Address CVE-2018-17141 and fix a few vulnerabilities in code supporting JPEG
These changes are adapted from Lee's fix for this vulnerability.
Luis Merino, Markus Vervier, and Eric Sesterhenn of X41 D-SEC GmbH
(Security Advisory: X41-2018-008) discovered an uninitialized pointer write
and also an out-of-bounds write in FaxModem::writeECMData() that could lead
to remote code execution with a specially-crafted fax sender.
These changes fix the coding errors and deliberately prevent malicious and
malfunctioning senders from inadvertently or deliberately setting JPEG and
MH/MR/MMR/JBIG formats in the same DCS signal.
libtiff 4.0 changed a few things:
- no more TIFFDirEntry
- Moved to "Classic" vs "Big" tiffs, so renamed some things
- Moved to 64-bit types for bytecounts/offsets
Aidan Van Dyk [Thu, 3 Nov 2011 19:58:08 +0000 (15:58 -0400)]
hfaxd: Release old accept fd
By unlinking from the dispatcher early, we prevented it from being
closed in the child, leaving an open listening fd on the main hfaxd
port.
If the main (parent) hfaxd exits, the child will inherit the listen
but won't actually include it in its selects, or handle it. It just
prevents a new master hfaxd from binding to it.
Aidan Van Dyk [Thu, 3 Nov 2011 15:46:40 +0000 (11:46 -0400)]
hfaxd: Make source port for active connections be ctrl port - 1
Traditionally, active FTP data connections come from port - 1 (4558 by default).
Even though firewalls now don't usually rely on that, but instead do active control connection
inspection to find ports being used, let's try and be as nice as we can to
non-FTP-aware firewalls.
This was subtracting 1 before the byte swap, causing it to be 4303 on little
endian machines.
Aidan Van Dyk [Mon, 29 Aug 2011 17:36:38 +0000 (13:36 -0400)]
DialRules - recursively allow dialrules to reference others
This allows rules to reference other rules. The names are looked up
at runtime, not parse time, so they can reference rules not yet
defined. The expected usage would be to reference a "canonicalization" rule
(either CanonicalNumber directly, or through some independent rule) in
multiple places without needing repeats.
The replace format is of the form \Name(...)
Example dialrules:
! rules to canonicalize numbers to +IDD format
CanonicalNumber := [
....
]
DialString := [
.* = \CanonicalNumber(&) ! Get the canonical
^[+]${Country}${Area} = ! Local call
^[+]${Country} = ${LDPrefix} ! domestic long distance
^[+] = ${IDDPrefix} ! International
]
There is a recursion depth limit in this, just to avoid infinite rule recursion.
Pattern rules may contain 0 length matches, such as:
(^[+])?([0-9]*)
We have nothing to replace it with (mlen = 0), so trying to extract
it from the string causes an abort. If there is nothing to replace
it with, there is nothing to try extracting for insertion.
If the match reference was not matched in the string, StartOfMatch and
EndOfMatch both return -1, leaving mlen = 0, making it an ideal check
if there is something to extract and insert.
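The zero-length / unmatched-group case from the two notes above, as an added example that is not HylaFAX code: it uses POSIX regex instead of HylaFAX's own StartOfMatch/EndOfMatch API, and treats a non-participating group (offsets -1) the same as an empty match, so nothing is extracted when mlen is 0.

```c
#include <regex.h>
#include <stddef.h>
#include <string.h>

/* Copy capture group `group` of `pattern` (matched against `str`) into out.
 * Returns the match length. 0 means there is nothing to insert: the group
 * either matched zero characters or did not participate at all, in which
 * case regexec() reports rm_so == rm_eo == -1. No extraction is attempted
 * for mlen == 0, which is the check the commit describes.
 * Returns -1 if the pattern does not compile or does not match. */
int extract_group(const char *pattern, const char *str, int group,
                  char *out, size_t outlen)
{
    regex_t re;
    regmatch_t m[10];
    if (group < 0 || group >= 10 || outlen == 0) return -1;
    if (regcomp(&re, pattern, REG_EXTENDED) != 0) return -1;
    int rc = regexec(&re, str, 10, m, 0);
    regfree(&re);
    if (rc != 0) return -1;
    int start = (int)m[group].rm_so, end = (int)m[group].rm_eo;
    int mlen = (start < 0 || end < 0) ? 0 : end - start;  /* unmatched -> 0 */
    if (mlen == 0) { out[0] = '\0'; return 0; }          /* nothing to insert */
    if ((size_t)mlen >= outlen) mlen = (int)outlen - 1;   /* never overrun out */
    memcpy(out, str + start, (size_t)mlen);
    out[mlen] = '\0';
    return mlen;
}

/* Length-only wrapper for the pattern from the commit message. */
int group_len(const char *pattern, const char *str, int group)
{
    char buf[64];
    return extract_group(pattern, str, group, buf, sizeof buf);
}
```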
Combine all Fontmap files in memory, including new Fontmap.HylaFAX
Reads the Fontmap.HylaFAX created by faxsetup when existing Fontmap
is missing filename mappings. Combine all Fontmap files so that aliases
can now point to entries in other Fontmap files.
If the existing Fontmap files do not provide the information to
find the default font, creates a private Fontmap.HylaFAX file
that will list all pfb fonts found to their font names. No
aliases are generated by this and every Fontmap file is searched
for any alias.
If a previous faxsetup had added Fontmap/Fontpath lines in
hyla.conf and the hardcoded Fontmap path is the same as the
installed Ghostscript search path, the previously added
Fontmap/Fontpath lines were left untouched even if they
were not valid anymore.
This patch now looks for a valid combination to set in hyla.conf
and will remove unneeded lines if necessary. It will even set
a default font (using a font filename) if the default "Courier"
font (or any font specified in hyla.conf) is not found using
the Fontmap files.
Do not warn about one of the Fontpath directories not existing
Fontpath usually contains multiple directories with one or more
not existing. Having faxsetup warn the user about this directory
not existing and having the possibility of causing problems just
confuses users. There is already a warning if no .afm file is
found in any of those directories. That should be enough.
Aidan Van Dyk [Mon, 30 Aug 2010 17:51:42 +0000 (13:51 -0400)]
Class2: Fix hangup cause handling
This makes sure that errors on reception in Class2 aren't "missed", as seen in:
Date: Mon, 30 Aug 2010 16:20:51 +0200
From: Giuseppe Sacco <giuseppe@eppesuigoccas.homedns.org>
Subject: [hylafax-users] COMREC error (code 72), Normal and proper end of connection,
To: hylafax-users@hylafax.org
Message-ID: <1283178051.5043.21.camel@scarafaggio>
Aidan Van Dyk [Wed, 5 May 2010 15:42:46 +0000 (11:42 -0400)]
pdf2fax/ps2fax: Use -dMaxStripSize=0
Ghostscript changed their default from 0. Unfortunately, in 8.71, they used a
small 8K, which causes "blank images" when this is sent in 2D-MMR right to the
client by faxsend assuming it's a single strip.
Jorn Dreyer noticed that the call to pdf2fax from ConvertFile
was incorrect in its handling of the output filename.
The same problem affected the ps2fax call.
Patrice Fournier [Fri, 22 Jan 2010 21:24:26 +0000 (16:24 -0500)]
Allow "any" as answer method for FIFO messages
"ANSWER modem" hfaxd command with no method sends "any" as the method.
faxanswer defaults to an empty method, but lists "any" as a valid method
in the man page. This method was not accepted by faxgetty. This adds the
"any" method as an alias to no method at all.
Aidan Van Dyk [Wed, 4 Nov 2009 20:38:43 +0000 (15:38 -0500)]
faxsend: Class 1 ECM when skipping pages needs to be more careful
pageNumberOfCall is not a generic number - it's used explicitly for putting the
page number in the ECM frames... This is ECM specific to Class 1, and needs to
march forward 1 every page sent in a call, regardless of job, skipping, etc.
Patrice Fournier [Tue, 12 Oct 2010 15:35:25 +0000 (11:35 -0400)]
Re-order library files in fchmod() configure check
Newer gcc -E stops its output on the first missing include file so we must
make sure that a possibly missing file in the list of headers to check is at
the end.
If the blank data at the end of a page is more than 64K, then it doesn't fit
into a 'Z%04x' field. In reality, the only way you get more than 64K of blank
data is if the tiff encodes the blanks pixel for pixel, and *not* encoding.
Fortunately, the only program I've seen that does that is Microsoft FAX
service.
Unfortunately, if it is > 64K, we need to limit it, otherwise we end up with
something like:
Internal botch; unknown post-page handling string "e1Z131b0P"
Aidan Van Dyk [Fri, 12 Jun 2009 15:31:53 +0000 (11:31 -0400)]
clients: Add -O option
This adds a -O <option> syntax to the HylaFAX clients. This is
similar to the -c <option> on the server counterparts. Unfortunately
-c is already used by many clients (and -O is used for other things on
the server parts).
This gives you the ability to set any config option on a per-invocation
basis, like:
faxstat -O 'JobFmt: %j,%s' -O 'RecvFmt: %m' -r -d -s
Aidan Van Dyk [Fri, 12 Jun 2009 15:29:38 +0000 (11:29 -0400)]
hfaxd/faxq: Add -c <option> to hfaxd/faxq as done in faxsend/faxgetty
This means all the "server" components of HylaFAX take -c option
arguments on the command line. faxq, faxsend and faxgetty have
already done this, this gives hfaxd that ability too. It's useful
if you need to start hfaxd with some option that you don't want
going in the config file.
This also documents the -c option in the rest of the man pages.
Aidan Van Dyk [Fri, 14 Aug 2009 16:14:00 +0000 (12:14 -0400)]
hfaxd: Cleanup uid initialization and theoretical overflow
This fixes a "technical" array overflow:
FAXUID_MAX == FAXUID_ANON == 60002 == array size.
array[FAXUID_ANON] is out of bounds
It happens to not be one because our "bit array" doesn't end exactly
on long boundaries, so the out-of-bounds by 1 is still in the allocated
"long array".
This also tightens up checks on acceptable uid values before being used
or assigned.
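The off-by-one described above, as an added example that is not hfaxd's code: the constants mirror the values in the commit message, the bit array is a constructed stand-in for hfaxd's uid map, and the functions show why index FAXUID_ANON is logically out of bounds yet still lands inside the rounded-up allocation, together with the tightened bounds check.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

/* Values from the commit message: array size equals FAXUID_MAX, and
 * FAXUID_ANON equals FAXUID_MAX, so array[FAXUID_ANON] is one past the end. */
#define FAXUID_MAX  60002u
#define FAXUID_ANON 60002u

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)
/* Storage is rounded up to whole longs: 938 longs (64-bit) or 1876 (32-bit),
 * i.e. 60032 bits, so bit 60002 sits in the slack past the logical bound. */
#define NLONGS ((FAXUID_MAX + BITS_PER_LONG - 1) / BITS_PER_LONG)

static unsigned long uidmap[NLONGS];   /* constructed stand-in bit array */

/* Logical bound: valid uids are 0 .. FAXUID_MAX-1. This is the check that
 * must be applied before a uid is used or assigned. */
bool uid_in_bounds(unsigned uid) { return uid < FAXUID_MAX; }

/* Whether the bit index still falls inside the memory actually allocated.
 * True for FAXUID_ANON, which is why the overflow was "only theoretical". */
bool uid_in_allocation(unsigned uid) { return uid / BITS_PER_LONG < NLONGS; }

/* Hardened accessors: refuse anything outside the logical bound. */
bool uid_set(unsigned uid)
{
    if (!uid_in_bounds(uid)) return false;
    uidmap[uid / BITS_PER_LONG] |= 1UL << (uid % BITS_PER_LONG);
    return true;
}

bool uid_test(unsigned uid)
{
    if (!uid_in_bounds(uid)) return false;
    return (uidmap[uid / BITS_PER_LONG] >> (uid % BITS_PER_LONG)) & 1UL;
}
```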
That commit changed the recvData API callback from:
bool (*f)(void*, const char*, int, fxStr&)
to:
bool (*f)(int, const char*, int, fxStr&)
Which is the exact *wrong* thing to do, and did it under the guise of
AMD fixes... That warning is properly fixed here as well as bringing the
API back to the (void*) argument.
Aidan Van Dyk [Fri, 7 Aug 2009 17:42:33 +0000 (13:42 -0400)]
IPv6: Rework initial bind
From the getaddrinfo man page:
AI_PASSIVE  If the AI_PASSIVE bit is set it indicates that the returned socket
address structure is intended for use in a call to bind(2). In this case, if
the hostname argument is the null pointer, then the IP address portion of the
socket address structure will be set to INADDR_ANY for an IPv4 address or
IN6ADDR_ANY_INIT for an IPv6 address.
If the AI_PASSIVE bit is not set, the returned socket address structure will
be ready for use in a call to connect(2) for a connection-oriented protocol or
connect(2), sendto(2), or sendmsg(2) if a connectionless protocol was chosen.
The IP address portion of the socket address structure will be set to the
loopback address if hostname is the null pointer and AI_PASSIVE is not set.
We were doing this manually by memset-ing the sockaddr if bindaddress was
null, but this is the proper way to do it.
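The AI_PASSIVE approach the commit switches to, as an added example that is not hfaxd's code: a possibly-NULL bind address is handed straight to getaddrinfo() so the resolver fills in the wildcard address itself, and a check confirms the result is INADDR_ANY / in6addr_any. Port 4559 (the control port implied by "4558 by default" above) is used only as a sample value.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Resolve the address to bind to. With AI_PASSIVE, a NULL bindaddress yields
 * the wildcard address for the family, replacing a hand-memset sockaddr.
 * Returns 0 on success; the caller releases *res with freeaddrinfo(). */
int resolve_bind_address(const char *bindaddress, const char *port,
                         int family, struct addrinfo **res)
{
    struct addrinfo hints;
    memset(&hints, 0, sizeof hints);
    hints.ai_family   = family;                     /* AF_INET, AF_INET6, AF_UNSPEC */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags    = AI_PASSIVE | AI_NUMERICSERV; /* for bind(2); numeric port */
    return getaddrinfo(bindaddress, port, &hints, res);
}

/* 1 if the resolved address is the "any" address of its family. */
int is_wildcard(const struct addrinfo *ai)
{
    if (ai->ai_family == AF_INET) {
        const struct sockaddr_in *s4 = (const struct sockaddr_in *)ai->ai_addr;
        return s4->sin_addr.s_addr == htonl(INADDR_ANY);
    }
    if (ai->ai_family == AF_INET6) {
        const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)ai->ai_addr;
        return IN6_IS_ADDR_UNSPECIFIED(&s6->sin6_addr);
    }
    return 0;
}

/* Does a NULL bindaddress resolve to the wildcard for `family`? */
int null_bind_gives_wildcard(int family)
{
    struct addrinfo *res = NULL;
    if (resolve_bind_address(NULL, "4559", family, &res) != 0 || res == NULL)
        return 0;
    int ok = is_wildcard(res);
    freeaddrinfo(res);
    return ok;
}
```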
If skipped pages are not counted, make sure to not trace skipped pages as
faxed and to use the same page number for sent pages as in the tagline.
(cherry picked from commit 9ffba03b5ba4f41999b6231c6a1850ccffcad8aa)
Because other code relies on errno being set correctly from the
result of a previous syscall.
(cherry picked from commit baefdd9588a8169679d32be84c0a26f3523c3664)
Aidan Van Dyk [Sat, 23 May 2009 12:22:02 +0000 (12:22 +0000)]
Socket fixes for BSD 4.4 sockets
Giovanni Bechis reported things not working on OpenBSD, which uses the BSD
4.4 sockaddr struct which doesn't have sa_family as the first member. So
we can't rely on a family being the first member of our union either.
(cherry picked from commit 9695174b15fa8839ec7203c4c6def1a1b87e5f5d)
Patrice Fournier [Fri, 15 May 2009 17:50:52 +0000 (17:50 +0000)]
Cleanup distrules
Update list of files to distribute in the tarball and make sure
`make release.tar` will build a correctly named release tarball.
(cherry picked from commit 9d866b3ab4d325f890051fc8e7fa4cef83e33030)
Tim Rice [Sat, 18 Apr 2009 03:08:05 +0000 (03:08 +0000)]
[Makefile.in port/Makefile.in libhylafax/Makefile.in] port/version.c and
libhylafax/pagesizes are generated files that should be removed on a
"make distclean".