Hello community,
here is the log from the commit of package hylafax
checked in at Thu Dec 7 20:28:46 CET 2006.
--------
--- hylafax/hylafax.changes 2006-08-06 23:08:30.000000000 +0200
+++ /mounts/work_src_done/STABLE/hylafax/hylafax.changes 2006-12-07 00:36:28.000000000 +0100
@@ -1,0 +2,11 @@
+Thu Dec 7 00:33:45 CET 2006 - kkeil@suse.de
+
+- fix FaxDispatch to take the correct parameter (#212516)
+
+-------------------------------------------------------------------
+Tue Dec 5 17:01:27 CET 2006 - kkeil@suse.de
+
+- capi4hylafax: security fix against executing arbitrary commands
+ on the fax receiving system. CVE-2006-3126 (#203515)
+
+-------------------------------------------------------------------
New:
----
capi4hylafax-secfix2.diff
hylafax-4.3.0-dispatch-isdn.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ hylafax.spec ++++++
--- /var/tmp/diff_new_pack.w5H5LJ/_old 2006-12-07 20:25:20.000000000 +0100
+++ /var/tmp/diff_new_pack.w5H5LJ/_new 2006-12-07 20:25:20.000000000 +0100
@@ -19,7 +19,7 @@
Conflicts: sendfax
Autoreqprov: on
Version: 4.3.0
-Release: 1
+Release: 25
Source: %{name}-%{version}.tar.bz2
Source1: latex-cover-1.04.tar.bz2
Source2: %{name}-SuSE.tar.bz2
@@ -31,8 +31,10 @@
Patch4: %{name}-%{version}-fax_user.dif
Patch5: %{name}-%{version}-asciifix.dif
Patch6: %{name}-%{version}-warning.diff
+Patch7: %{name}-%{version}-dispatch-isdn.diff
Patch10: capi4hylafax-suse.diff
Patch11: capi4hylafax-secfix.diff
+Patch12: capi4hylafax-secfix2.diff
URL: http://www.hylafax.org
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Summary: Very Powerful Fax Server
@@ -67,7 +69,7 @@
Sam Leffler
%package -n capi4hylafax
-License: GPL
+License: GNU General Public License (GPL)
URL: http://www.avm.de
Summary: faxcapi modem for hylafax
Group: Hardware/Fax
@@ -94,12 +96,14 @@
%patch4 -p1
%patch5 -p1
%patch6
+%patch7 -p1
#-b .valist
# need to be executable
chmod 755 SuSE/usr/lib/fax/a2pswrap
cd ../capi4hylafax-01.03.00
%patch10 -p1
%patch11 -p1
+%patch12 -p1
find ../ -name .cvsignore -exec rm {} \;
%build
@@ -383,6 +387,11 @@
/etc/config.faxCAPI.sample
%changelog -n hylafax
+* Thu Dec 07 2006 - kkeil@suse.de
+- fix FaxDispatch to take the correct parameter (#212516)
+* Tue Dec 05 2006 - kkeil@suse.de
+- capi4hylafax: security fix against executing arbitrary commands
+ on the fax receiving system. CVE-2006-3126 (#203515)
* Thu Aug 03 2006 - kkeil@suse.de
- update to version 4.3.0
* Fix DCS tag handling in Class2 (BUG 771) (5 May 2006)
@@ -712,7 +721,7 @@
- fixed doinst.sh for installion not in running system
* Fri May 30 1997 - choeger@suse.de
- built new package because of new location of httpd/cgi-bin
--> /usr/local/httpd/cgi-bin
+ -> /usr/local/httpd/cgi-bin
* Mon May 05 1997 - choeger@suse.de
- added latex-cover v1.03 to the binary distribution
* Tue Apr 22 1997 - choeger@suse.de
++++++ capi4hylafax-secfix2.diff ++++++
Index: capi4hylafax-01.03.00/src/faxrecv/faxrecv.cpp
===================================================================
--- capi4hylafax-01.03.00.orig/src/faxrecv/faxrecv.cpp
+++ capi4hylafax-01.03.00/src/faxrecv/faxrecv.cpp
@@ -331,7 +331,7 @@ void CFaxReceive::IsDisconnected (c_info
}
// Hylafax: <qfile> <ModemDeviceID> <CommID> <Reason> <CIDNumber> <CIDName> <destination>
- executeCommand.PrintAppend (" \"%S\" \"%S\" \"%09u\" \"%s\" \"%S\" \"\" \"%S\"",
+ executeCommand.PrintAppend (" \"%eS\" \"%eS\" \"%09u\" \"%es\" \"%eS\" \"\" \"%eS\"",
GetRecvFiles()->GetFirst(), &FaxDevice->DeviceName, jobNr,
StateText, GetReceiveID(), &MyNumber);
WriteXferLog ("RECV", jobNr, 0, 0, (char *)FaxDevice->DeviceName.GetPointer(), 0,
@@ -361,14 +361,14 @@ void CFaxReceive::IsDisconnected (c_info
}
executeCommand.PrintAppend (" %u 0x%X \"", recvStatus, Reason);
- executeCommand.Append (GetReceiveID());
+ executeCommand.PrintAppend ("%eS", GetReceiveID());
executeCommand.Append ("\" \"");
if (!MyNumber.IsEmpty()) {
- executeCommand.Append (&MyNumber);
+ executeCommand.PrintAppend ("%eS", &MyNumber);
}
executeCommand.PrintAppend ("\" %u", GetPageCount());
for (COneMultiString *pLauf = GetRecvFiles()->GetFirst(); (pLauf != 0); pLauf = pLauf->GetNext()) {
- executeCommand.PrintAppend (" \"%S\"", pLauf);
+ executeCommand.PrintAppend (" \"%eS\"", pLauf);
}
}
Index: capi4hylafax-01.03.00/src/faxsend/faxsend.cpp
===================================================================
--- capi4hylafax-01.03.00.orig/src/faxsend/faxsend.cpp
+++ capi4hylafax-01.03.00/src/faxsend/faxsend.cpp
@@ -572,7 +572,7 @@ void CFaxSend::IsDisconnected (c_info Re
commStr.Print ("%09u", m_commID);
// Hylafax: <mailaddr> <qfile> <ModemDeviceID> <CommID> <Reason>
- executeCommand.PrintAppend (" \"%S\" \"%S\" \"%S\" \"%S\" \"%s\"", &PollString,
+ executeCommand.PrintAppend (" \"%eS\" \"%eS\" \"%eS\" \"%eS\" \"%es\"", &PollString,
GetRecvFiles()->GetFirst(), &DeviceName, &commStr, StateText);
} else {
// mgetty: <RecvStatus> <Hangup Code> "<sender id>" "<poll text>" <nr of pages>
@@ -591,10 +591,10 @@ void CFaxSend::IsDisconnected (c_info Re
case 3:
break;
}
- executeCommand.PrintAppend (" %u 0x%X \"%S\" \"%S\" %u", recvStatus, Reason, GetReceiveID(),
+ executeCommand.PrintAppend (" %u 0x%X \"%eS\" \"%eS\" %u", recvStatus, Reason, GetReceiveID(),
&PollString, GetPageCount());
for (COneMultiString *pLauf = GetRecvFiles()->GetFirst(); (pLauf != 0); pLauf = pLauf->GetNext()) {
- executeCommand.PrintAppend (" \"%s\"", pLauf->GetPointer());
+ executeCommand.PrintAppend (" \"%es\"", pLauf->GetPointer());
}
}
Index: capi4hylafax-01.03.00/src/standard/CString.cpp
===================================================================
--- capi4hylafax-01.03.00.orig/src/standard/CString.cpp
+++ capi4hylafax-01.03.00/src/standard/CString.cpp
@@ -44,6 +44,9 @@
#define PRINTFLAGS_NEAR 0x0400 // Placeholder is a NEAR-pointer
#define PRINTFLAGS_QUESTION 0x0800 // Sizeof Char specified before string
#define PRINTFLAGS_STRINGTYPE 0x1000 // Placeholder is a CDynamicString-Pointer
+#define PRINTFLAGS_SHELLESCAPE 0x2000 // The placeholder should be filled in with
+ // a string suitable for passing to /bin/sh
+ // between double quotes.
/*===========================================================================*\
\*===========================================================================*/
@@ -389,6 +392,10 @@ tSInt CDynamicString::i_vPrintAppend (tF
PrtFlags |= PRINTFLAGS_SHORT;
break;
+ case 'e':
+ PrtFlags |= PRINTFLAGS_SHELLESCAPE;
+ break;
+
/*----- WIDTH or PRECISION-----*/
case '0':
if (PrtPreci == -2) {
@@ -580,13 +587,102 @@ tSInt CDynamicString::i_vPrintAppend (tF
PrtWidth = 0;
}
tSize endPos = curLen + copyBufLen;
- if (endPos >= GetMaxSize()) {
- if (DynExpand (endPos + 1) == vFalse) {
+ const tSize max_space_needed = endPos + ((PrtFlags & PRINTFLAGS_SHELLESCAPE) ? copyBufLen : 0);
+ if (max_space_needed >= GetMaxSize()) {
+ if (DynExpand (max_space_needed + 1) == vFalse) {
RETURN ('x', CSTRING_PRINT_MemoryError);
}
}
- dassert (endPos < GetMaxSize());
+ dassert (max_space_needed < GetMaxSize());
dassert (pntr != 0);
+ if (PrtFlags & PRINTFLAGS_SHELLESCAPE) {
+ const tChar * const c_bs = (tChar*) "\\";
+ const tChar * const c_0 = (tChar*) "\0";
+ const tChar * const c_dq = (tChar*) "\"";
+ const tChar * const c_d = (tChar*) "$";
+ const tChar * const c_bq = (tChar*) "`";
+ const tChar * const c_qm = (tChar*) "?";
+ // Note that in this case, PrtWidth refers to the string _after_
+ // interpretation by /bin/sh, i.e. after the escaping is removed.
+ if (PrtFlags & PRINTFLAGS_STRINGTYPE) {
+ const tStringChar *p = (tStringChar*)copyBuf;
+ const tStringChar * const p_end = p + copyBufLen;
+ for (;p < p_end; ++p) {
+ if (!s_strncmp(p,c_0,1)) {
+ s_strncpy (pntr + curLen, c_qm, 1);
+ } else {
+ if (!(s_strncmp(p,c_dq,1) &&
+ s_strncmp(p,c_bs,1) &&
+ s_strncmp(p,c_d ,1) &&
+ s_strncmp(p,c_bq,1))) {
+ s_strncpy (pntr + curLen, c_bs, 1);
+ ++curLen;
+ ++endPos;
+ }
+ s_strncpy (pntr + curLen, p, 1);
+ }
+ ++curLen;
+ }
+ } else if (PrtFlags & PRINTFLAGS_LARGE) {
+ const tUWiChar *p = (tUWiChar*)copyBuf;
+ const tUWiChar * const p_end = p + copyBufLen;
+ for (;p < p_end; ++p) {
+ if (!s_strncmp(p,c_0,1)) {
+ s_strncpy (pntr + curLen, c_qm, 1);
+ } else {
+ if (!(s_strncmp(p,c_dq,1) &&
+ s_strncmp(p,c_bs,1) &&
+ s_strncmp(p,c_d,1) &&
+ s_strncmp(p,c_bq,1))) {
+ s_strncpy (pntr + curLen, c_bs, 1);
+ ++curLen;
+ ++endPos;
+ }
+ s_strncpy (pntr + curLen, p, 1);
+ }
+ ++curLen;
+ }
+ } else if (PrtFlags & PRINTFLAGS_SHORT) {
+ const tUChar *p = (tUChar*)copyBuf;
+ const tUChar * const p_end = p + copyBufLen;
+ for (;p < p_end; ++p) {
+ if (!s_strncmp(p,c_0,1)) {
+ s_strncpy (pntr + curLen, c_qm, 1);
+ } else {
+ if (!(s_strncmp(p,c_dq,1) &&
+ s_strncmp(p,c_bs,1) &&
+ s_strncmp(p,c_d,1) &&
+ s_strncmp(p,c_bq,1))) {
+ s_strncpy (pntr + curLen, c_bs, 1);
+ ++curLen;
+ ++endPos;
+ }
+ s_strncpy (pntr + curLen, p, 1);
+ }
+ ++curLen;
+ }
+ } else {
+ dassert((sizeof tChar)== (sizeof tFormatChar));
+ const tChar *p = (tChar*)copyBuf;
+ const tChar * const p_end = p + copyBufLen;
+ for (;p < p_end; ++p) {
+ if (!s_strncmp(p,c_0,1)) {
+ s_strncpy (pntr + curLen, c_qm, 1);
+ } else {
+ if (!(s_strncmp(p,c_dq,1) &&
+ s_strncmp(p,c_bs,1) &&
+ s_strncmp(p,c_d,1) &&
+ s_strncmp(p,c_bq,1))) {
+ s_strncpy (pntr + curLen, c_bs, 1);
+ ++curLen;
+ ++endPos;
+ }
+ s_strncpy (pntr + curLen, p, 1);
+ }
+ ++curLen;
+ }
+ }
+ } else {
if (PrtFlags & PRINTFLAGS_STRINGTYPE) {
s_strncpy (pntr + curLen, (tStringChar *)copyBuf, copyBufLen);
} else if (PrtFlags & PRINTFLAGS_LARGE) {
@@ -596,6 +692,7 @@ tSInt CDynamicString::i_vPrintAppend (tF
} else {
s_strncpy (pntr + curLen, copyBuf, copyBufLen);
}
+ }
pntr[endPos] = '\0';
curLen = endPos;
if ((PrtWidth > copyBufLen) && (FillAppend (' ', PrtWidth - copyBufLen) == vFalse)) {
Index: capi4hylafax-01.03.00/src/standard/aTypes.h
===================================================================
--- capi4hylafax-01.03.00.orig/src/standard/aTypes.h
+++ capi4hylafax-01.03.00/src/standard/aTypes.h
@@ -29,6 +29,7 @@
/*---------------------------------------------------------------------------*\
\*---------------------------------------------------------------------------*/
+#include // should give __WORDSIZE
#include
#if defined HAVE_STDINT_H && HAVE_STDINT_H > 0
++++++ hylafax-4.3.0-dispatch-isdn.diff ++++++
Index: hylafax-4.3.0/util/FaxDispatch.sh
===================================================================
--- hylafax-4.3.0.orig/util/FaxDispatch.sh
+++ hylafax-4.3.0/util/FaxDispatch.sh
@@ -2,8 +2,8 @@
# Dispatch fax to email depending on own MSN or extention (ISDN lines)
# sourced from faxrcvd
#
-if [ "$7" != "" ]; then
- PHONEMATCH=$7\$
+if [ "$CALLID3" != "" ]; then
+ PHONEMATCH=$CALLID3\$
USERENTRY=`grep -v "^#" etc/users | grep "$PHONEMATCH"`
if [ "$USERENTRY" != "" ]; then
USERNAME=`echo $USERENTRY | awk '{print $1}'`
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org