Bug 450534 - <www-client/elinks-0.12_pre6: Security bypass vulnerability (CVE-2012-4545)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Reported: 2013-01-06 14:17 UTC by GLSAMaker/CVETool Bot
Modified: 2013-10-08 03:17 UTC
Description GLSAMaker/CVETool Bot gentoo-dev 2013-01-06 14:17:17 UTC
CVE-2012-4545 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4545):
  The http_negotiate_create_context function in protocol/http/http_negotiate.c
  in ELinks 0.12 before 0.12pre6, when using HTTP Negotiate or GSS-Negotiate
  authentication, delegates user credentials through GSSAPI, which allows
  remote servers to authenticate as the client via the delegated credentials.
Comment 1 Pacho Ramos gentoo-dev 2013-01-17 16:18:34 UTC
A bump to pre6 would be enough
Comment 2 Kevin Faulkner 2013-01-18 04:49:46 UTC
You are correct; this was addressed in http://bugzilla.elinks.cz/show_bug.cgi?id=1124
I'll work on getting the ebuild finished.
Comment 3 Opportunist 2013-08-11 08:32:30 UTC
ELinks 0.12pre6

Released on 2012-10-30.

Security fix:
bug 1124, CVE-2012-4545: Do not delegate GSSAPI credentials in HTTP Negotiate or GSS-Negotiate authentication. Reported by Marko Myllynen. (ELinks 0.12pre1 was the first release that supported GSSAPI; earlier releases are not vulnerable.) 

Fixed crashes and hangs:
critical bug 943: Don't let user JavaScripts call any methods of “elinks.action” in tabs that do not have the focus. If a tab was closed with “elinks.action.tab_close” while it had pop-up windows, ELinks could crash; as a precaution, don't allow other actions either. (ELinks 0.12pre1 was the first release that supported “elinks.action”.) 
critical bug 1083: Avoid an infinite loop when trying to decompress malformed data. Caused by the bug 1068 fix in ELinks 0.12pre3. 
 Fix a possible crash or information disclosure on big-endian 64-bit systems using HTTP Negotiate or GSS-Negotiate authentication. 

Incompatibilities:
 Dropped support for SEE. (ELinks 0.12pre1 was the first release that supported SEE.) 
 Guile 2.0.0 (released on 2011-02-16) changed its license to LGPLv3-or-later, which is not compatible with the GPLv2 that covers ELinks. Also, Guile has deprecated many of the functions that ELinks calls. 

Other changes:
major bug 764: Correctly initialize options on big-endian 64-bit systems. 
bug 983: Give preference to the Content-Type specified in the HTTP header over that specified via the HTML meta tag. 
bug 1084: Allow option names containing + and * in the option manager. 
bug 1112: Map most numeric character references &#x80; … &#x9F; to graphical characters also when the output charset is UTF-8. (ELinks 0.12pre1 was the first release that supported UTF-8 as the terminal charset, and ELinks 0.12pre5 was the first release that supported UTF-8 as the dump charset.) 
minor bug 1113: Fix a small memory leak if a mailcap file is malformed. 
minor bug 1114: Decode SGML entities and NCRs only once in link/@title and other attributes. 
 build: Fix several warnings reported by GCC 4.7.1. Harmless at runtime but could break the build if configured --enable-debug. (This version does not fix all such warnings.)
Comment 4 Ian Stakenvicius (RETIRED) gentoo-dev 2013-08-29 20:19:48 UTC
I did a naive bump of the ebuild to get _pre6 in the tree.  All _pre5 patches were maintained since they all applied cleanly.
Comment 5 Sergey Popov gentoo-dev 2013-08-30 09:40:40 UTC
Thanks.

Arches, please test and mark stable =www-client/elinks-0.12_pre6

Target keywords: alpha amd64 hppa ia64 ppc ppc64 sparc x86
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2013-08-30 14:04:55 UTC
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2013-08-30 18:42:28 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-09-01 15:33:22 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-09-01 15:53:05 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-09-01 16:04:17 UTC
alpha stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-09-03 11:53:17 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-09-05 10:44:01 UTC
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-09-06 10:24:15 UTC
sparc stable
Comment 14 Sergey Popov gentoo-dev 2013-09-06 10:41:07 UTC
Thanks for your work

GLSA vote: no
Comment 15 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-08 03:17:03 UTC
GLSA vote: no. Closing noglsa.
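
A version check for the affected range this bug describes, from 0.12_pre1 (first release with GSSAPI support, per Comment 3) up to but not including 0.12_pre6. This is an added example, not part of the bug thread or of Gentoo's tooling. The version comparison is a simplified take on Gentoo's ordering, the helper names are hypothetical, and the inventory is constructed sample data; the check is by version only.

```python
import re

# Simplified Gentoo ordering: _alpha < _beta < _pre < _rc < (no suffix) < _p
SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "": 0, "p": 1}
VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"
    r"(?:_(?P<suffix>alpha|beta|pre|rc|p)(?P<sufnum>\d*))?"
    r"(?:-r(?P<rev>\d+))?$"
)


def parse_version(version):
    """Turn e.g. '0.12_pre5-r2' into a tuple that sorts in version order."""
    m = VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = tuple(int(n) for n in m.group("nums").split("."))
    rank = SUFFIX_RANK[m.group("suffix") or ""]
    return (nums, rank, int(m.group("sufnum") or 0), int(m.group("rev") or 0))


FIRST_AFFECTED = parse_version("0.12_pre1")  # first release with GSSAPI support
FIRST_FIXED = parse_version("0.12_pre6")     # fixed version from the bug summary


def is_affected(version):
    """True if version lies in [0.12_pre1, 0.12_pre6)."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def affected_packages(cpvs, name="www-client/elinks"):
    """Return the entries of cpvs that are affected elinks installs."""
    prefix = name + "-"
    return [c for c in cpvs if c.startswith(prefix) and is_affected(c[len(prefix):])]


# Constructed inventory, as category/package-version strings.
SAMPLE_INSTALLED = [
    "www-client/elinks-0.11.7",
    "www-client/elinks-0.12_pre5-r2",
    "www-client/elinks-0.12_pre6",
    "www-client/links-2.8",
]

if __name__ == "__main__":
    for cpv in affected_packages(SAMPLE_INSTALLED):
        print(f"{cpv}: affected by CVE-2012-4545, update to >=0.12_pre6")
```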