Links buffer over-read vulnerability
Author: qflb.wu
Links is a text and graphics mode WWW browser. It includes support for rendering tables and frames, features background downloads, can display colors and has many other features.
The put_chars function in html_r.c in Links 2.14 can cause a denial of service (buffer over-read) via a crafted HTML.
./links -dump links_2.14_buffer_over_read.html
==10690==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000002303d00 at pc 0x667c5e bp 0x7ffca2e786f0 sp
READ of size 1 at 0x000002303d00 thread T0
#0 0x667c5d in put_chars /home/a/Documents/links-2.14/html_r.c:662
#1 0x635815 in put_chars_conv /home/a/Documents/links-2.14/html.c:725
#2 0x5e92ec in put_chrs /home/a/Documents/links-2.14/html.c:764
#3 0x5d23f0 in parse_html /home/a/Documents/links-2.14/html.c:2865
#4 0x64814e in do_format /home/a/Documents/links-2.14/html_r.c:1015
#5 0x64814e in format_html_part /home/a/Documents/links-2.14/html_r.c:1092
#6 0x64c42b in really_format_html /home/a/Documents/links-2.14/html_r.c:1248
#7 0x7e528e in format_html /home/a/Documents/links-2.14/session.c:1177
#8 0x7e528e in cached_format_html /home/a/Documents/links-2.14/session.c:1420
#9 0x73fe2a in end_dump /home/a/Documents/links-2.14/main.c:306
#10 0x77a08e in object_timer /home/a/Documents/links-2.14/objreq.c:425
#11 0x7beaf2 in check_timers /home/a/Documents/links-2.14/select.c:468
#12 0x7bc09d in select_loop /home/a/Documents/links-2.14/select.c:890
#13 0x73bdc9 in main /home/a/Documents/links-2.14/main.c:616
#14 0x7f2765871ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#15 0x48619c in _start (/home/a/Documents/links-2.14/links+0x48619c)
0x000002303d00 is located 0 bytes to the right of global variable 'put_chars_conv.buffer' from 'html.c' (0x2303c00) of
SUMMARY: AddressSanitizer: global-buffer-overflow /home/a/Documents/links-2.14/html_r.c:662 put_chars
Shadow bytes around the buggy address:
0x000080458750: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
0x000080458760: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x000080458770: 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
0x000080458780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080458790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000804587a0:[f9]f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x0000804587b0: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x0000804587c0: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x0000804587d0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0000804587e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000804587f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
qflb.wu () dbappsecurity com cn
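The report above says the 1-byte read landed "0 bytes to the right of" a fixed-size global buffer (put_chars_conv.buffer) while a consumer routine walked its contents. The following C program is an added illustration of that bug class and its fix; it is not code from Links and does not reproduce the actual defect in html_r.c. The buffer name, its 16-byte size, the HTML snippet and the space-counting consumer are all constructed for the example: a producer fills a global buffer to capacity without a NUL terminator, an unchecked consumer treats it as a C string and steps one byte past the end, and a hardened consumer uses the byte count instead.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for a fixed-size global conversion buffer such as
 * put_chars_conv.buffer. The size is an assumption for this example;
 * the real size is not stated on this page. */
#define CONV_BUF_SIZE 16
static unsigned char conv_buffer[CONV_BUF_SIZE];

/* Fill the global buffer from src, truncating at capacity. Returns the
 * number of bytes stored. Deliberately does NOT NUL-terminate: when src
 * fills the buffer completely there is no room for a terminator. */
size_t fill_conv_buffer(const char *src)
{
    size_t n = strlen(src);
    if (n > CONV_BUF_SIZE)
        n = CONV_BUF_SIZE;
    memcpy(conv_buffer, src, n);
    return n;
}

/* Vulnerable consumer: walks the buffer as if it were a C string, so it
 * reads conv_buffer[CONV_BUF_SIZE] when the buffer is full. AddressSanitizer
 * reports that read as "global-buffer-overflow ... 0 bytes to the right of
 * 'conv_buffer'", the same shape as the report above. */
size_t count_spaces_unchecked(const unsigned char *s)
{
    size_t spaces = 0;
    while (*s) {            /* BUG: assumes a terminator that may not exist */
        if (*s == ' ')
            spaces++;
        s++;
    }
    return spaces;
}

/* Hardened consumer: the caller passes the byte count returned by
 * fill_conv_buffer, so the loop never touches s[len]. */
size_t count_spaces_checked(const unsigned char *s, size_t len)
{
    size_t spaces = 0;
    for (size_t i = 0; i < len; i++) {
        if (s[i] == ' ')
            spaces++;
    }
    return spaces;
}

/* Convenience wrapper: load src into the global buffer, then count with the
 * length-aware consumer. */
size_t spaces_in(const char *src)
{
    size_t len = fill_conv_buffer(src);
    return count_spaces_checked(conv_buffer, len);
}

int main(void)
{
    /* Constructed input that exactly fills the 16-byte buffer, leaving no
     * room for a NUL terminator. */
    const char *full = "<p>a b c d e</p>";
    size_t len = fill_conv_buffer(full);
    printf("checked: %zu spaces in %zu bytes\n",
           count_spaces_checked(conv_buffer, len), len);
#ifdef SHOW_BUG
    /* Build with: cc -g -fsanitize=address -DSHOW_BUG example.c
     * to get an ASan global-buffer-overflow report for this read. */
    printf("unchecked: %zu\n", count_spaces_unchecked(conv_buffer));
#endif
    return 0;
}
```

Compiled normally the unchecked walk usually returns a plausible number because the byte after the array happens to be zero, which is why such over-reads survive in shipped releases; only an instrumented build (ASan, Valgrind) or a fuzzer makes the extra read visible, as the -dump run above did. The fix is the one the length-aware consumer shows: carry the byte count alongside every fixed-size buffer and never infer the end of data from a terminator that the producer is not guaranteed to write.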
I don't care if a CVE was assigned (I can't find it atm at https://nvd.nist.gov/vuln/full-listing ). A buffer over read of size 1 in a command line tool is not a security risk.
Denial of Service can be a vulnerability even in a command line tool; this might e.g. stop certain workflows in automated systems. We generally don't analyze the vulnerabilities to a great extent for our tracking downstream and certainly don't allow maintainers to make that determination without prior discussion with the security team.
The details are at https://nvd.nist.gov/vuln/detail/CVE-2017-11114 , if disagreeing dispute it upstream.
Upstream has yet to provide a fix for this CVE. Not sure links is still maintained. Debian still ships the same version as us, by reading the links ChangeLog file.
Should we last rite this package? :/
RedHat has this fixed in: links-2.17-1.fc29
Monsieurp can you please evaluate and see if we can address this vulnerability.
I read about this CVE in links ChangeLog file for 2.15 release too. Not sure if it's a complete fix or what, but still only 2.14 in stable tree.
(In reply to Mart Raudsepp from comment #5)
> I read about this CVE in links ChangeLog file for 2.15 release too. Not sure
> if it's a complete fix or what, but still only 2.14 in stable tree.
Yep, fixed in 2.15: http://links.twibright.com/download/ChangeLog.
Tree is clean. Tentatively marking [glsa?] but this is pretty old.
GLSA Vote: No
Arches and Maintainer(s), Thank you for your work.