Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 155358 - www-client/elinks arbitrary file access flaw was found in the SMB protocol handler (CVE-2006-5925)
Summary: www-client/elinks arbitrary file access flaw was found in the SMB protocol ha...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2?? [glsa]
Depends on:
Reported: 2006-11-16 07:16 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2007-02-10 18:57 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-16 07:16:44 UTC
An arbitrary file access flaw was found in the Elinks SMB protocol handler. 
A malicious web page could have caused Elinks to read or write files with 
the permissions of the user running Elinks. (CVE-2006-5925)
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-18 11:26:04 UTC

upstream bug:

perhaps patches could be extracted from RH update, that was for an older version though, maybe someone could check that out
Comment 2 Matt Drew (RETIRED) gentoo-dev 2006-11-21 04:18:05 UTC
Red Hat "fixed" the problem by disabling smb support:

So did the guy working on the vulnerability in the elinks bugzilla.  The bug to watch for the fix is apparently:

Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2007-01-22 19:58:44 UTC
this appears to have been "fixed" in 0.11.2 by disabling SMB support;a=commitdiff;h=6f14725204fdd0a5f5a054ad7ab7340cd1ce27cb

Bug 841, CVE-2006-5925: Prevent enabling the SMB protocol.
src/protocol/smb/smb.c: Added #error directives so that this
vulnerable code cannot be accidentally compiled in.

features.conf: Disable CONFIG_SMB by default and explain why. If the user set CONFIG_SMB in features.conf or
--enable-smb in the command line, disable them and warn the user.


since the ebuild is in the tree already and stable on several arches, we should go on marking it stable for the others too...


current KEYWORDS="alpha ~amd64 ~hppa ~mips ~ppc ~ppc64 sparc ~x86 ~x86-fbsd"
target KEYWORDS="alpha amd64 hppa ~mips ppc ppc64 sparc x86 ~x86-fbsd"
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2007-01-22 21:19:08 UTC
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2007-01-23 03:59:49 UTC
Stable for HPPA.
Comment 6 Steve Dibb (RETIRED) gentoo-dev 2007-01-23 09:55:10 UTC
removed the samba use flag

and amd64 stable.
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2007-01-23 20:38:34 UTC
ppc stable
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2007-01-27 09:49:47 UTC
ppc64 stable. sorry for being late
Comment 9 Matthias Geerdsen (RETIRED) gentoo-dev 2007-01-27 10:46:03 UTC
we issued GLSA 200612-16, so we should have one for links too...
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-10 18:57:54 UTC
old GLSA 200701-27