1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
|
Subject: Fix insecure directory creation
author: Johannes Segitz
Secure temporary directory creation for faxsetup, faxaddmodem, and
probemodem (13 Jun 2020)
secure the HylaFAX spool directory bin and etc subdirs
In HylaFAX+ through 7.0.2 and HylaFAX Enterprise, the faxsetup utility
calls chown on files in user-owned directories. By winning a race, a local attacker could use this to escalate his privileges to root.
HylaFAX+ through 7.0.2 and HylaFAX Enterprise have scripts that execute binaries from directories
writable by unprivileged users (e.g., locations under /var/spool/hylafax that are
writable by the uucp account). This allows these users to execute code in the context of the user calling these binaries (often root).
This fix CVE-2020-15396 and CVE-2020-15397
bug-debian: https://bugs.debian.org/964198
origin: https://sourceforge.net/p/hylafax/HylaFAX+/2534/
@@ -231,7 +231,10 @@ makeServerDirs::
-idb hylafax.sw.server -dir ${SPOOL}
-${INSTALL} -u ${FAXUSER} -g ${FAXGROUP} -m ${DIRMODE} \
-idb hylafax.sw.server -dir \
- -F ${SPOOL} bin client config dev etc info log recvq status
+ -F ${SPOOL} client config dev info log recvq status
+ -${INSTALL} -u root -g root -m ${DIRMODE} \
+ -idb hylafax.sw.server -dir \
+ -root ${INSTALLROOT} -F ${SPOOL} bin etc
-${INSTALL} -u ${FAXUSER} -g ${FAXGROUP} -m 700 \
-idb hylafax.sw.server -dir \
-F ${SPOOL} sendq doneq docq tmp pollq archive
@@ -108,12 +108,14 @@ if [ "$euid" != "root" ]; then
fi
# security
+o="`umask`"
+umask 077
TMPDIR=`(mktemp -d /tmp/.faxaddmodem.XXXXXX) 2>/dev/null`
+umask "$o"
if test X$TMPDIR = X; then
- TMPDIR=/tmp/.faxaddmodem$$
+ echo "Failed to create temporary directory. Cannot continue."
+ exit 1
fi
-@RM@ -rf $TMPDIR
-(umask 077 ; mkdir $TMPDIR) || exit 1
SH=$SCRIPT_SH # shell for use below
CPATH=$SPOOL/etc/config # prefix of configuration file
@@ -928,12 +928,14 @@ if onServer; then
#
# Setup TMPDIR before anything can trap and rm it
+ o="`umask`"
+ umask 077
TMPDIR=`(mktemp -d /tmp/.faxsetup.XXXXXX) 2>/dev/null`
+ umask "$o"
if test x$TMPDIR = x; then
- TMPDIR=/tmp/.faxsetup$$
+ echo "Failed to create temporary directory. Cannot continue."
+ exit 1
fi
- $RM -rf $TMPDIR
- (umask 077 ; mkdir $TMPDIR) || exit 1
JUNK="etc/setup.tmp"
trap "$RM \$JUNK; $RM -r \$TMPDIR; exit 1" 1 2 15
@@ -78,12 +78,14 @@ test -f $SPOOL/etc/setup.cache || {
. $SPOOL/etc/setup.cache # common configuration stuff
. $SPOOL/etc/setup.modem # modem-specific stuff
+o="`umask`"
+umask 077
TMPDIR=`(mktemp -d /tmp/.probemodem.XXXXXX) 2>/dev/null`
+umask "$o"
if test X$TMPDIR = X; then
- TMPDIR=/tmp/.probemodem$$
+ echo "Failed to create temporary directory. Cannot continue."
+ exit 1
fi
-@RM@ -fr $TMPDIR
-(umask 077 ; mkdir $TMPDIR) || exit 1
SH=$SCRIPT_SH # shell for use below
OUT=$TMPDIR/probemodem$$ # temp file in which modem output is recorded
|
