Hello community, here is the log from the commit of package hylafax checked in at Thu Dec 7 20:28:46 CET 2006. -------- --- hylafax/hylafax.changes 2006-08-06 23:08:30.000000000 +0200 +++ /mounts/work_src_done/STABLE/hylafax/hylafax.changes 2006-12-07 00:36:28.000000000 +0100 @@ -1,0 +2,11 @@ +Thu Dec 7 00:33:45 CET 2006 - kkeil@suse.de + +- fix FaxDispatch to take the correct parameter (#212516) + +------------------------------------------------------------------- +Tue Dec 5 17:01:27 CET 2006 - kkeil@suse.de + +- capi4hylafax: security fix against executing arbitrary commands + on the fax receiving system. CVE-2006-3126 (#203515) + +------------------------------------------------------------------- New: ---- capi4hylafax-secfix2.diff hylafax-4.3.0-dispatch-isdn.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ hylafax.spec ++++++ --- /var/tmp/diff_new_pack.w5H5LJ/_old 2006-12-07 20:25:20.000000000 +0100 +++ /var/tmp/diff_new_pack.w5H5LJ/_new 2006-12-07 20:25:20.000000000 +0100 @@ -19,7 +19,7 @@ Conflicts: sendfax Autoreqprov: on Version: 4.3.0 -Release: 1 +Release: 25 Source: %{name}-%{version}.tar.bz2 Source1: latex-cover-1.04.tar.bz2 Source2: %{name}-SuSE.tar.bz2 @@ -31,8 +31,10 @@ Patch4: %{name}-%{version}-fax_user.dif Patch5: %{name}-%{version}-asciifix.dif Patch6: %{name}-%{version}-warning.diff +Patch7: %{name}-%{version}-dispatch-isdn.diff Patch10: capi4hylafax-suse.diff Patch11: capi4hylafax-secfix.diff +Patch12: capi4hylafax-secfix2.diff URL: http://www.hylafax.org BuildRoot: %{_tmppath}/%{name}-%{version}-build Summary: Very Powerful Fax Server @@ -67,7 +69,7 @@ Sam Leffler <sam@engr.sgi.com> %package -n capi4hylafax -License: GPL +License: GNU General Public License (GPL) URL: http://www.avm.de Summary: faxcapi modem for hylafax Group: Hardware/Fax @@ -94,12 +96,14 @@ %patch4 -p1 %patch5 -p1 %patch6 +%patch7 -p1 #-b .valist # need to be executable chmod 755 SuSE/usr/lib/fax/a2pswrap cd ../capi4hylafax-01.03.00 %patch10 -p1 %patch11 -p1 +%patch12 -p1 find ../ -name .cvsignore -exec rm {} \; %build @@ -383,6 +387,11 @@ /etc/config.faxCAPI.sample %changelog -n hylafax +* Thu Dec 07 2006 - kkeil@suse.de +- fix FaxDispatch to take the correct parameter (#212516) +* Tue Dec 05 2006 - kkeil@suse.de +- capi4hylafax: security fix against executing arbitrary commands + on the fax receiving system. CVE-2006-3126 (#203515) * Thu Aug 03 2006 - kkeil@suse.de - update to version 4.3.0 * Fix DCS tag handling in Class2 (BUG 771) (5 May 2006) @@ -712,7 +721,7 @@ - fixed doinst.sh for installion not in running system * Fri May 30 1997 - choeger@suse.de - built new package because of new location of httpd/cgi-bin --> /usr/local/httpd/cgi-bin + -> /usr/local/httpd/cgi-bin * Mon May 05 1997 - choeger@suse.de - added latex-cover v1.03 to the binary distribution * Tue Apr 22 1997 - choeger@suse.de ++++++ capi4hylafax-secfix2.diff ++++++ Index: capi4hylafax-01.03.00/src/faxrecv/faxrecv.cpp =================================================================== --- capi4hylafax-01.03.00.orig/src/faxrecv/faxrecv.cpp +++ capi4hylafax-01.03.00/src/faxrecv/faxrecv.cpp @@ -331,7 +331,7 @@ void CFaxReceive::IsDisconnected (c_info } // Hylafax: <qfile> <ModemDeviceID> <CommID> <Reason> <CIDNumber> <CIDName> <destination> - executeCommand.PrintAppend (" \"%S\" \"%S\" \"%09u\" \"%s\" \"%S\" \"\" \"%S\"", + executeCommand.PrintAppend (" \"%eS\" \"%eS\" \"%09u\" \"%es\" \"%eS\" \"\" \"%eS\"", GetRecvFiles()->GetFirst(), &FaxDevice->DeviceName, jobNr, StateText, GetReceiveID(), &MyNumber); WriteXferLog ("RECV", jobNr, 0, 0, (char *)FaxDevice->DeviceName.GetPointer(), 0, @@ -361,14 +361,14 @@ void CFaxReceive::IsDisconnected (c_info } executeCommand.PrintAppend (" %u 0x%X \"", recvStatus, Reason); - executeCommand.Append (GetReceiveID()); + executeCommand.PrintAppend ("%eS", GetReceiveID()); executeCommand.Append ("\" \""); if (!MyNumber.IsEmpty()) { - executeCommand.Append (&MyNumber); + executeCommand.PrintAppend ("%eS", &MyNumber); } executeCommand.PrintAppend ("\" %u", GetPageCount()); for (COneMultiString *pLauf = GetRecvFiles()->GetFirst(); (pLauf != 0); pLauf = pLauf->GetNext()) { - executeCommand.PrintAppend (" \"%S\"", pLauf); + executeCommand.PrintAppend (" \"%eS\"", pLauf); } } Index: capi4hylafax-01.03.00/src/faxsend/faxsend.cpp =================================================================== --- capi4hylafax-01.03.00.orig/src/faxsend/faxsend.cpp +++ capi4hylafax-01.03.00/src/faxsend/faxsend.cpp @@ -572,7 +572,7 @@ void CFaxSend::IsDisconnected (c_info Re commStr.Print ("%09u", m_commID); // Hylafax: <mailaddr> <qfile> <ModemDeviceID> <CommID> <Reason> - executeCommand.PrintAppend (" \"%S\" \"%S\" \"%S\" \"%S\" \"%s\"", &PollString, + executeCommand.PrintAppend (" \"%eS\" \"%eS\" \"%eS\" \"%eS\" \"%es\"", &PollString, GetRecvFiles()->GetFirst(), &DeviceName, &commStr, StateText); } else { // mgetty: <RecvStatus> <Hangup Code> "<sender id>" "<poll text>" <nr of pages> <file(s)> @@ -591,10 +591,10 @@ void CFaxSend::IsDisconnected (c_info Re case 3: break; } - executeCommand.PrintAppend (" %u 0x%X \"%S\" \"%S\" %u", recvStatus, Reason, GetReceiveID(), + executeCommand.PrintAppend (" %u 0x%X \"%eS\" \"%eS\" %u", recvStatus, Reason, GetReceiveID(), &PollString, GetPageCount()); for (COneMultiString *pLauf = GetRecvFiles()->GetFirst(); (pLauf != 0); pLauf = pLauf->GetNext()) { - executeCommand.PrintAppend (" \"%s\"", pLauf->GetPointer()); + executeCommand.PrintAppend (" \"%es\"", pLauf->GetPointer()); } } Index: capi4hylafax-01.03.00/src/standard/CString.cpp =================================================================== --- capi4hylafax-01.03.00.orig/src/standard/CString.cpp +++ capi4hylafax-01.03.00/src/standard/CString.cpp @@ -44,6 +44,9 @@ #define PRINTFLAGS_NEAR 0x0400 // Placeholder is a NEAR-pointer #define PRINTFLAGS_QUESTION 0x0800 // Sizeof Char specified before string #define PRINTFLAGS_STRINGTYPE 0x1000 // Placeholder is a CDynamicString-Pointer +#define PRINTFLAGS_SHELLESCAPE 0x2000 // The placeholder should be filled in with + // a string suitable for passing to /bin/sh + // between double quotes. /*===========================================================================*\ \*===========================================================================*/ @@ -389,6 +392,10 @@ tSInt CDynamicString::i_vPrintAppend (tF PrtFlags |= PRINTFLAGS_SHORT; break; + case 'e': + PrtFlags |= PRINTFLAGS_SHELLESCAPE; + break; + /*----- WIDTH or PRECISION-----*/ case '0': if (PrtPreci == -2) { @@ -580,13 +587,102 @@ tSInt CDynamicString::i_vPrintAppend (tF PrtWidth = 0; } tSize endPos = curLen + copyBufLen; - if (endPos >= GetMaxSize()) { - if (DynExpand (endPos + 1) == vFalse) { + const tSize max_space_needed = endPos + ((PrtFlags & PRINTFLAGS_SHELLESCAPE) ? copyBufLen : 0); + if (max_space_needed >= GetMaxSize()) { + if (DynExpand (max_space_needed + 1) == vFalse) { RETURN ('x', CSTRING_PRINT_MemoryError); } } - dassert (endPos < GetMaxSize()); + dassert (max_space_needed < GetMaxSize()); dassert (pntr != 0); + if (PrtFlags & PRINTFLAGS_SHELLESCAPE) { + const tChar * const c_bs = (tChar*) "\\"; + const tChar * const c_0 = (tChar*) "\0"; + const tChar * const c_dq = (tChar*) "\""; + const tChar * const c_d = (tChar*) "$"; + const tChar * const c_bq = (tChar*) "`"; + const tChar * const c_qm = (tChar*) "?"; + // Note that in this case, PrtWidth refers to the string _after_ + // interpretation by /bin/sh, i.e. after the escaping is removed. + if (PrtFlags & PRINTFLAGS_STRINGTYPE) { + const tStringChar *p = (tStringChar*)copyBuf; + const tStringChar * const p_end = p + copyBufLen; + for (;p < p_end; ++p) { + if (!s_strncmp(p,c_0,1)) { + s_strncpy (pntr + curLen, c_qm, 1); + } else { + if (!(s_strncmp(p,c_dq,1) && + s_strncmp(p,c_bs,1) && + s_strncmp(p,c_d ,1) && + s_strncmp(p,c_bq,1))) { + s_strncpy (pntr + curLen, c_bs, 1); + ++curLen; + ++endPos; + } + s_strncpy (pntr + curLen, p, 1); + } + ++curLen; + } + } else if (PrtFlags & PRINTFLAGS_LARGE) { + const tUWiChar *p = (tUWiChar*)copyBuf; + const tUWiChar * const p_end = p + copyBufLen; + for (;p < p_end; ++p) { + if (!s_strncmp(p,c_0,1)) { + s_strncpy (pntr + curLen, c_qm, 1); + } else { + if (!(s_strncmp(p,c_dq,1) && + s_strncmp(p,c_bs,1) && + s_strncmp(p,c_d,1) && + s_strncmp(p,c_bq,1))) { + s_strncpy (pntr + curLen, c_bs, 1); + ++curLen; + ++endPos; + } + s_strncpy (pntr + curLen, p, 1); + } + ++curLen; + } + } else if (PrtFlags & PRINTFLAGS_SHORT) { + const tUChar *p = (tUChar*)copyBuf; + const tUChar * const p_end = p + copyBufLen; + for (;p < p_end; ++p) { + if (!s_strncmp(p,c_0,1)) { + s_strncpy (pntr + curLen, c_qm, 1); + } else { + if (!(s_strncmp(p,c_dq,1) && + s_strncmp(p,c_bs,1) && + s_strncmp(p,c_d,1) && + s_strncmp(p,c_bq,1))) { + s_strncpy (pntr + curLen, c_bs, 1); + ++curLen; + ++endPos; + } + s_strncpy (pntr + curLen, p, 1); + } + ++curLen; + } + } else { + dassert((sizeof tChar)== (sizeof tFormatChar)); + const tChar *p = (tChar*)copyBuf; + const tChar * const p_end = p + copyBufLen; + for (;p < p_end; ++p) { + if (!s_strncmp(p,c_0,1)) { + s_strncpy (pntr + curLen, c_qm, 1); + } else { + if (!(s_strncmp(p,c_dq,1) && + s_strncmp(p,c_bs,1) && + s_strncmp(p,c_d,1) && + s_strncmp(p,c_bq,1))) { + s_strncpy (pntr + curLen, c_bs, 1); + ++curLen; + ++endPos; + } + s_strncpy (pntr + curLen, p, 1); + } + ++curLen; + } + } + } else { if (PrtFlags & PRINTFLAGS_STRINGTYPE) { s_strncpy (pntr + curLen, (tStringChar *)copyBuf, copyBufLen); } else if (PrtFlags & PRINTFLAGS_LARGE) { @@ -596,6 +692,7 @@ tSInt CDynamicString::i_vPrintAppend (tF } else { s_strncpy (pntr + curLen, copyBuf, copyBufLen); } + } pntr[endPos] = '\0'; curLen = endPos; if ((PrtWidth > copyBufLen) && (FillAppend (' ', PrtWidth - copyBufLen) == vFalse)) { Index: capi4hylafax-01.03.00/src/standard/aTypes.h =================================================================== --- capi4hylafax-01.03.00.orig/src/standard/aTypes.h +++ capi4hylafax-01.03.00/src/standard/aTypes.h @@ -29,6 +29,7 @@ /*---------------------------------------------------------------------------*\ \*---------------------------------------------------------------------------*/ +#include <limits.h> // should give __WORDSIZE #include <wchar.h> #if defined HAVE_STDINT_H && HAVE_STDINT_H > 0 ++++++ hylafax-4.3.0-dispatch-isdn.diff ++++++ Index: hylafax-4.3.0/util/FaxDispatch.sh =================================================================== --- hylafax-4.3.0.orig/util/FaxDispatch.sh +++ hylafax-4.3.0/util/FaxDispatch.sh @@ -2,8 +2,8 @@ # Dispatch fax to email depending on own MSN or extention (ISDN lines) # sourced from faxrcvd # -if [ "$7" != "" ]; then - PHONEMATCH=$7\$ +if [ "$CALLID3" != "" ]; then + PHONEMATCH=$CALLID3\$ USERENTRY=`grep -v "^#" etc/users | grep "$PHONEMATCH"` if [ "$USERENTRY" != "" ]; then USERNAME=`echo $USERENTRY | awk '{print $1}'` ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org