Quoting Josh Bressers:
Clint Ruoho brought this to our attention, and I think there is a greater benefit
in in sharing this than there is in keeping it embargoed.
The fix for CVE-2005-2929 only disable the lynxcgi handler when you're not in
advanced mode. It's considered to not be a flaw in advanced mode because it
displays the URL that is selected. The potential problem here though is if lynx
is called from the command line if it's your URL handler.
Clint pointed out that the easiest way to fix this is to just disable CGI support
in /etc/lynx.cfg, which I agree with, and is a wise default.
Initially I thought this was an issue that should be fixed, but I'm starting to
wonder this. So some open discussion is in order.
Does anything allow the lynxcgi:// handler? A user would have to have defined
this protocol handler, which I think is quite unlikely.
drizzt, can you advise on the situation please?
lynx 2.8.6dev.15 and earlier, when advanced mode is enabled and lynx
is configured as a URL handler, allows remote attackers to execute
arbitrary commands via a crafted lynxcgi: URL, a related issue to
CVE-2005-2929. NOTE: this might only be a vulnerability in limited
deployments that have defined a lynxcgi: handler.
RedHat appled the following patch, its impact is documented in CHANGES
Created attachment 170361 [details, diff]
+*lynx-2.8.7_rc2 (27 Apr 2009)
+ 27 Apr 2009; Peter Alfredsen <email@example.com> metadata.xml,
+ Bump. Take over as maintainer, since drizzt retired. This version fixes
+ security bug 243058 and addresses the issues raised by Pacho Ramos in bug
* modify prompt in LYLoadCGI() from 2.8.6dev.15 to always prompt user (from
FEDORA-2008-9597), and modify compiled-in configuration default for
consistency with other lynx.cfg settings to require that lynx.cfg be set to
permit use of lynxcgi scripts -TD
I just noticed lynx was orphaned and adopted it.
As noted above, the newer lynx snapshots already include a fix, and now the recommended patch is being applied to the stable version. So, I don't think there's anything else that needs to be done for this bug; should be ok to close it.
Thanks for adopting lynx. I noticed you applied the patch without a rev-bump. We require revbumps and will request stabling for the new version on this bug afterwards. This way we make sure all users can actually upgrade to the fixed version.
Please copy the -r2 ebuild to -r3 (or -r4, because there was an -r3 before) and drop stable on that copy. Thanks!
Ok, -r2 is reverted and the patch is in -r4, which you can have stabled.
Thanks, right away.
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
Keyworded for ppc.
(In reply to comment #14)
> Keyworded for ppc.
I meant ppc stable...