Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 598910 (CVE-2016-9179)

Summary: <www-client/lynx-2.8.9_pre11: invalid URL parsing with '?' (CVE-2016-9179)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: radhermit
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2016/11/03/4
Whiteboard: B3 [noglsa cve]
Package list:
=www-client/lynx-2.8.9_pre11
 Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2016-11-04 09:11:56 UTC 
From ${URL} :

redrain (rootredrain@...il.com)
Date:2016-11-03
Version: 2.8.8pre.4、2.8.9dev.8 and earlier
Platform: Linux and Windows
Vendor: http://lynx.browser.org/
Vendor Notified: 2016-11-03


VULNERABILITY
-------------------------

Lynx doesn't parse the authority component of the URL correctly when the
host
name part ends with '?', and could instead be tricked into
connecting to a different host.

Passing in `*http://google.com?@...kdog.me/
<http://google.com?@...kdog.me/>*` <http://example.com/#@...l.com/x.txt> would
wrongly make lynx send a
request to hackdog.me while your browser would connect to google.com given
the same URL.

PoC
------------------------
lynx  "http://google.com?@...kdog.me/"


SOLUTION
-------------------------
follow the RFC and check for domains before send request.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-09 22:24:48 UTC 
Upstread addressed the issue in 

2016-11-08 (2.8.9dev.10)
* improved fix for OpenSSL 1.1 (Taketo Kabe).
* improve warning message when stripping user/password from URL; report on
  http://seclists.org/oss-sec/2016/q4/322 treated as a Lynx parsing error the
  punctuation such as "?" which is permitted by RFC-1738 in a user or password
  field.  RFC-3986 subsequently modified this.  The improved message points out
  the possible confusion by users when these fields contain punctuation -TD
[...]

From http://lynx.invisible-island.net/current/CHANGES


@ Maintainer(s): Can we start stabilization of =www-client/lynx-2.8.9_pre11?
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-30 02:12:32 UTC 
@ Arches,

please test and mark stable: =www-client/lynx-2.8.9_pre11
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2017-02-03 22:05:33 UTC 
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2017-02-04 15:21:45 UTC 
amd64 stable
Comment 5 Michael Weber (RETIRED) gentoo-dev 2017-02-08 02:02:30 UTC 
ppc and ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-02-12 15:44:37 UTC 
x86 stable
Comment 7 Markus Meier gentoo-dev 2017-02-12 20:00:52 UTC 
arm stable
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2017-02-15 13:50:57 UTC 
Stable on alpha.
Comment 9 Agostino Sarubbo gentoo-dev 2017-02-17 10:57:38 UTC 
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-02-18 14:45:17 UTC 
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-21 20:36:29 UTC 
GLSA Vote: No

@ Maintainer(s): Please cleanup and drop <www-client/lynx-2.8.9_pre11!
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2017-05-27 00:17:09 UTC 
Arches and Maintainer(s), Thank you for your work.