-    TMPDIR=/tmp/.faxaddmodem$$
++    echo "Failed to create temporary directory.  Cannot continue."
++    exit 1
+ fi
+-@RM@ -rf $TMPDIR
+-(umask 077 ; mkdir $TMPDIR) || exit 1
+ 
+ SH=$SCRIPT_SH                 # shell for use below
+ CPATH=$SPOOL/etc/config               # prefix of configuration file
+Index: hylafax-6.0.7/etc/faxsetup.sh.in
+===================================================================
+--- hylafax-6.0.7.orig/etc/faxsetup.sh.in
++++ hylafax-6.0.7/etc/faxsetup.sh.in
+@@ -928,12 +928,14 @@ if onServer; then
+     #
+ 
+     # Setup TMPDIR before anything can trap and rm it
++    o="`umask`"
++    umask 077
+     TMPDIR=`(mktemp -d /tmp/.faxsetup.XXXXXX) 2>/dev/null`
++    umask "$o"
+     if test x$TMPDIR = x; then
+-      TMPDIR=/tmp/.faxsetup$$
++      echo "Failed to create temporary directory.  Cannot continue."
++      exit 1
+     fi
+-    $RM -rf $TMPDIR
+-    (umask 077 ; mkdir $TMPDIR) || exit 1
+ 
+     JUNK="etc/setup.tmp"
+     trap "$RM \$JUNK; $RM -r \$TMPDIR; exit 1" 1 2 15
+Index: hylafax-6.0.7/etc/probemodem.sh.in
+===================================================================
+--- hylafax-6.0.7.orig/etc/probemodem.sh.in
++++ hylafax-6.0.7/etc/probemodem.sh.in
+@@ -78,12 +78,14 @@ test -f $SPOOL/etc/setup.cache || {
+ . $SPOOL/etc/setup.cache      # common configuration stuff
+ . $SPOOL/etc/setup.modem      # modem-specific stuff
+ 
++o="`umask`"
++umask 077
+ TMPDIR=`(mktemp -d /tmp/.probemodem.XXXXXX) 2>/dev/null`
++umask "$o"
+ if test X$TMPDIR = X; then
+-    TMPDIR=/tmp/.probemodem$$
++    echo "Failed to create temporary directory.  Cannot continue."
++    exit 1
+ fi
+-@RM@ -fr $TMPDIR
+-(umask 077 ; mkdir $TMPDIR) || exit 1
+ 
+ SH=$SCRIPT_SH                 # shell for use below
+ OUT=$TMPDIR/probemodem$$      # temp file in which modem output is recorded
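Review bot: the Makefile.in hunk only changes the ownership that the install target assigns to ${SPOOL}/bin and ${SPOOL}/etc, so it helps fresh installs only; on an upgrade the existing /var/spool/hylafax/bin and etc directories, which the patch description says are writable by the uucp account, keep their old ownership and CVE-2020-15396 stays exploitable there. If the Debian package's spool directories are populated from this target, the NMU also needs a postinst step (respecting dpkg-statoverride) that chowns those two directories to root on upgrade. On the three script hunks, the umask save/restore around `mktemp -d` is harmless but redundant, since mktemp -d creates the directory 0700 regardless of umask; the substantive fix is the removal of the predictable `/tmp/.faxsetup$$` style fallback, which is done correctly. Note that `2>/dev/null` on the mktemp call still swallows its error, so the new "Failed to create temporary directory" message hides the actual reason; letting mktemp's stderr through would make failures diagnosable. Finally, the header line "This fix CVE-2020-15396 and CVE-2020-15397" should read "This fixes".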
diff -Nru hylafax-6.0.7/debian/patches/series 
hylafax-6.0.7/debian/patches/series
--- hylafax-6.0.7/debian/patches/series 2020-03-06 23:30:54.000000000 +0000
+++ hylafax-6.0.7/debian/patches/series 2021-01-13 12:46:12.000000000 +0000
@@ -21,3 +21,5 @@
 827_make-build-reproducible.patch
 830_libtiff-v4.patch
 831_faxaddmodem-configure-systemd.patch
+832_fix_FTBFS_with_newer_libtiff.patch
+833_fix_insecure_directory.patch
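Review bot: both new entries match the added patch files and are appended at the end, which is fine; since 830_libtiff-v4.patch by its name also touches libtiff version handling, please confirm that 832_fix_FTBFS_with_newer_libtiff.patch applies cleanly on top of it (quilt push -a) rather than against the pristine configure.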
