Hi, please bump www-client/links to pre26. In the changelog, there's also an entry about a severe security bug:
http://links.twibright.com/download/ChangeLog
Tue Nov 28 23:13:38 MET 2006 mikulas: Fixed severe security bug: '"' and ';' in smb:// url could be used for remote command execution.
Thanks!
Thanks, 2.1_pre26 in cvs. Security, I believe you take it from here :-). Cheers
x86 done
sparc stable.
Stable for HPPA.
moved to prefix.
Stable on Alpha.
ppc stable
ppc64 stable
Correcting component.
amd64 done
hard to rate this... B3 might be closest
from Secunia: Successful exploitation allows exposure of sensitive information or manipulation of data, but requires that the user visits a malicious "smb://" URL or gets redirected to such an URL by a malicious URL, and that the user has the smbclient program installed.
security please vote
I tend to vote NO. How often do you use links for smb:// stuff?
I guess it's not whether you would use it, but you could be enticed to use it by a malicious site. If this works for <IMG SRC="smb://..."> tags for example, you'll be screwed. (Note that I don't know whether it does, I just remember a bug like that in firefox.) Redirection will not automatically screw you, though (at least not in the default conf). I tend to vote yes. I admit it's "thin", but it's also bad ^_^
I vote yes... and isn't it a B2 instead of B3?
ok, agreed... let's have a GLSA
GLSA 200612-16
ia64 done