
| Subject: | Re: [SECURITY] [DSA 1085-1] New lynx-cur packages fix several vulnerabilities |
|---|---|
| Date: | Fri, 2 Jun 2006 08:33:15 -0400 |
On Thu, Jun 01, 2006 at 10:20:21AM +0200, Martin Schulze wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1085-1                     security@debian.org
http://www.debian.org/security/                              Martin Schulze
June 1st, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : lynx-ssl
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2004-1617 CAN-2005-3120
BugTraq ID     : 11443
Debian Bug     : 296340

Several vulnerabilities have been discovered in lynx, the popular
"Several" is more than two or three. But it sounds good in an advisory, even if inaccurate.
text-mode WWW browser. The Common Vulnerabilities and Exposures
Project identifies the following vulnerabilities:
CVE-2004-1617
Michal Zalewski discovered that lynx is not able to grok invalid
HTML including a TEXTAREA tag with a large COLS value and a large
tag name in an element that is not terminated, and loops forever
trying to render the broken HTML.
This is only partly true. As I noted in the Debian bug report which is
associated with this part of the advisory on the 29th:
The credits on the advisory are inaccurate. Quoting from Zalewski's
original mail:
>
> * lynx_die1.html
>
> Lynx loops forever trying to render broken HTML.
and your advisory states:
Michal Zalewski discovered that lynx, the popular text-mode WWW
Browser, is not able to grok invalid HTML including a TEXTAREA tag
with a large COLS value and a large tag name in an element that is not
terminated, and loops forever trying to render the broken HTML. The
same code is present in lynx-ssl.
Lynx was unaffected by the _broken_ html. It did not guard against the
large COLS value. Zalewski did no analysis, but wrote something that
sounded nice(*)
Zalewski also stated on a followup that he had notified (as is expected
on this list) the vendors of the related programs. I'm certain this is
incorrect as well, but that's a different thread. For this discussion,
it is sufficient to point out that Martin Schulze misattributed a
substantial part of the work which was done, and that (read the bug
report) he was aware that this is incorrect.
CAN-2005-3120
Ulf Härnhammar discovered a buffer overflow that can be remotely
exploited. During the handling of Asian characters when connecting
to an NNTP server lynx can be tricked to write past the boundary
of a buffer which can lead to the execution of arbitrary code.
For the old stable distribution (woody) these problems have been fixed in
version 2.8.5-2.5woody1.
For the stable distribution (sarge) these problems have been fixed in
version 2.8.6-9sarge1.
Indeed. I commented on these before, but was ignored. Perhaps you read BugTraq, since you ignore followups to your bug reports.
For the unstable distribution (sid) these problems will be fixed soon.
This also is inaccurate. To recap (and explain the "have been fixed"), Ulf
sent me a small patch which truncated the buffer (introducing two new
problems: incorrect URL and possibly an incomplete character sequence). I
wrote a better patch which eliminated these problems:

    * eliminate fixed-size buffers in HTrjis() and related functions to
      avoid potential buffer overflow in nntp pages (report by Ulf
      Harnhammar, CAN-2005-3120) -TD

Ulf stated also that he was a member of the Debian security team, and
requested that I not release the patch until a regular announcement of the
issue could be made. At the same time, there was ongoing coordination with
some packagers to back-port the fix (Redhat and Gentoo come to mind).
However, someone in Debian's security team blundered and released a package
with Ulf's patch. (Since many people including Ulf inspected my patch, the
reason for this is not apparent). I pointed that out and was ignored.
We recommend that you upgrade your lynx-cur package.
lynx-cur already has the fix (from last year).

--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net
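Dickey's objection to the truncating patch, illustrated with added C code that is not lynx's HTrjis() or either of the patches discussed: it assumes an ISO-2022-JP-style escape encoding and a constructed sample header, and contrasts stopping at a fixed buffer (no overflow, but the cut can land inside a JIS run and the value is altered) with sizing the copy from the input (neither problem), plus a check for the incomplete-sequence condition.

```c
#include <stdlib.h>
#include <string.h>

#define ESC 0x1b

/* Constructed sample NNTP header: an ISO-2022-JP run (ESC $ B ... ESC ( B)
 * inside an otherwise ASCII value.  Not taken from any real post. */
static const char SAMPLE_HEADER[] =
    "From: \x1b$B$3$s$K$A$O\x1b(B <user@example.invalid>";

/* Fix style 1: copy into a fixed buffer and stop when it is full.  The
 * overflow is gone, but the cut can land inside the JIS run, so the result
 * may never switch back to ASCII, and the value itself is now wrong. */
size_t copy_truncating(const char *in, char *out, size_t outsz)
{
    size_t n = strlen(in);
    if (outsz == 0)
        return 0;
    if (n > outsz - 1)
        n = outsz - 1;           /* silently drop the tail */
    memcpy(out, in, n);
    out[n] = '\0';
    return n;
}

/* Fix style 2: size the destination from the input instead of a fixed
 * buffer, so no input length can overflow it and nothing is dropped.
 * Caller frees the result. */
char *copy_dynamic(const char *in)
{
    size_t n = strlen(in);
    char *out = malloc(n + 1);
    if (out != NULL)
        memcpy(out, in, n + 1);
    return out;
}

/* Return 1 if the string ends in ASCII mode: every ESC $ B (enter JIS) is
 * matched by a later ESC ( B (back to ASCII).  0 means it ends mid-run. */
int ends_in_ascii(const char *s)
{
    int jis = 0;
    for (; *s != '\0'; s++) {
        if ((unsigned char)*s != ESC)
            continue;
        if (s[1] == '$' && s[2] == 'B') { jis = 1; s += 2; }
        else if (s[1] == '(' && s[2] == 'B') { jis = 0; s += 2; }
    }
    return !jis;
}
```

With a 12-byte destination the truncating copy keeps "From: ESC $ B $3" and ends inside the JIS run, which is exactly the "incomplete character sequence" a downstream decoder would then misread.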