Bugtraq mailing list archives
Re: [SECURITY] [DSA 1085-1] New lynx-cur packages fix several vulnerabilities
From: Thomas Dickey <dickey () radix net>
Date: Fri, 2 Jun 2006 08:33:15 -0400
On Thu, Jun 01, 2006 at 10:20:21AM +0200, Martin Schulze wrote:
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 1085-1                    security () debian org
> http://www.debian.org/security/                             Martin Schulze
> June 1st, 2006                          http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
>
> Package        : lynx-ssl
> Vulnerability  : several
> Problem type   : remote
> Debian-specific: no
> CVE IDs        : CVE-2004-1617 CAN-2005-3120
> BugTraq ID     : 11443
> Debian Bug     : 296340
>
> Several vulnerabilities have been discovered in lynx, the popular
"Several" is more than two or three. But it sounds good in an advisory, even if inaccurate.
> text-mode WWW browser. The Common Vulnerabilities and Exposures Project
> identifies the following vulnerabilities:
>
> CVE-2004-1617
>
>     Michal Zalewski discovered that lynx is not able to grok invalid HTML
>     including a TEXTAREA tag with a large COLS value and a large tag name
>     in an element that is not terminated, and loops forever trying to
>     render the broken HTML.
This is only partly true. As I noted in the Debian bug report which is
associated with this part of the advisory on the 29th:

The credits on the advisory are inaccurate. Quoting from Zalewski's
original mail:

> > * lynx_die1.html
> > Lynx loops forever trying to render broken HTML.

and your advisory states:

Michal Zalewski discovered that lynx, the popular text-mode WWW Browser,
is not able to grok invalid HTML including a TEXTAREA tag with a large
COLS value and a large tag name in an element that is not terminated, and
loops forever trying to render the broken HTML. The same code is present
in lynx-ssl.

Lynx was unaffected by the _broken_ html. It did not guard against the
large COLS value. Zalewski did no analysis, but wrote something that
sounded nice(*)

Zalewski also stated on a followup that he had notified (as is expected
on this list) the vendors of the related programs. I'm certain this is
incorrect as well, but that's a different thread. For this discussion,
it is sufficient to point out that Martin Schulze misattributed a
substantial part of the work which was done, and that (read the bug
report) he was aware that this is incorrect.
> CAN-2005-3120
>
>     Ulf Härnhammar discovered a buffer overflow that can be remotely
>     exploited. During the handling of Asian characters when connecting to
>     an NNTP server lynx can be tricked to write past the boundary of a
>     buffer which can lead to the execution of arbitrary code.
>
> For the old stable distribution (woody) these problems have been fixed in
> version 2.8.5-2.5woody1.
>
> For the stable distribution (sarge) these problems have been fixed in
> version 2.8.6-9sarge1.
Indeed. I commented on these before, but was ignored. Perhaps you read BugTraq, since you ignore followups to your bug reports.
> For the unstable distribution (sid) these problems will be fixed soon.
This also is inaccurate. To recap (and explain the "have been fixed"),
Ulf sent me a small patch which truncated the buffer (introducing two new
problems: incorrect URL and possibly an incomplete character sequence).
I wrote a better patch which eliminated these problems:

    * eliminate fixed-size buffers in HTrjis() and related functions to
      avoid potential buffer overflow in nntp pages (report by Ulf
      Harnhammar, CAN-2005-3120) -TD

Ulf stated also that he was a member of the Debian security team, and
requested that I not release the patch until a regular announcement of
the issue could be made. At the same time, there was ongoing coordination
with some packagers to back-port the fix (Redhat and Gentoo come to
mind). However, someone in Debian's security team blundered and released
a package with Ulf's patch. (Since many people including Ulf inspected my
patch, the reason for this is not apparent). I pointed that out and was
ignored.
> We recommend that you upgrade your lynx-cur package.
lynx-cur already has the fix (from last year).

-- 
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net
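The two fixes Dickey contrasts above (truncating the fixed-size buffer versus eliminating it) differ in a way a small model makes concrete. The following is an added C example, not lynx's code and not a reproduction of HTrjis(): it uses a hypothetical, simplified converter that wraps runs of 8-bit bytes in JIS escape sequences (ESC $ B ... ESC ( B), so the output grows beyond the input. Writing into a fixed 8-byte buffer cuts the conversion off and leaves a decoder in kanji mode with an odd, incomplete byte sequence; measuring first and then allocating keeps the sequence intact.

```c
#include <stdlib.h>
#include <string.h>
#define ESC 0x1b

/* Append one byte (only count it when out is NULL); 0 when the buffer is full. */
static int put(char *out, size_t cap, size_t *o, int c) {
    if (out && *o + 1 >= cap) return 0;     /* keep room for the final NUL */
    if (out) out[*o] = (char)c;
    (*o)++;
    return 1;
}

/* Hypothetical converter: wrap 8-bit byte runs in ESC $ B ... ESC ( B and strip the high bit. */
static size_t to_jis(const char *in, char *out, size_t cap) {
    size_t o = 0;
    int kanji = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        int hi = *p >= 0x80;
        if (hi != kanji) {                  /* charset switch: 3-byte escape */
            kanji = hi;
            if (!put(out, cap, &o, ESC) || !put(out, cap, &o, hi ? '$' : '(')
                || !put(out, cap, &o, 'B')) break;
        }
        if (!put(out, cap, &o, *p & 0x7f)) break;
    }
    if (kanji && put(out, cap, &o, ESC) && put(out, cap, &o, '('))
        put(out, cap, &o, 'B');              /* close the run; may be cut off */
    if (out && cap) out[o] = '\0';
    return o;
}

/* Growing fix: measure first, then allocate exactly.  Caller frees. */
char *to_jis_alloc(const char *in) {
    size_t need = to_jis(in, NULL, 0);
    char *out = malloc(need + 1);
    if (out) to_jis(in, out, need + 1);
    return out;
}

/* 1 if every ESC has its two following bytes and the string ends in ASCII mode. */
int jis_well_formed(const char *s) {
    int kanji = 0;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (*p != ESC) continue;
        if (p[1] == '\0' || p[2] == '\0') return 0;
        kanji = (p[1] == '$');
        p += 2;
    }
    return !kanji;
}
```

Calling to_jis with a fixed 8-byte buffer models the truncating patch; to_jis_alloc models the fix that removes the fixed-size buffer.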