Quoting Josh Bressers: Clint Ruoho brought this to our attention, and I think there is a greater benefit in sharing this than there is in keeping it embargoed. The fix for CVE-2005-2929 only disables the lynxcgi handler when you're not in advanced mode. It's considered to not be a flaw in advanced mode because it displays the URL that is selected. The potential problem here though is if lynx is called from the command line if it's your URL handler. Clint pointed out that the easiest way to fix this is to just disable CGI support in /etc/lynx.cfg, which I agree with, and is a wise default. Initially I thought this was an issue that should be fixed, but I'm starting to wonder about this. So some open discussion is in order. Does anything allow the lynxcgi:// handler? A user would have to have defined this protocol handler, which I think is quite unlikely.
drizzt, can you advise on the situation please?
CVE-2008-4690 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4690): lynx 2.8.6dev.15 and earlier, when advanced mode is enabled and lynx is configured as a URL handler, allows remote attackers to execute arbitrary commands via a crafted lynxcgi: URL, a related issue to CVE-2005-2929. NOTE: this might only be a vulnerability in limited deployments that have defined a lynxcgi: handler.
Red Hat applied the following patch; its impact is documented in CHANGES.
Created attachment 170361: lynx-2.8.6-CVE-2008-4690.patch
+*lynx-2.8.7_rc2 (27 Apr 2009) + + 27 Apr 2009; Peter Alfredsen <loki_val@gentoo.org> metadata.xml, + +lynx-2.8.7_rc2.ebuild: + Bump. Take over as maintainer, since drizzt retired. This version fixes + security bug 243058 and addresses the issues raised by Pacho Ramos in bug + 262972. + From CHANGES: [...] * modify prompt in LYLoadCGI() from 2.8.6dev.15 to always prompt user (from FEDORA-2008-9597), and modify compiled-in configuration default for consistency with other lynx.cfg settings to require that lynx.cfg be set to permit use of lynxcgi scripts -TD
I just noticed lynx was orphaned and adopted it. As noted above, the newer lynx snapshots already include a fix, and now the recommended patch is being applied to the stable version. So, I don't think there's anything else that needs to be done for this bug; should be ok to close it.
Thanks for adopting lynx. I noticed you applied the patch without a rev-bump. We require revbumps and will request stabling for the new version on this bug afterwards. This way we make sure all users can actually upgrade to the fixed version. Please copy the -r2 ebuild to -r3 (or -r4, because there was an -r3 before) and drop stable on that copy. Thanks!
Ok, -r2 is reverted and the patch is in -r4, which you can have stabled.
Thanks, right away.
Arches, please test and mark stable: =www-client/lynx-2.8.6-r4
Target keywords: "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
amd64/x86 stable
sparc stable
Keyworded for ppc.
(In reply to comment #14)
> Keyworded for ppc.
I meant ppc stable...
alpha/arm/ia64/m68k/s390/sh/sparc stable
ppc64 done
GLSA 200909-15