Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 243058 - <www-client/lynx-2.8.6-r4 lynxcgi url handler issue (CVE-2008-4690)
Summary: <www-client/lynx-2.8.6-r4 lynxcgi url handler issue (CVE-2008-4690)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://thread.gmane.org/gmane.comp.se...
Whiteboard: C2? [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-10-21 14:29 UTC by Robert Buchholz (RETIRED)
Modified: 2009-09-12 16:33 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
lynx-2.8.6-CVE-2008-4690.patch (lynx-2.8.6-CVE-2008-4690.patch,1.56 KB, patch)
2008-10-30 22:53 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-10-21 14:29:34 UTC
Quoting Josh Bressers:
Clint Ruoho brought this to our attention, and I think there is a greater benefit
in in sharing this than there is in keeping it embargoed.

The fix for CVE-2005-2929 only disable the lynxcgi handler when you're not in
advanced mode.  It's considered to not be a flaw in advanced mode because it
displays the URL that is selected.  The potential problem here though is if lynx
is called from the command line if it's your URL handler.

Clint pointed out that the easiest way to fix this is to just disable CGI support
in /etc/lynx.cfg, which I agree with, and is a wise default.

Initially I thought this was an issue that should be fixed, but I'm starting to
wonder this.  So some open discussion is in order.

Does anything allow the lynxcgi:// handler?  A user would have to have defined
this protocol handler, which I think is quite unlikely.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-10-21 14:30:12 UTC
drizzt, can you advise on the situation please?
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-10-30 22:34:01 UTC
CVE-2008-4690 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4690):
  lynx 2.8.6dev.15 and earlier, when advanced mode is enabled and lynx
  is configured as a URL handler, allows remote attackers to execute
  arbitrary commands via a crafted lynxcgi: URL, a related issue to
  CVE-2005-2929.  NOTE: this might only be a vulnerability in limited
  deployments that have defined a lynxcgi: handler.

Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-10-30 22:53:36 UTC
RedHat appled the following patch, its impact is documented in CHANGES
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-10-30 22:53:56 UTC
Created attachment 170361 [details, diff]
lynx-2.8.6-CVE-2008-4690.patch
Comment 5 Peter Alfredsen (RETIRED) gentoo-dev 2009-04-27 11:32:21 UTC
+*lynx-2.8.7_rc2 (27 Apr 2009)
+
+  27 Apr 2009; Peter Alfredsen <loki_val@gentoo.org> metadata.xml,
+  +lynx-2.8.7_rc2.ebuild:
+  Bump. Take over as maintainer, since drizzt retired. This version fixes
+  security bug 243058 and addresses the issues raised by Pacho Ramos in bug
+  262972.
+

From CHANGES:
[...]
* modify prompt in LYLoadCGI() from 2.8.6dev.15 to always prompt user (from
  FEDORA-2008-9597), and modify compiled-in configuration default for
  consistency with other lynx.cfg settings to require that lynx.cfg be set to
  permit use of lynxcgi scripts -TD
Comment 6 Wormo (RETIRED) gentoo-dev 2009-07-26 21:51:55 UTC
I just noticed lynx was orphaned and adopted it. 

As noted above, the newer lynx snapshots already include a fix, and now the recommended patch is being applied to the stable version. So, I don't think there's anything else that needs to be done for this bug; should be ok to close it.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-07-27 09:59:51 UTC
Thanks for adopting lynx. I noticed you applied the patch without a rev-bump. We require revbumps and will request stabling for the new version on this bug afterwards. This way we make sure all users can actually upgrade to the fixed version.

Please copy the -r2 ebuild to -r3 (or -r4, because there was an -r3 before) and drop stable on that copy. Thanks!
Comment 8 Wormo (RETIRED) gentoo-dev 2009-07-28 05:23:44 UTC
Ok, -r2 is reverted and the patch is in -r4, which you can have stabled.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-07-28 05:56:16 UTC
Thanks, right away.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2009-07-28 05:56:43 UTC
Arches, please test and mark stable:
=www-client/lynx-2.8.6-r4
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2009-07-28 17:54:12 UTC
Stable for HPPA.
Comment 12 Markus Meier gentoo-dev 2009-07-29 21:15:21 UTC
amd64/x86 stable
Comment 13 Tiago Cunha (RETIRED) gentoo-dev 2009-07-31 14:14:49 UTC
sparc stable
Comment 14 Mounir Lamouri (volkmar) (RETIRED) gentoo-dev 2009-08-02 10:01:54 UTC
Keyworded for ppc.
Comment 15 Mounir Lamouri (volkmar) (RETIRED) gentoo-dev 2009-08-02 10:02:36 UTC
(In reply to comment #14)
> Keyworded for ppc.
> 

I meant ppc stable...
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2009-08-02 10:38:18 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 17 Brent Baude (RETIRED) gentoo-dev 2009-08-02 15:14:05 UTC
ppc64 done
Comment 18 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-12 16:33:20 UTC
GLSA 200909-15