{"edition": 1, "title": "HylaFAX faxgetty TSI Format String DoS", "bulletinFamily": "software", "published": "2002-07-29T23:14:19", "lastseen": "2017-04-28T13:19:59", "history": [], "modified": "2002-07-29T23:14:19", "reporter": "Christer Oberg()", "hash": "50c0255e558666cb369ad2fa984b4ec16ac598c915c7079c2c6fc573fbf236a5", "viewCount": 1, "href": "https://vulners.com/osvdb/OSVDB:5002", "description": "## Vulnerability Description\nHylaFAX faxgetty contains a flaw that may allow a remote denial of service. The issue is triggered when format string occurs via the TSI data element, which may allow for an attacker to casue the service to stop responding and or execute arbitrary code on the targeted host.\n## Solution Description\nUpgrade to version 4.1.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nHylaFAX faxgetty contains a flaw that may allow a remote denial of service. The issue is triggered when format string occurs via the TSI data element, which may allow for an attacker to casue the service to stop responding and or execute arbitrary code on the targeted host.\n## References:\nVendor URL: http://www.hylafax.org/\n[Vendor Specific Advisory URL](http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2002:055)\n[Vendor Specific Advisory URL](http://www.suse.com/de/security/2002_035_hylafax.html)\n[Vendor Specific Advisory URL](http://www.debian.org/security/2002/dsa-148)\n[Vendor Specific Advisory URL](http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=300)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-07/0358.html\nISS X-Force ID: 9728\n[CVE-2002-1049](https://vulners.com/cve/CVE-2002-1049)\nBugtraq ID: 5348\n", "affectedSoftware": [{"name": "HylaFax", "version": "4.0.2", "operator": "eq"}], "type": "osvdb", "hashmap": [{"key": "affectedSoftware", "hash": "3bc1837181036c07f990d11e9d62bd17"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "eeb736c8ecb83518c461c173037ac0b3"}, {"key": "cvss", "hash": "84813b1457b92d6ba1174abffbb83a2f"}, {"key": "description", "hash": "64eb5505f3763777fa5cf4b19b77563d"}, {"key": "href", "hash": "6836a495794d7714f2395d9c6e86bc11"}, {"key": "modified", "hash": "505fc0350f16135d78a33344cd55a834"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "505fc0350f16135d78a33344cd55a834"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "75dead744d1130c25b773e911db69d89"}, {"key": "title", "hash": "9582260b6e939443138329be0701a390"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}], "references": [], "objectVersion": "1.2", "enchantments": {"score": {"vector": "NONE", "value": 7.5}, "vulnersScore": 7.5}, "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/", "score": 5.0}, "cvelist": ["CVE-2002-1049"], "id": "OSVDB:5002"}

{"cve": [{"lastseen": "2016-09-03T03:31:46", "references": ["http://www.securityfocus.com/bid/5348", "http://www.novell.com/linux/security/advisories/2002_035_hylafax.html", "http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=300", "http://www.mandrakesoft.com/security/advisories?name=MDKSA-2002:055", "http://www.iss.net/security_center/static/9728.php", "http://www.debian.org/security/2002/dsa-148", "http://archives.neohapsis.com/archives/bugtraq/2002-07/0358.html"], "description": "Format string vulnerability in HylaFAX faxgetty before 4.1.3 allows remote attackers to cause a denial of service (crash) via the TSI data element.", "edition": 1, "reporter": "NVD", "published": "2002-10-04T00:00:00", "title": "CVE-2002-1049", "type": "cve", "enchantments": {"score": {"modified": "2016-09-03T03:31:46", "vector": "NONE", "value": 5.0}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2002-1049"], "scanner": [], "cpe": ["cpe:/a:hylafax:hylafax:4.1_beta2", "cpe:/a:hylafax:hylafax:4.1_beta3", "cpe:/a:hylafax:hylafax:4.1_beta1", "cpe:/a:hylafax:hylafax:4.0_pl1", "cpe:/a:hylafax:hylafax:4.0.2", "cpe:/a:hylafax:hylafax:4.0_pl2", "cpe:/a:hylafax:hylafax:4.1.1", "cpe:/a:hylafax:hylafax:4.0_pl0", "cpe:/a:hylafax:hylafax:4.1.2", "cpe:/a:hylafax:hylafax:4.1"], "modified": "2008-09-05T16:29:38", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1049", "id": "CVE-2002-1049", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "suse": [{"lastseen": "2016-09-04T11:18:19", "references": [], "affectedPackage": [{"OS": "openSUSE", "OSVersion": "7.0", "packageVersion": "4.1beta2-217", "packageName": "hylafax", "packageFilename": "hylafax-4.1beta2-217.ppc.rpm", "arch": "ppc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "7.3", "packageVersion": "4.1-112", "packageName": "hylafax", "packageFilename": "hylafax-4.1-112.sparc.rpm", "arch": "sparc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "7.1", "packageVersion": "4.1beta2-245", "packageName": "hylafax", "packageFilename": "hylafax-4.1beta2-245.alpha.rpm", "arch": "alpha", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "7.0", "packageVersion": "4.1beta2-373", "packageName": "hylafax", "packageFilename": "hylafax-4.1beta2-373.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "8.0", "packageVersion": "4.1-285", "packageName": "hylafax", "packageFilename": "hylafax-4.1-285.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "7.2", "packageVersion": "4.1beta2-376", "packageName": "hylafax", "packageFilename": "hylafax-4.1beta2-376.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "7.3", "packageVersion": "4.1-284", "packageName": "hylafax", "packageFilename": "hylafax-4.1-284.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "7.0", "packageVersion": "4.1beta2-244", "packageName": "hylafax", "packageFilename": "hylafax-4.1beta2-244.alpha.rpm", "arch": "alpha", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "7.1", "packageVersion": "4.1beta2-375", "packageName": "hylafax", "packageFilename": "hylafax-4.1beta2-375.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "7.3", "packageVersion": "4.1-189", "packageName": "hylafax", "packageFilename": "hylafax-4.1-189.ppc.rpm", "arch": "ppc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "7.1", "packageVersion": "4.1beta2-218", "packageName": "hylafax", "packageFilename": "hylafax-4.1beta2-218.ppc.rpm", "arch": "ppc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "7.1", "packageVersion": "4.1beta2-218", "packageName": "hylafax", "packageFilename": "hylafax-4.1beta2-218.sparc.rpm", "arch": "sparc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "7.0", "packageVersion": "4.1beta2-218", "packageName": "hylafax", "packageFilename": "hylafax-4.1beta2-218.sparc.rpm", "arch": "sparc", "operator": "lt"}], "description": "HylaFAX is a client-server architecture for receiving and sending facsimiles.", "edition": 1, "reporter": "Suse", "published": "2002-10-07T09:17:55", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "suse", "title": "remote privilege escalation in hylafax", "bulletinFamily": "unix", "cvelist": ["CVE-2002-1049", "CVE-2002-1050"], "modified": "2002-10-07T09:17:55", "id": "SUSE-SA:2002:035", "href": "http://lists.opensuse.org/opensuse-security-announce/2002-10/msg00007.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2018-11-17T03:09:38", "references": ["https://www.securityfocus.com/archive/1/215984"], "pluginID": "13957", "description": "Numerous vulnerabilities in the HylaFAX product exist in versions prior to 4.1.3. It does not check the TSI string which is received from remote FAX systems before using it in logging and other places. A remote sender using a specially formatted TSI string can cause the faxgetty program to segfault, resulting in a denial of service. Format string vulnerabilities were also discovered by Christer Oberg, which exist in a number of utilities bundled with HylaFax, such as faxrm, faxalter, faxstat, sendfax, sendpage, and faxwatch. If any of these tools are setuid, they could be used to elevate system privileges.\nMandrake Linux does not, by default, install these tools setuid.\nFinally, Lee Howard discovered that faxgetty would segfault due to a buffer overflow after receiving a very large line of image data. This vulnerability could conceivably be used to execute arbitrary commands on the system as root, and could also be exploited more easily as a denial of sevice.", "edition": 6, "reporter": "Tenable", "published": "2004-07-31T00:00:00", "title": "Mandrake Linux Security Advisory : hylafax (MDKSA-2002:055)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Mandriva Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-1049", "CVE-2001-1034", "CVE-2002-1050"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/o:mandrakesoft:mandrake_linux:7.2", "p-cpe:/a:mandriva:linux:libhylafax4.1.1-devel", "cpe:/o:mandrakesoft:mandrake_linux:8.2", "p-cpe:/a:mandriva:linux:hylafax-client", "p-cpe:/a:mandriva:linux:libhylafax4.1.1", "cpe:/o:mandrakesoft:mandrake_linux:8.0", "cpe:/o:mandrakesoft:mandrake_linux:7.1", "p-cpe:/a:mandriva:linux:hylafax-server", "cpe:/o:mandrakesoft:mandrake_linux:8.1", "p-cpe:/a:mandriva:linux:hylafax"], "id": "MANDRAKE_MDKSA-2002-055.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=13957", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2002:055. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(13957);\n script_version (\"1.19\");\n script_cvs_date(\"Date: 2018/11/15 20:50:22\");\n\n script_cve_id(\"CVE-2001-1034\", \"CVE-2002-1049\", \"CVE-2002-1050\");\n script_bugtraq_id(3357);\n script_xref(name:\"MDKSA\", value:\"2002:055\");\n\n script_name(english:\"Mandrake Linux Security Advisory : hylafax (MDKSA-2002:055)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Numerous vulnerabilities in the HylaFAX product exist in versions\nprior to 4.1.3. It does not check the TSI string which is received\nfrom remote FAX systems before using it in logging and other places. A\nremote sender using a specially formatted TSI string can cause the\nfaxgetty program to segfault, resulting in a denial of service. Format\nstring vulnerabilities were also discovered by Christer Oberg, which\nexist in a number of utilities bundled with HylaFax, such as faxrm,\nfaxalter, faxstat, sendfax, sendpage, and faxwatch. If any of these\ntools are setuid, they could be used to elevate system privileges.\nMandrake Linux does not, by default, install these tools setuid.\nFinally, Lee Howard discovered that faxgetty would segfault due to a\nbuffer overflow after receiving a very large line of image data. This\nvulnerability could conceivably be used to execute arbitrary commands\non the system as root, and could also be exploited more easily as a\ndenial of sevice.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.securityfocus.com/archive/1/215984\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:hylafax\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:hylafax-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:hylafax-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libhylafax4.1.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libhylafax4.1.1-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:8.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:8.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2002/08/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"hylafax-4.1-0.11mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"hylafax-client-4.1-0.11mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"hylafax-server-4.1-0.11mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"hylafax-4.1-0.11mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"hylafax-client-4.1-0.11mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"hylafax-server-4.1-0.11mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"hylafax-4.1.3-1.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"hylafax-client-4.1.3-1.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"hylafax-server-4.1.3-1.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"libhylafax4.1.1-4.1.3-1.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"libhylafax4.1.1-devel-4.1.3-1.1mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"hylafax-4.1.3-1.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"hylafax-client-4.1.3-1.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"hylafax-server-4.1.3-1.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"libhylafax4.1.1-4.1.3-1.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"libhylafax4.1.1-devel-4.1.3-1.1mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"hylafax-4.1.3-1.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"hylafax-client-4.1.3-1.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"hylafax-server-4.1.3-1.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"libhylafax4.1.1-4.1.3-1.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"libhylafax4.1.1-devel-4.1.3-1.1mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:46:37", "references": ["http://www.debian.org/security/2002/dsa-148"], "pluginID": "14985", "description": "A set of problems have been discovered in Hylafax, a flexible client/server fax software distributed with many GNU/Linux distributions. Quoting SecurityFocus the problems are in detail :\n\n - A format string vulnerability makes it possible for users to potentially execute arbitrary code on some implementations. Due to insufficient checking of input, it's possible to execute a format string attack. Since this only affects systems with the faxrm and faxalter programs installed setuid, Debian is not vulnerable.\n - A buffer overflow has been reported in Hylafax. A malicious fax transmission may include a long scan line that will overflow a memory buffer, corrupting adjacent memory. An exploit may result in a denial of service condition, or possibly the execution of arbitrary code with root privileges.\n\n - A format string vulnerability has been discovered in faxgetty. Incoming fax messages include a Transmitting Subscriber Identification (TSI) string, used to identify the sending fax machine. Hylafax uses this data as part of a format string without properly sanitizing the input. Malicious fax data may cause the server to crash, resulting in a denial of service condition.\n\n - Marcin Dawcewicz discovered a format string vulnerability in hfaxd, which will crash hfaxd under certain circumstances. Since Debian doesn't have hfaxd installed setuid root, this problem cannot directly lead into a vulnerability. This has been fixed by Darren Nickerson, which was already present in newer versions, but not in the potato version.\n\nThese problems have been fixed in version 4.0.2-14.3 for the old stable distribution (potato), in version 4.1.1-1.1 for the current stable distribution (woody) and in version 4.1.2-2.1 for the unstable distribution (sid).", "edition": 6, "reporter": "Tenable", "published": "2004-09-29T00:00:00", "title": "Debian DSA-148-1 : hylafax - buffer overflows and format string vulnerabilities", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 10.0}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-1049", "CVE-2001-0387", "CVE-2001-1034", "CVE-2002-1050"], "modified": "2018-07-20T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:2.2", "cpe:/o:debian:debian_linux:3.0", "p-cpe:/a:debian:debian_linux:hylafax"], "id": "DEBIAN_DSA-148.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=14985", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-148. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(14985);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/07/20 2:17:10\");\n\n script_cve_id(\"CVE-2001-0387\", \"CVE-2001-1034\", \"CVE-2002-1049\", \"CVE-2002-1050\");\n script_bugtraq_id(3357, 5348, 5349);\n script_xref(name:\"DSA\", value:\"148\");\n\n script_name(english:\"Debian DSA-148-1 : hylafax - buffer overflows and format string vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A set of problems have been discovered in Hylafax, a flexible\nclient/server fax software distributed with many GNU/Linux\ndistributions. Quoting SecurityFocus the problems are in detail :\n\n - A format string vulnerability makes it possible for\n users to potentially execute arbitrary code on some\n implementations. Due to insufficient checking of input,\n it's possible to execute a format string attack. Since\n this only affects systems with the faxrm and faxalter\n programs installed setuid, Debian is not vulnerable.\n - A buffer overflow has been reported in Hylafax. A\n malicious fax transmission may include a long scan line\n that will overflow a memory buffer, corrupting adjacent\n memory. An exploit may result in a denial of service\n condition, or possibly the execution of arbitrary code\n with root privileges.\n\n - A format string vulnerability has been discovered in\n faxgetty. Incoming fax messages include a Transmitting\n Subscriber Identification (TSI) string, used to identify\n the sending fax machine. Hylafax uses this data as part\n of a format string without properly sanitizing the\n input. Malicious fax data may cause the server to crash,\n resulting in a denial of service condition.\n\n - Marcin Dawcewicz discovered a format string\n vulnerability in hfaxd, which will crash hfaxd under\n certain circumstances. Since Debian doesn't have hfaxd\n installed setuid root, this problem cannot directly lead\n into a vulnerability. This has been fixed by Darren\n Nickerson, which was already present in newer versions,\n but not in the potato version.\n\nThese problems have been fixed in version 4.0.2-14.3 for the old\nstable distribution (potato), in version 4.1.1-1.1 for the current\nstable distribution (woody) and in version 4.1.2-2.1 for the unstable\ndistribution (sid).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2002/dsa-148\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the hylafax packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:hylafax\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:2.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2002/08/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2001/04/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"2.2\", prefix:\"hylafax-client\", reference:\"4.0.2-14.3\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"hylafax-doc\", reference:\"4.0.2-14.3\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"hylafax-server\", reference:\"4.0.2-14.3\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"hylafax-client\", reference:\"4.1.1-1.1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"hylafax-doc\", reference:\"4.1.1-1.1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"hylafax-server\", reference:\"4.1.1-1.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}