Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 598910 (CVE-2016-9179) - <www-client/lynx-2.8.9_pre11: invalid URL parsing with '?' (CVE-2016-9179)
Summary: <www-client/lynx-2.8.9_pre11: invalid URL parsing with '?' (CVE-2016-9179)
Status: RESOLVED FIXED
Alias: CVE-2016-9179
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-11-04 09:11 UTC by Agostino Sarubbo
Modified: 2017-05-27 00:17 UTC (History)
1 user (show)

See Also:
Package list:
=www-client/lynx-2.8.9_pre11
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-11-04 09:11:56 UTC
From ${URL} :

redrain (rootredrain@...il.com)
Date:2016-11-03
Version: 2.8.8pre.4、2.8.9dev.8 and earlier
Platform: Linux and Windows
Vendor: http://lynx.browser.org/
Vendor Notified: 2016-11-03


VULNERABILITY
-------------------------

Lynx doesn't parse the authority component of the URL correctly when the
host
name part ends with '?', and could instead be tricked into
connecting to a different host.

Passing in `*http://google.com?@...kdog.me/
<http://google.com?@...kdog.me/>*` <http://example.com/#@...l.com/x.txt> would
wrongly make lynx send a
request to hackdog.me while your browser would connect to google.com given
the same URL.

PoC
------------------------
lynx  "http://google.com?@...kdog.me/"


SOLUTION
-------------------------
follow the RFC and check for domains before send request.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-09 22:24:48 UTC
Upstread addressed the issue in 

2016-11-08 (2.8.9dev.10)
* improved fix for OpenSSL 1.1 (Taketo Kabe).
* improve warning message when stripping user/password from URL; report on
  http://seclists.org/oss-sec/2016/q4/322 treated as a Lynx parsing error the
  punctuation such as "?" which is permitted by RFC-1738 in a user or password
  field.  RFC-3986 subsequently modified this.  The improved message points out
  the possible confusion by users when these fields contain punctuation -TD
[...]

From http://lynx.invisible-island.net/current/CHANGES


@ Maintainer(s): Can we start stabilization of =www-client/lynx-2.8.9_pre11?
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-30 02:12:32 UTC
@ Arches,

please test and mark stable: =www-client/lynx-2.8.9_pre11
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2017-02-03 22:05:33 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2017-02-04 15:21:45 UTC
amd64 stable
Comment 5 Michael Weber (RETIRED) gentoo-dev 2017-02-08 02:02:30 UTC
ppc and ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-02-12 15:44:37 UTC
x86 stable
Comment 7 Markus Meier gentoo-dev 2017-02-12 20:00:52 UTC
arm stable
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2017-02-15 13:50:57 UTC
Stable on alpha.
Comment 9 Agostino Sarubbo gentoo-dev 2017-02-17 10:57:38 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-02-18 14:45:17 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-21 20:36:29 UTC
GLSA Vote: No

@ Maintainer(s): Please cleanup and drop <www-client/lynx-2.8.9_pre11!
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2017-05-27 00:17:09 UTC
Arches and Maintainer(s), Thank you for your work.