From $URL:

Links buffer over-read vulnerability
================

Author:
===============
qflb.wu

Introduction:
=============
Links is a text and graphics mode WWW browser. It includes support for rendering tables and frames, features background downloads, can display colors and has many other features.

Affected version:
=====
2.14

Vulnerability Description:
==========================
The put_chars function in html_r.c in Links 2.14 can cause a denial of service (buffer over-read) via a crafted html file.

./links -dump links_2.14_buffer_over_read.html
=================================================================
==10690==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000002303d00 at pc 0x667c5e bp 0x7ffca2e786f0 sp 0x7ffca2e786e8
READ of size 1 at 0x000002303d00 thread T0
    #0 0x667c5d in put_chars /home/a/Documents/links-2.14/html_r.c:662
    #1 0x635815 in put_chars_conv /home/a/Documents/links-2.14/html.c:725
    #2 0x5e92ec in put_chrs /home/a/Documents/links-2.14/html.c:764
    #3 0x5d23f0 in parse_html /home/a/Documents/links-2.14/html.c:2865
    #4 0x64814e in do_format /home/a/Documents/links-2.14/html_r.c:1015
    #5 0x64814e in format_html_part /home/a/Documents/links-2.14/html_r.c:1092
    #6 0x64c42b in really_format_html /home/a/Documents/links-2.14/html_r.c:1248
    #7 0x7e528e in format_html /home/a/Documents/links-2.14/session.c:1177
    #8 0x7e528e in cached_format_html /home/a/Documents/links-2.14/session.c:1420
    #9 0x73fe2a in end_dump /home/a/Documents/links-2.14/main.c:306
    #10 0x77a08e in object_timer /home/a/Documents/links-2.14/objreq.c:425
    #11 0x7beaf2 in check_timers /home/a/Documents/links-2.14/select.c:468
    #12 0x7bc09d in select_loop /home/a/Documents/links-2.14/select.c:890
    #13 0x73bdc9 in main /home/a/Documents/links-2.14/main.c:616
    #14 0x7f2765871ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #15 0x48619c in _start (/home/a/Documents/links-2.14/links+0x48619c)

0x000002303d00 is located 0 bytes to the right of global variable 'put_chars_conv.buffer' from 'html.c' (0x2303c00) of size 256
SUMMARY: AddressSanitizer: global-buffer-overflow /home/a/Documents/links-2.14/html_r.c:662 put_chars
Shadow bytes around the buggy address:
  0x000080458750: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x000080458760: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x000080458770: 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x000080458780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080458790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000804587a0:[f9]f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0000804587b0: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0000804587c0: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0000804587d0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0000804587e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000804587f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  ASan internal:           fe
==10690==ABORTING

POC:
links_2.14_buffer_over_read.html

CVE:
CVE-2017-11114
===============================
qflb.wu () dbappsecurity com cn
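The ASan report above says everything a reader needs about the bug class: a consumer (put_chars) read one byte immediately past the end of a 256-byte global staging buffer (put_chars_conv.buffer), i.e. it was handed a length that did not match what had actually been staged. The following is an added example written for this page, not Links source: it models the same shape (a fixed 256-byte global buffer filled by a converter and flushed to a consumer with an explicit length) and shows the boundary check done correctly. The converter rule (Latin-1 to UTF-8), the names conv_buffer, sink, consume, latin1_to_utf8_staged and run_sample, and the sample input are all assumptions of the example; the Links converter's real rules are not on the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not Links code. A fixed 256-byte global staging
 * buffer, the same size as 'put_chars_conv.buffer' in the ASan report,
 * is filled by a converter and then handed to a consumer with a length.
 * The converter is assumed to turn Latin-1 into UTF-8. */
#define CONV_BUF_SIZE 256

static unsigned char conv_buffer[CONV_BUF_SIZE];

/* Where flushed bytes go, plus counters a caller (or test) can inspect. */
typedef struct {
    unsigned char *out;   /* destination for delivered bytes */
    size_t out_cap;       /* capacity of out */
    size_t total_out;     /* bytes delivered so far */
    size_t flushes;       /* number of consumer calls */
    size_t max_chunk;     /* largest length ever handed to the consumer */
} sink;

/* Consumer, in the role of put_chars: reads exactly len bytes from buf.
 * It is only safe if len never exceeds the bytes actually staged; as a
 * second line of defence it refuses a length larger than the buffer. */
static void consume(const unsigned char *buf, size_t len, sink *s)
{
    if (len > CONV_BUF_SIZE || s->total_out + len > s->out_cap) {
        fprintf(stderr, "consume: refusing %zu-byte chunk\n", len);
        return;
    }
    memcpy(s->out + s->total_out, buf, len);  /* touches buf[0..len-1] */
    s->total_out += len;
    s->flushes++;
    if (len > s->max_chunk) s->max_chunk = len;
}

/* Converter loop with the boundary check done right: the check is made
 * against the expanded size of each input byte before anything is written,
 * the buffer is flushed whenever the next output would not fit, and the
 * length passed to the consumer is always the number of bytes actually
 * staged, never more than CONV_BUF_SIZE. Returns total bytes delivered. */
size_t latin1_to_utf8_staged(const unsigned char *in, size_t in_len, sink *s)
{
    size_t fill = 0;
    s->total_out = s->flushes = s->max_chunk = 0;
    for (size_t i = 0; i < in_len; i++) {
        unsigned char b = in[i];
        size_t need = (b < 0x80) ? 1 : 2;  /* ASCII stays 1 byte, 0x80..0xFF become 2 */
        if (fill + need > CONV_BUF_SIZE) {  /* would overrun: flush staged bytes first */
            consume(conv_buffer, fill, s);
            fill = 0;
        }
        if (need == 1) {
            conv_buffer[fill++] = b;
        } else {
            conv_buffer[fill++] = (unsigned char)(0xC0 | (b >> 6));
            conv_buffer[fill++] = (unsigned char)(0x80 | (b & 0x3F));
        }
    }
    if (fill > 0) consume(conv_buffer, fill, s);  /* deliver the tail */
    return s->total_out;
}

/* Constructed sample input: n_ascii copies of 'a', then one Latin-1 byte
 * 'high', then 'z'. With n_ascii == 255 the 2-byte expansion lands exactly
 * on the buffer edge, which is the case a per-input-byte check gets wrong. */
static unsigned char sample_in[4 * CONV_BUF_SIZE];
static unsigned char sample_out[8 * CONV_BUF_SIZE];

size_t run_sample(size_t n_ascii, unsigned char high, sink *s)
{
    if (n_ascii + 2 > sizeof sample_in) return 0;
    memset(sample_in, 'a', n_ascii);
    sample_in[n_ascii] = high;
    sample_in[n_ascii + 1] = 'z';
    s->out = sample_out;
    s->out_cap = sizeof sample_out;
    return latin1_to_utf8_staged(sample_in, n_ascii + 2, s);
}

int main(void)
{
    sink s;
    size_t n = run_sample(255, 0xE9, &s);  /* 0xE9 is Latin-1 'e acute' */
    printf("delivered %zu bytes in %zu flushes, largest chunk %zu\n",
           n, s.flushes, s.max_chunk);
    return 0;
}
```

Build it with `-fsanitize=address` as the reporter did for Links; the point of the design is that max_chunk can never exceed 256 and every byte the consumer reads was written in this round, so ASan has nothing to report, and a regression that breaks either property shows up as the same global-buffer-overflow line seen above.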
I don't care if a CVE was assigned (I can't find it atm at https://nvd.nist.gov/vuln/full-listing ). A buffer over read of size 1 in a command line tool is not a security risk.
Denial of Service can be a vulnerability even in a command line tool; this might e.g. stop certain workflows in automated systems. We generally don't analyze the vulnerabilities to a great extent for our tracking downstream and certainly don't allow maintainers to make that determination without prior discussion with the security team. The details are at https://nvd.nist.gov/vuln/detail/CVE-2017-11114 ; if disagreeing, dispute it upstream.
Upstream has yet to provide a fix for this CVE. Not sure links is still maintained. Debian still ships the same version as us by reading the links ChangeLog file [1]. Should we last rite this package? :/

[1]: http://metadata.ftp-master.debian.org/changelogs/main/l/links2/links2_2.14-2_changelog
RedHat has this fixed in: links-2.17-1.fc29. Monsieurp, can you please evaluate and see if we can address this vulnerability? Thanks.
I read about this CVE in links ChangeLog file for 2.15 release too. Not sure if it's a complete fix or what, but still only 2.14 in stable tree.
(In reply to Mart Raudsepp from comment #5)
> I read about this CVE in links ChangeLog file for 2.15 release too. Not sure
> if it's a complete fix or what, but still only 2.14 in stable tree.

Yep, fixed in 2.15: http://links.twibright.com/download/ChangeLog. Tree is clean. Tentatively marking [glsa?] but this is pretty old.
GLSA Vote: No

Arches and Maintainer(s), Thank you for your work.