Bugtraq mailing list archives

Re: [SECURITY] [DSA 1085-1] New lynx-cur packages fix several vulnerabilities


From: Thomas Dickey <dickey () radix net>
Date: Fri, 2 Jun 2006 08:33:15 -0400

On Thu, Jun 01, 2006 at 10:20:21AM +0200, Martin Schulze wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

--------------------------------------------------------------------------
Debian Security Advisory DSA 1085-1                    security () debian org
http://www.debian.org/security/                             Martin Schulze
June 1st, 2006                          http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : lynx-ssl
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2004-1617 CAN-2005-3120
BugTraq ID     : 11443
Debian Bug     : 296340


Several vulnerabilities have been discovered in lynx, the popular

"Several" is more than two or three.
But it sounds good in an advisory, even if inaccurate.

text-mode WWW browser.  The Common Vulnerabilities and Exposures
Project identifies the following vulnerabilities:

CVE-2004-1617

    Michal Zalewski discovered that lynx is not able to grok invalid
    HTML including a TEXTAREA tag with a large COLS value and a large
    tag name in an element that is not terminated, and loops forever
    trying to render the broken HTML.

This is only partly true.  As I noted in the Debian bug report which is
associated with this part of the advisory on the 29th:

    The credits on the advisory are inaccurate.  Quoting from Zalewski's
    original mail:
    >
    >  * lynx_die1.html
    >
    >    Lynx loops forever trying to render broken HTML.

    and your advisory states:

          Michal Zalewski discovered that lynx, the popular text-mode WWW
          Browser, is not able to grok invalid HTML including a TEXTAREA tag
          with a large COLS value and a large tag name in an element that is not
          terminated, and loops forever trying to render the broken HTML. The
          same code is present in lynx-ssl.

    Lynx was unaffected by the _broken_ html.  It did not guard against the large
    COLS value.  Zalewski did no analysis, but wrote something that sounded nice(*)
 
Zalewski also stated in a follow-up that he had notified (as is expected
on this list) the vendors of the related programs.  I'm certain this is
incorrect as well, but that's a different thread.  For this discussion,
it is sufficient to point out that Martin Schulze misattributed a
substantial part of the work which was done, and that (read the bug
report) he was aware that this is incorrect.

CAN-2005-3120

    Ulf Härnhammar discovered a buffer overflow that can be remotely
    exploited. During the handling of Asian characters when connecting
    to an NNTP server lynx can be tricked to write past the boundary
    of a buffer which can lead to the execution of arbitrary code.

For the old stable distribution (woody) these problems have been fixed in
version 2.8.5-2.5woody1.

For the stable distribution (sarge) these problems have been fixed in
version 2.8.6-9sarge1.

Indeed.  I commented on these before, but was ignored.
Perhaps you read BugTraq, since you ignore followups to your bug reports.

For the unstable distribution (sid) these problems will be fixed soon.

This also is inaccurate.  To recap (and explain the "have been fixed"),
Ulf sent me a small patch which truncated the buffer (introducing
two new problems: incorrect URL and possibly an incomplete character
sequence).  I wrote a better patch which eliminated these problems:

* eliminate fixed-size buffers in HTrjis() and related functions to avoid
  potential buffer overflow in nntp pages (report by Ulf Harnhammar,
  CAN-2005-3120) -TD

Ulf stated also that he was a member of the Debian security team, and
requested that I not release the patch until a regular announcement of
the issue could be made.  At the same time, there was ongoing
coordination with some packagers to back-port the fix (Red Hat and Gentoo
come to mind).

However, someone in Debian's security team blundered and released a
package with Ulf's patch.  (Since many people including Ulf inspected my
patch, the reason for this is not apparent).

I pointed that out and was ignored.
 
We recommend that you upgrade your lynx-cur package.

lynx-cur already has the fix (from last year).

-- 
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net
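The two fix strategies Dickey contrasts above (truncating the fixed buffer versus sizing it from the input), as an added C illustration that is not lynx's HTrjis() nor either of the patches discussed. It assumes a conversion from 8-bit EUC-JP to 7-bit ISO-2022-JP, whose added escape sequences make the output longer than the input, and a checker that shows what a truncated result loses.

```c
#include <stdlib.h>
#include <string.h>

#define ESC 0x1b

/* Convert 8-bit EUC-JP to 7-bit ISO-2022-JP (JIS).  Every run of kanji
 * gains a 3-byte "ESC $ B" and a 3-byte "ESC ( B", so the result can be
 * up to four times the input: writing it into a same-sized fixed buffer
 * is the overflow pattern the thread describes.  Here the destination is
 * sized from the worst case instead.  Caller frees; NULL on failure.
 * Hypothetical illustration, not lynx's HTrjis(). */
char *euc_to_jis(const unsigned char *in, size_t inlen, size_t *outlen) {
    size_t cap = inlen * 4 + 4;          /* 2 EUC bytes -> at most 8 JIS */
    char *out = malloc(cap);
    size_t o = 0;
    int kanji = 0;
    if (!out) return NULL;
    for (size_t i = 0; i < inlen; i++) {
        if (in[i] >= 0xa1 && in[i] <= 0xfe && i + 1 < inlen) {
            if (!kanji) { memcpy(out + o, "\x1b$B", 3); o += 3; kanji = 1; }
            out[o++] = (char)(in[i] & 0x7f);     /* strip the high bit */
            out[o++] = (char)(in[++i] & 0x7f);
        } else {
            if (kanji) { memcpy(out + o, "\x1b(B", 3); o += 3; kanji = 0; }
            out[o++] = (char)in[i];
        }
    }
    if (kanji) { memcpy(out + o, "\x1b(B", 3); o += 3; }
    out[o] = '\0';
    *outlen = o;
    return out;
}

/* Does a (possibly truncated) JIS string carry only whole escape sequences
 * and whole 2-byte characters, and end back in ASCII mode?  Clipping the
 * converted buffer to a fixed length can violate each of these, which is
 * the "incomplete character sequence" problem raised above. */
int jis_is_complete(const char *s, size_t len) {
    int kanji = 0;
    for (size_t i = 0; i < len; i++) {
        if ((unsigned char)s[i] == ESC) {
            if (i + 2 >= len) return 0;               /* escape cut short */
            if (s[i + 1] == '$' && s[i + 2] == 'B') kanji = 1;
            else if (s[i + 1] == '(' && s[i + 2] == 'B') kanji = 0;
            else return 0;                            /* unknown escape */
            i += 2;
        } else if (kanji) {
            if (i + 1 >= len) return 0;               /* half a character */
            i++;
        }
    }
    return !kanji;                                    /* must reset to ASCII */
}
```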
