BugTraq
[SECURITY] [DSA 1085-1] New lynx-cur packages fix several vulnerabilities Jun 01 2006 08:20AM
joey infodrom org (Martin Schulze) (1 replies)
Re: [SECURITY] [DSA 1085-1] New lynx-cur packages fix several vulnerabilities Jun 02 2006 12:33PM
Thomas Dickey (dickey radix net)
On Thu, Jun 01, 2006 at 10:20:21AM +0200, Martin Schulze wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 1085-1 security (at) debian (dot) org
> http://www.debian.org/security/ Martin Schulze
> June 1st, 2006 http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
>
> Package : lynx-ssl
> Vulnerability : several
> Problem type : remote
> Debian-specific: no
> CVE IDs : CVE-2004-1617 CAN-2005-3120
> BugTraq ID : 11443
> Debian Bug : 296340
>
>
> Several vulnerabilities have been discovered in lynx, the popular

"Several" is more than two or three.
But it sounds good in an advisory, even if inaccurate.

> text-mode WWW browser. The Common Vulnerabilities and Exposures
> Project identifies the following vulnerabilities:
>
> CVE-2004-1617
>
> Michal Zalewski discovered that lynx is not able to grok invalid
> HTML including a TEXTAREA tag with a large COLS value and a large
> tag name in an element that is not terminated, and loops forever
> trying to render the broken HTML.

This is only partly true. As I noted in the Debian bug report which is
associated with this part of the advisory on the 29th:

The credits on the advisory are inaccurate. Quoting from Zalewski's
original mail:
>
> * lynx_die1.html
>
> Lynx loops forever trying to render broken HTML.

and your advisory states:

Michal Zalewski discovered that lynx, the popular text-mode WWW
Browser, is not able to grok invalid HTML including a TEXTAREA tag
with a large COLS value and a large tag name in an element that is not
terminated, and loops forever trying to render the broken HTML. The
same code is present in lynx-ssl.

Lynx was unaffected by the _broken_ html. It did not guard against the large
COLS value. Zalewski did no analysis, but wrote something that sounded nice(*)

Zalewski also stated on a followup that he had notified (as is expected
on this list) the vendors of the related programs. I'm certain this is
incorrect as well, but that's a different thread. For this discussion,
it is sufficient to point out that Martin Schulze misattributed a
substantial part of the work which was done, and that (read the bug
report) he was aware that this is incorrect.

> CAN-2005-3120
>
> Ulf Härnhammar discovered a buffer overflow that can be remotely
> exploited. During the handling of Asian characters when connecting
> to an NNTP server lynx can be tricked to write past the boundary
> of a buffer which can lead to the execution of arbitrary code.
>
> For the old stable distribution (woody) these problems have been fixed in
> version 2.8.5-2.5woody1.
>
> For the stable distribution (sarge) these problems have been fixed in
> version 2.8.6-9sarge1.

Indeed. I commented on these before, but was ignored.
Perhaps you read BugTraq, since you ignore followups to your bug reports.

> For the unstable distribution (sid) these problems will be fixed soon.

This also is inaccurate. To recap (and to explain the "have been fixed"):
Ulf sent me a small patch which truncated the buffer (introducing
two new problems: incorrect URL and possibly an incomplete character
sequence). I wrote a better patch which eliminated these problems:

* eliminate fixed-size buffers in HTrjis() and related functions to avoid
potential buffer overflow in nntp pages (report by Ulf Harnhammar,
CAN-2005-3120) -TD

Ulf stated also that he was a member of the Debian security team, and
requested that I not release the patch until a regular announcement of
the issue could be made. At the same time, there was ongoing
coordination with some packagers to back-port the fix (Redhat and Gentoo
come to mind).

However, someone in Debian's security team blundered and released a
package with Ulf's patch. (Since many people including Ulf inspected my
patch, the reason for this is not apparent).

I pointed that out and was ignored.

> We recommend that you upgrade your lynx-cur package.

lynx-cur already has the fix (from last year).

--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net
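The two fixes the reply contrasts, as an added illustration that is not part of the thread and not lynx's code (it is a hypothetical stand-in for the kind of routine the changelog entry names, not HTrjis() itself, and the function names, the 8-byte buffer size and the sample header are constructed for the example): a toy ISO-2022-JP to EUC-JP converter, first wrapped in the "truncate to a fixed buffer" style of fix, then in the "measure, allocate, convert" style. The converter reports how many bytes the full result needs, so the dynamic version can size its output exactly; the truncating version stays within its buffer but, as the reply notes, can cut off the result in the middle of a two-byte character.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ESC 0x1b

/*
 * Hypothetical ISO-2022-JP -> EUC-JP converter (NOT lynx's HTrjis()).
 * ESC $ B / ESC $ @ switch to JIS X 0208, ESC ( B / ESC ( J switch back
 * to ASCII; each 7-bit JIS byte pair becomes one EUC pair with the high
 * bit set. Behaves like snprintf: writes at most outsize-1 bytes plus a
 * NUL into out (out may be NULL when outsize is 0) and returns the size
 * the complete conversion needs, so callers can detect truncation.
 */
static size_t jis_to_euc(const char *in, char *out, size_t outsize)
{
    const unsigned char *p = (const unsigned char *)in;
    size_t need = 0;
    int kanji = 0;

    while (*p) {
        if (p[0] == ESC && p[1] == '$' && (p[2] == 'B' || p[2] == '@')) {
            kanji = 1; p += 3; continue;        /* enter two-byte mode */
        }
        if (p[0] == ESC && p[1] == '(' && (p[2] == 'B' || p[2] == 'J')) {
            kanji = 0; p += 3; continue;        /* back to ASCII */
        }
        if (kanji && p[1]) {
            if (need + 1 < outsize) out[need] = (char)(p[0] | 0x80);
            need++;
            if (need + 1 < outsize) out[need] = (char)(p[1] | 0x80);
            need++;
            p += 2;
        } else {
            if (need + 1 < outsize) out[need] = (char)*p;
            need++;
            p++;
        }
    }
    if (outsize) out[need < outsize ? need : outsize - 1] = '\0';
    return need;
}

/* Fixed buffer plus truncation: no overflow, but the output may end
 * mid-character and is silently shorter than the input (constructed size). */
#define FIXED_BUF 8
char *convert_truncating(const char *in)
{
    char buf[FIXED_BUF];
    char *r;
    size_t n;
    jis_to_euc(in, buf, sizeof buf);
    n = strlen(buf);
    r = malloc(n + 1);
    if (r) memcpy(r, buf, n + 1);
    return r;
}

/* Dynamic sizing: measure first, allocate exactly, then convert. */
char *convert_dynamic(const char *in)
{
    size_t need = jis_to_euc(in, NULL, 0);
    char *out = malloc(need + 1);
    if (!out) return NULL;
    jis_to_euc(in, out, need + 1);
    return out;
}

/* For this toy's output (two-byte EUC only): every high byte must be
 * followed by another high byte, otherwise a character was cut in half. */
int eucjp_complete(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    while (*p) {
        if (*p & 0x80) {
            if (!(p[1] & 0x80)) return 0;       /* lone lead byte */
            p += 2;
        } else {
            p++;
        }
    }
    return 1;
}

/* Constructed sample: an NNTP-style header whose JIS text spells
 * "konnichiwa" in JIS X 0208 (rows $3 $s $K $A $O). */
static const char SAMPLE_JIS[] = "Re: \x1b$B$3$s$K$A$O\x1b(B";

int main(void)
{
    char *t = convert_truncating(SAMPLE_JIS);
    char *d = convert_dynamic(SAMPLE_JIS);
    if (!t || !d) return 1;
    printf("truncated: %zu bytes, complete=%d\n", strlen(t), eucjp_complete(t));
    printf("dynamic:   %zu bytes, complete=%d\n", strlen(d), eucjp_complete(d));
    free(t);
    free(d);
    return 0;
}
```

With the 8-byte buffer the truncating version returns "Re: " followed by one whole character and one lone lead byte, which is exactly the "incomplete character sequence" the reply describes; the dynamic version returns all 14 bytes intact.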
