Control: tags 964198 + patch
Control: tags 964198 + pending
Control: tags 978220 + patch
Control: tags 978220 + pending
Dear maintainer, I've prepared an NMU for hylafax (versioned as 3:6.0.7-3.1) and uploaded it to DELAYED/7. Please feel free to tell me if I should delay it longer. Regards. diff -Nru hylafax-6.0.7/debian/changelog hylafax-6.0.7/debian/changelog --- hylafax-6.0.7/debian/changelog 2020-03-28 09:26:49.000000000 +0000 +++ hylafax-6.0.7/debian/changelog 2021-01-13 13:00:13.000000000 +0000 @@ -1,3 +1,23 @@ +hylafax (3:6.0.7-3.1) unstable; urgency=medium + + * NMU + * Bug fix: "FTBFS: Incompatible TIFF Library.", thanks to Lucas Nussbaum + (Closes: #978220). + * Bug fix: "CVE-2020-15397 CVE-2020-15396", thanks to Moritz Muehlenhoff + (Closes: #964198): + - The faxsetup utility + calls chown on files in user-owned directories. + By winning a race, a local attacker could use + this to escalate his privileges to root. + - Scripts that execute binaries from directories + writable by unprivileged users (e.g., locations under + /var/spool/hylafax that are + writable by the uucp account). This allows these users to + execute code in the context of the user calling these binaries + (often root). + + -- Bastien Roucariès <ro...@debian.org> Wed, 13 Jan 2021 13:00:13 +0000 + hylafax (3:6.0.7-3) unstable; urgency=medium * Added logrotate configuration for /var/spool/hylafax/log/xferfaxlog diff -Nru hylafax-6.0.7/debian/patches/832_fix_FTBFS_with_newer_libtiff.patch hylafax-6.0.7/debian/patches/832_fix_FTBFS_with_newer_libtiff.patch --- hylafax-6.0.7/debian/patches/832_fix_FTBFS_with_newer_libtiff.patch 1970-01-01 00:00:00.000000000 +0000 +++ hylafax-6.0.7/debian/patches/832_fix_FTBFS_with_newer_libtiff.patch 2021-01-13 12:34:16.000000000 +0000 
@@ -0,0 +1,20 @@ +Subject: Fix FTBFS with newer libtiff +author: Bastien Roucariès <ro...@debian.org> + +Allow newer libtiff in configure + +bug-debian: https://bugs.debian.org/978220 + +Index: hylafax-6.0.7/configure +=================================================================== +--- hylafax-6.0.7.orig/configure ++++ hylafax-6.0.7/configure +@@ -2572,7 +2572,7 @@ EOF + tiff_offset_t="uint32" + tiff_bytecount_t="uint32" + ;; +- 4.[01]) tiff_runlen_t="uint32" ++ 4.[0-9]) tiff_runlen_t="uint32" + tiff_offset_t="uint64" + tiff_bytecount_t="uint64" + echo '#define TIFFHeader TIFFHeaderClassic' diff -Nru hylafax-6.0.7/debian/patches/833_fix_insecure_directory.patch hylafax-6.0.7/debian/patches/833_fix_insecure_directory.patch --- hylafax-6.0.7/debian/patches/833_fix_insecure_directory.patch 1970-01-01 00:00:00.000000000 +0000 +++ hylafax-6.0.7/debian/patches/833_fix_insecure_directory.patch 2021-01-13 12:55:29.000000000 +0000 
@@ -0,0 +1,100 @@ +Subject: Fix insecure directory creation +author: Johannes Segitz + +Secure temporary directory creation for faxsetup, faxaddmodem, and +probemodem (13 Jun 2020) +secure the HylaFAX spool directory bin and etc subdirs + +In HylaFAX+ through 7.0.2 and HylaFAX Enterprise, the faxsetup utility +calls chown on files in user-owned directories. By winning a race, a local attacker could use this to escalate his privileges to root. + +HylaFAX+ through 7.0.2 and HylaFAX Enterprise have scripts that execute binaries from directories +writable by unprivileged users (e.g., locations under /var/spool/hylafax that are +writable by the uucp account). This allows these users to execute code in the context of the user calling these binaries (often root). + +This fix CVE-2020-15396 and CVE-2020-15397 +bug-debian: https://bugs.debian.org/964198 +origin: https://sourceforge.net/p/hylafax/HylaFAX+/2534/ + +Index: hylafax-6.0.7/Makefile.in +=================================================================== +--- hylafax-6.0.7.orig/Makefile.in ++++ hylafax-6.0.7/Makefile.in +@@ -231,7 +231,10 @@ makeServerDirs:: + -idb hylafax.sw.server -dir ${SPOOL} + -${INSTALL} -u ${FAXUSER} -g ${FAXGROUP} -m ${DIRMODE} \ + -idb hylafax.sw.server -dir \ +- -F ${SPOOL} bin client config dev etc info log recvq status ++ -F ${SPOOL} client config dev info log recvq status ++ -${INSTALL} -u root -g root -m ${DIRMODE} \ ++ -idb hylafax.sw.server -dir \ ++ -root ${INSTALLROOT} -F ${SPOOL} bin etc + -${INSTALL} -u ${FAXUSER} -g ${FAXGROUP} -m 700 \ + -idb hylafax.sw.server -dir \ + -F ${SPOOL} sendq doneq docq tmp pollq archive +Index: hylafax-6.0.7/etc/faxaddmodem.sh.in +=================================================================== +--- hylafax-6.0.7.orig/etc/faxaddmodem.sh.in ++++ hylafax-6.0.7/etc/faxaddmodem.sh.in +@@ -108,12 +108,14 @@ if [ "$euid" != "root" ]; then + fi + + # security ++o="`umask`" ++umask 077 + TMPDIR=`(mktemp -d /tmp/.faxaddmodem.XXXXXX) 2>/dev/null` ++umask 
"$o" + if test X$TMPDIR = X; then +- TMPDIR=/tmp/.faxaddmodem$$ ++ echo "Failed to create temporary directory. Cannot continue." ++ exit 1 + fi +-@RM@ -rf $TMPDIR +-(umask 077 ; mkdir $TMPDIR) || exit 1 + + SH=$SCRIPT_SH # shell for use below + CPATH=$SPOOL/etc/config # prefix of configuration file +Index: hylafax-6.0.7/etc/faxsetup.sh.in +=================================================================== +--- hylafax-6.0.7.orig/etc/faxsetup.sh.in ++++ hylafax-6.0.7/etc/faxsetup.sh.in +@@ -928,12 +928,14 @@ if onServer; then + # + + # Setup TMPDIR before anything can trap and rm it ++ o="`umask`" ++ umask 077 + TMPDIR=`(mktemp -d /tmp/.faxsetup.XXXXXX) 2>/dev/null` ++ umask "$o" + if test x$TMPDIR = x; then +- TMPDIR=/tmp/.faxsetup$$ ++ echo "Failed to create temporary directory. Cannot continue." ++ exit 1 + fi +- $RM -rf $TMPDIR +- (umask 077 ; mkdir $TMPDIR) || exit 1 + + JUNK="etc/setup.tmp" + trap "$RM \$JUNK; $RM -r \$TMPDIR; exit 1" 1 2 15 +Index: hylafax-6.0.7/etc/probemodem.sh.in +=================================================================== +--- hylafax-6.0.7.orig/etc/probemodem.sh.in ++++ hylafax-6.0.7/etc/probemodem.sh.in +@@ -78,12 +78,14 @@ test -f $SPOOL/etc/setup.cache || { + . $SPOOL/etc/setup.cache # common configuration stuff + . $SPOOL/etc/setup.modem # modem-specific stuff + ++o="`umask`" ++umask 077 + TMPDIR=`(mktemp -d /tmp/.probemodem.XXXXXX) 2>/dev/null` ++umask "$o" + if test X$TMPDIR = X; then +- TMPDIR=/tmp/.probemodem$$ ++ echo "Failed to create temporary directory. Cannot continue." ++ exit 1 + fi +-@RM@ -fr $TMPDIR +-(umask 077 ; mkdir $TMPDIR) || exit 1 + + SH=$SCRIPT_SH # shell for use below + OUT=$TMPDIR/probemodem$$ # temp file in which modem output is recorded diff -Nru hylafax-6.0.7/debian/patches/series hylafax-6.0.7/debian/patches/series --- hylafax-6.0.7/debian/patches/series 2020-03-06 23:30:54.000000000 +0000 +++ hylafax-6.0.7/debian/patches/series 2021-01-13 12:46:12.000000000 +0000 
@@ -21,3 +21,5 @@ 827_make-build-reproducible.patch 830_libtiff-v4.patch 831_faxaddmodem-configure-systemd.patch +832_fix_FTBFS_with_newer_libtiff.patch +833_fix_insecure_directory.patch
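Review bot: In the debian/changelog hunk, the second bullet lists both CVE ids in one string and then gives two untagged descriptions, so a reader cannot tell which description belongs to which id; put each id in front of its own description (or one "CVE-2020-1539x: ..." sub-bullet each). Two smaller points in the same hunk: the first bullet reads "* NMU", where the usual wording for a non-maintainer upload is "* Non-maintainer upload.", and the entry does not say that the bin/etc ownership change only takes effect on fresh installs, which is worth stating since upgraded systems keep their existing spool ownership.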
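Review bot: In 832_fix_FTBFS_with_newer_libtiff.patch, the configure case arm is widened from `4.[01])` to `4.[0-9])`, which only matches single-digit minor versions; a libtiff 4.10 would fall through to the default branch and reproduce the same "Incompatible TIFF Library" failure. If every libtiff 4.x is expected to keep the uint32/uint64 typedefs chosen here, `4.*)` expresses that intent directly and does not need revisiting. The DEP-3 header also lacks a `Forwarded:` field; since this is a build fix against upstream's configure script, stating whether it was sent upstream (or `Forwarded: not-needed`) would help the next NMUer.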
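Review bot: The Makefile.in hunk in 833_fix_insecure_directory.patch is the only part of the patch that addresses the chown race, and it does so by creating `bin` and `etc` as root-owned only in `makeServerDirs`, i.e. at package build/install time. Systems that already have a spool with uucp-owned `bin` and `etc` are left as they were, and this debdiff contains no maintainer-script change (only debian/patches and series), so on upgrade the race remains until the ownership is corrected; a postinst step that fixes the owner and mode of `${SPOOL}/bin` and `${SPOOL}/etc` (without following symlinks) should accompany this change. Separately, the new install line passes `-root ${INSTALLROOT}` while the neighbouring `${INSTALL}` calls in the same target do not; please confirm that is intentional rather than a copy from another target.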
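Review bot: In the three script hunks (faxaddmodem.sh.in, faxsetup.sh.in, probemodem.sh.in) the "Failed to create temporary directory. Cannot continue." message is written with a bare `echo`, so it goes to stdout; these scripts are run interactively by root and the failure now terminates them, so send it to stderr (`echo "..." >&2`) and consider dropping the `2>/dev/null` on the `mktemp -d` call so the actual reason (no /tmp, EACCES, ENOSPC) is visible. The substantive fix is correct: removing the predictable `/tmp/.faxsetup$$` fallback together with the `rm -rf`/`mkdir` pair closes the symlink race, and the later `trap ... $RM -r \$TMPDIR` still cleans up a directory that is now guaranteed to be freshly created by mktemp. The `umask 077` wrapper around `mktemp -d` is redundant for the directory itself (mktemp creates it 0700 regardless of umask) but harmless; the important line is the `umask "$o"` restore, otherwise every file the rest of the script writes under the spool would inherit 077.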