SB2018100937 - Input validation error in hylafax (Alpine package)
Published: October 9, 2018
Security Bulletin ID
SB2018100937
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2018-17141)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
HylaFAX 6.0.6 and HylaFAX+ 5.6.0 allow remote attackers to execute arbitrary code via a dial-in session that provides a FAX page with the JPEG bit enabled, which is mishandled in FaxModem::writeECMData() in the faxd/CopyQuality.c++ file.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=7bbcc9f46e8ac09d9f29df3c3efc164b61b29c15
- https://git.alpinelinux.org/aports/commit/?id=d2222829a2e51028fc69fc5c2c41595e8791fc0e
- https://git.alpinelinux.org/aports/commit/?id=36e800a6544186269dd6307c7dd6b6f3b5174360
- https://git.alpinelinux.org/aports/commit/?id=7d6b7de320d1f663bf6fb6cd3ae142d863cfa52f
- https://git.alpinelinux.org/aports/commit/?id=560432c353fcc6b62d0e2cd4608d55a70cb324a1
- https://git.alpinelinux.org/aports/commit/?id=237666ca2867db3218e5a1cb628fceb554023c53
- https://git.alpinelinux.org/aports/commit/?id=42946288bdd789821b3c3a957b87d80ed7c9dee3
- https://git.alpinelinux.org/aports/commit/?id=d4ebd7cc66c32690a483cb6e2b1d825429a4920c
- https://git.alpinelinux.org/aports/commit/?id=85e4531b6a91a13519196be452785cd3147cd5df