155358 2006-11-16 07:16 0000 www-client/elinks arbitrary file access flaw was found in the SMB protocol handler (CVE-2006-5925) 2007-02-10 18:57:54 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://rhn.redhat.com/errata/RHSA-2006-0742.html B2?? [glsa] P2 normal --- 1 jaervosz@gentoo.org security@gentoo.org spock@gentoo.org jaervosz@gentoo.org 2006-11-16 07:16:44 0000 An arbitrary file access flaw was found in the Elinks SMB protocol handler. A malicious web page could have caused Elinks to read or write files with the permissions of the user running Elinks. (CVE-2006-5925) vorlon@gentoo.org 2006-11-18 11:26:04 0000 http://marc.theaimsgroup.com/?l=full-disclosure&m=116355556512780&w=2 http://secunia.com/advisories/22920/ upstream bug: http://bugzilla.elinks.cz/show_bug.cgi?id=841 perhaps patches could be extracted from RH update, that was for an older version though, maybe someone could check that out aetius@gentoo.org 2006-11-21 04:18:05 0000 Red Hat "fixed" the problem by disabling smb support: http://rhn.redhat.com/errata/RHSA-2006-0742.html So did the guy working on the vulnerability in the elinks bugzilla. The bug to watch for the fix is apparently: http://bugzilla.elinks.cz/show_bug.cgi?id=844 vorlon@gentoo.org 2007-01-22 19:58:44 0000 this appears to have been "fixed" in 0.11.2 by disabling SMB support http://pasky.or.cz/gitweb.cgi?p=elinks.git;a=commitdiff;h=6f14725204fdd0a5f5a054ad7ab7340cd1ce27cb Bug 841, CVE-2006-5925: Prevent enabling the SMB protocol. src/protocol/smb/smb.c: Added #error directives so that this vulnerable code cannot be accidentally compiled in. features.conf: Disable CONFIG_SMB by default and explain why. configure.in: If the user set CONFIG_SMB in features.conf or --enable-smb in the command line, disable them and warn the user. ____ since the ebuild is in the tree already and stable on several arches, we should go on marking it stable for the others too... www-client/elinks-0.11.2 current KEYWORDS="alpha ~amd64 ~hppa ~mips ~ppc ~ppc64 sparc ~x86 ~x86-fbsd" target KEYWORDS="alpha amd64 hppa ~mips ppc ppc64 sparc x86 ~x86-fbsd" armin76@gentoo.org 2007-01-22 21:19:08 0000 x86 stable jer@gentoo.org 2007-01-23 03:59:49 0000 Stable for HPPA. beandog@gentoo.org 2007-01-23 09:55:10 0000 removed the samba use flag and amd64 stable. dertobi123@gentoo.org 2007-01-23 20:38:34 0000 ppc stable corsair@gentoo.org 2007-01-27 09:49:47 0000 ppc64 stable. sorry for being late vorlon@gentoo.org 2007-01-27 10:46:03 0000 we issued GLSA 200612-16, so we should have one for links too... falco@gentoo.org 2007-02-10 18:57:54 0000 old GLSA 200701-27