Bug 108451 - www-client/lynx Remote Buffer Overflow (CAN-2005-3120)
Summary: www-client/lynx Remote Buffer Overflow (CAN-2005-3120)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://lists.grok.org.uk/pipermail/fu...
Whiteboard: B2 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-10-07 23:59 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2007-05-31 10:54 UTC
CC List: 7 users

See Also:
Package list:
Runtime testing required: ---


Attachments
lynx.security.patch (lynx.security.patch, 637 bytes, patch) - 2005-10-08 00:00 UTC, Sune Kloppenborg Jeppesen (RETIRED)
new ebuild for lynx (lynx-2.8.5-r1.ebuild, 1.95 KB, text/plain) - 2005-10-12 06:35 UTC, Seemant Kulleen (RETIRED)
Thomas Dickey's patch, back-ported to 2.8.5 (lynx-2.8.5-CAN-2005-3120.patch, 10.15 KB, patch) - 2005-10-12 06:35 UTC, Seemant Kulleen (RETIRED)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-07 23:59:27 UTC
I have found a remote buffer overflow in Lynx. It occurs when a Lynx 
user selects malicious links or simply visits malicious web pages! 
 
When Lynx connects to an NNTP server to fetch information about the 
available articles in a newsgroup, it will call a function called 
HTrjis() with the information from certain article headers. The 
function adds missing ESC characters to certain data, to support 
Asian character sets. However, it does not check if it writes outside 
of the char array buf, and that causes a remote stack-based buffer 
overflow, with full control over EIP, EBX, EBP, ESI and EDI. 
 
Two attack vectors to make a victim visit a URL to a dangerous news 
server are: (a) *redirecting scripts*, where the victim visits some 
web page and it redirects automatically to a malicious URL, and 
(b) *links in web pages*, where the victim visits some web page 
and selects a link on the page to a malicious URL. Attack vector 
(b) is helped by the fact that Lynx does not automatically display 
where links lead to, unlike many graphical web browsers. 
 
A victim is in danger when his or her Lynx session is forced to 
visit a URL of the types "nntp://some.news.server/group.name" or 
"news:group.name", and the server that Lynx connects to must send 
back article headers with certain malicious data. It may be possible 
to make real news servers distribute such articles without technical 
problems, but that has not been tested. 
 
The vulnerable versions are at least 2.8.5, 2.8.6dev.13, 2.8.4 and 
2.8.3. The old version 2.8.2 is not vulnerable. 
 
I have attached a malicious NNTP server that exhibits this 
problem. (As noted above, it might be possible to exploit 
this issue through legitimate news servers as well.) You just 
run this server, then you start Lynx with a URL of the type 
"nntp://malicious.server/group.name", and it will crash immediately. 
 
To test the attack vectors, I have also included a redirecting 
script and a web page with a link to a malicious server. 
 
Finally, I have attached a patch for this issue. It simply stops 
copying when it comes close to the end of the array. (I thought 
about expanding the size of the array, but I thought that might 
have repercussions in other parts of the code.) 
 
I hope that we can coordinate our respective updates for Lynx by 
agreeing on a release date. 
 
// Ulf Harnhammar for the Debian Security Audit Project
   http://www.debian.org/security/audit/
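Added example by the editor, not code from this bug's attachments or from Lynx itself: a minimal C model of the unchecked ESC-insertion copy the report describes, beside a bounded version in the spirit of the attached fix ("stops copying when it comes close to the end of the array"). The designator set ($B, $@, (B, (J), the BUF_SIZE of 64 and the sample header lines are assumptions constructed for illustration; the real HTrjis() array size and its exact JIS handling are not reproduced here.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ESC 0x1b
/* Assumed, and small on purpose: stands in for the fixed char array in the real function. */
#define BUF_SIZE 64

/* A bare two-byte JIS designator ($B/$@ switch to kanji, (B/(J back to ASCII).
 * A server that strips the ESC leaves only these two bytes; the repair re-inserts it. */
static int is_jis_designator(const char *p)
{
    return (p[0] == '$' && (p[1] == 'B' || p[1] == '@')) ||
           (p[0] == '(' && (p[1] == 'B' || p[1] == 'J'));
}

/* Vulnerable model of the copy: out is written with no bound. Every designator that
 * lacks an ESC adds one byte, so the output can exceed the input by up to 50% and a
 * fixed char array receives attacker-controlled bytes past its end. Returns bytes written. */
size_t jis_repair_unchecked(char *out, const char *s)
{
    size_t n = 0;
    int prev_esc = 0;
    for (const char *p = s; *p; p++) {
        if (!prev_esc && is_jis_designator(p))
            out[n++] = ESC;
        out[n++] = *p;
        prev_esc = (*p == ESC);
    }
    out[n] = '\0';
    return n;
}

/* Bytes the unchecked copy would emit for s (not counting the NUL). */
size_t jis_repair_needed(const char *s)
{
    size_t n = 0;
    int prev_esc = 0;
    for (const char *p = s; *p; p++) {
        if (!prev_esc && is_jis_designator(p))
            n++;
        n++;
        prev_esc = (*p == ESC);
    }
    return n;
}

/* Would the unchecked copy of s overrun a char buf[BUF_SIZE]? (n bytes plus the NUL) */
int jis_repair_overflows(const char *s)
{
    return jis_repair_needed(s) + 1 > BUF_SIZE;
}

/* Bounded model: stops before the end of the array, keeps room for the NUL, and
 * drops a designator whole instead of emitting a dangling ESC. Returns bytes written. */
size_t jis_repair_bounded(char *out, size_t outsz, const char *s)
{
    size_t n = 0;
    int prev_esc = 0;
    if (outsz == 0)
        return 0;
    for (const char *p = s; *p; p++) {
        size_t need = (!prev_esc && is_jis_designator(p)) ? 2 : 1;
        if (n + need >= outsz)   /* would leave no room for the terminating NUL */
            break;
        if (need == 2)
            out[n++] = ESC;
        out[n++] = *p;
        prev_esc = (*p == ESC);
    }
    out[n] = '\0';
    return n;
}

/* Constructed sample header lines, not captured from any real news server. */
static const char BENIGN_HDR[] = "Subject: $B$3$s$K$A$O(B test";

/* A header consisting of 63 bare "$B" designators: 126 bytes in, 189 bytes out. */
const char *stuffed_header(void)
{
    static char hdr[128];
    size_t i;
    for (i = 0; i + 2 < sizeof hdr; i += 2) {
        hdr[i] = '$';
        hdr[i + 1] = 'B';
    }
    hdr[i] = '\0';
    return hdr;
}

int main(void)
{
    char buf[BUF_SIZE];
    const char *evil = stuffed_header();
    printf("benign:  %zu bytes in, %zu out, overflows=%d\n",
           strlen(BENIGN_HDR), jis_repair_needed(BENIGN_HDR), jis_repair_overflows(BENIGN_HDR));
    printf("stuffed: %zu bytes in, %zu out, overflows=%d\n",
           strlen(evil), jis_repair_needed(evil), jis_repair_overflows(evil));
    /* Only the bounded copy is safe to run against buf[BUF_SIZE]. */
    printf("bounded copy kept %zu of %zu bytes\n",
           jis_repair_bounded(buf, sizeof buf, evil), jis_repair_needed(evil));
    return 0;
}
```

The point to take from it: each bare designator costs one extra output byte, so a header whose length is comfortably under the array size can still push the copy past its end. Checking strlen() of the input against the array before the call is not enough; the bound has to be enforced as bytes are written, which is what the attached fix does. The unchecked function is only safe with an output buffer sized from jis_repair_needed().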
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-08 00:00:18 UTC
Created attachment 70132
lynx.security.patch
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-08 22:16:02 UTC
New patch from Thomas Dickey <dickey@his.com> up at:

ftp://invisible-island.net/temp/lynx2.8.6dev.13e-special.patch.gz

Deedra, please attach an updated ebuild. Do NOT commit anything to portage.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-11 14:05:21 UTC
Trying seemant instead. 
Comment 5 Seemant Kulleen (RETIRED) gentoo-dev 2005-10-11 14:15:39 UTC
I'll have something up for you guys shortly
Comment 6 Seemant Kulleen (RETIRED) gentoo-dev 2005-10-12 05:39:11 UTC
ok, so thomas' patch applies to the current development version of lynx
(2.8.6dev13).  I've asked him if he has a backport, else I'll be trying to
backport this myself to 2.8.5 (I'll probably need to bring Spanky or solar into
the picture to verify).

Thanks,
Comment 7 Seemant Kulleen (RETIRED) gentoo-dev 2005-10-12 06:35:01 UTC
Created attachment 70451
new ebuild for lynx

This is the new ebuild
Comment 8 Seemant Kulleen (RETIRED) gentoo-dev 2005-10-12 06:35:56 UTC
Created attachment 70452
Thomas Dickey's patch, back-ported to 2.8.5

This is the patch -- please place into ${FILESDIR} for testing purposes.  For
release, this will go onto mirrors.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-12 06:43:34 UTC
Thx Seemant.  
  
Calling arch security liaisons for testing:  
  
alpha  kloeri  
amd64  blubb  
hppa  hansmi  
ppc  hansmi  
ppc64  tgall  
sparc  gustavoz  
x86  tester  
  
Please test and report back on this bug. 
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2005-10-12 08:37:07 UTC
Looks sane for sparc.

Comment 11 Simon Stelling (RETIRED) gentoo-dev 2005-10-12 10:43:32 UTC
seems to work fine on amd64 too
Comment 12 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-10-12 12:15:21 UTC
Looks good on ppc and hppa
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-12 12:18:54 UTC
Status so far. Good on:  sparc, amd64, ppc and hppa 
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-10-14 01:33:40 UTC
Still missing alpha, ppc64 and x86 tests.
Adding rangerpb to handle ppc64.
Comment 15 Brent Baude (RETIRED) gentoo-dev 2005-10-14 08:46:53 UTC
Looks good for ppc64
Comment 16 Olivier Crete (RETIRED) gentoo-dev 2005-10-15 21:00:17 UTC
looks good on x86
Comment 17 Bryan Østergaard (RETIRED) gentoo-dev 2005-10-16 08:01:38 UTC
Alpha is good.
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2005-10-16 09:12:32 UTC
OK, all ready to be committed directly stable at disclosure date.
seemant: that should be sometime tomorrow.
Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-16 22:31:27 UTC
This is public now, please commit the updated ebuild. I'll open a new bug or 
remove restrictions on this one when I get up to date on my bug inbox later 
today. 
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2005-10-17 00:31:15 UTC
Opening.
Comment 21 Seemant Kulleen (RETIRED) gentoo-dev 2005-10-17 05:09:13 UTC
it's in portage now.
Comment 22 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-17 08:10:06 UTC
Thx everyone. 
 
GLSA 200510-15