From ${URL} :

redrain (rootredrain@...il.com)
Date: 2016-11-03
Version: 2.8.8pre.4, 2.8.9dev.8 and earlier
Platform: Linux and Windows
Vendor: http://lynx.browser.org/
Vendor Notified: 2016-11-03

VULNERABILITY
-------------------------
Lynx doesn't parse the authority component of the URL correctly when the host name part ends with '?', and could instead be tricked into connecting to a different host. Passing in `http://google.com?@...kdog.me/` would wrongly make lynx send a request to hackdog.me while your browser would connect to google.com given the same URL.

PoC
------------------------
lynx "http://google.com?@...kdog.me/"

SOLUTION
-------------------------
Follow the RFC and check for domains before sending the request.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Upstream addressed the issue on 2016-11-08 (2.8.9dev.10):

* improved fix for OpenSSL 1.1 (Taketo Kabe).
* improve warning message when stripping user/password from URL; report on
  http://seclists.org/oss-sec/2016/q4/322 treated as a Lynx parsing error the
  punctuation such as "?" which is permitted by RFC-1738 in a user or password
  field. RFC-3986 subsequently modified this. The improved message points out
  the possible confusion by users when these fields contain punctuation -TD
[...]

From http://lynx.invisible-island.net/current/CHANGES

@ Maintainer(s): Can we start stabilization of =www-client/lynx-2.8.9_pre11?
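The two readings of the authority component discussed above can be compared directly. This is an added example, not Lynx code and not part of any comment in this report: it models the RFC 3986 rule (authority ends at the first '/', '?' or '#') against an RFC 1738-style rule (authority runs to the first '/', so '?' can fall inside the user/password field) and reports URLs where the two disagree on the host. Function names and the `.example` hosts are constructed for illustration.

```python
"""Flag URLs whose host differs between two readings of the authority."""


def _after_scheme(url):
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("not a hierarchical URL: %r" % url)
    return rest


def _host_of(authority):
    # Drop userinfo (everything up to the last '@'), then drop the port.
    hostport = authority.rsplit("@", 1)[-1]
    if hostport.startswith("["):  # IPv6 literal such as [::1]:8080
        return hostport[: hostport.find("]") + 1].lower()
    return hostport.split(":", 1)[0].lower()


def rfc3986_host(url):
    # RFC 3986: the authority is terminated by the first '/', '?' or '#'.
    rest = _after_scheme(url)
    cuts = [i for i in (rest.find(c) for c in "/?#") if i != -1]
    return _host_of(rest[: min(cuts)] if cuts else rest)


def rfc1738_style_host(url):
    # Assumed model of the older reading: only '/' ends the authority,
    # so "host?@other" is taken as userinfo "host?" and host "other".
    rest = _after_scheme(url)
    return _host_of(rest.split("/", 1)[0])


def authority_confusion(url):
    """Return (rfc3986_host, rfc1738_style_host) if they differ, else None."""
    new, old = rfc3986_host(url), rfc1738_style_host(url)
    return None if new == old else (new, old)


# Constructed sample URLs; .example hosts are placeholders.
SAMPLES = [
    "http://trusted.example?@other.example/",
    "http://user:pw@trusted.example:8080/p?x=@y",
    "http://trusted.example/?next=a@b",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", authority_confusion(u) or "consistent")
```

Only the first sample is flagged: an '@' that appears after the first '/' never reaches the authority under either reading.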
@ Arches, please test and mark stable: =www-client/lynx-2.8.9_pre11
Stable for HPPA.
amd64 stable
ppc and ppc64 stable
x86 stable
arm stable
Stable on alpha.
sparc stable
ia64 stable. Maintainer(s), please cleanup. Security, please vote.
GLSA Vote: No

@ Maintainer(s): Please cleanup and drop <www-client/lynx-2.8.9_pre11!
Arches and Maintainer(s), Thank you for your work.