MDKSA-2005:186 - Updated lynx packages fix remote buffer overflow

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: MDKSA-2005:186 - Updated lynx packages fix remote buffer overflow
From: Mandriva Security Team <security@xxxxxxxxxxxx>
Date: Tue, 18 Oct 2005 05:16:03 -0600
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Sender: QATeam User <qateam@xxxxxxxxxxxxxxxxxxxx>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           lynx
 Advisory ID:            MDKSA-2005:186
 Date:                   October 17th, 2005

 Affected versions:      10.1, 10.2, 2006.0, Corporate 3.0,
                         Corporate Server 2.1,
                         Multi Network Firewall 2.0
 ______________________________________________________________________

 Problem Description:

 Ulf Harnhammar discovered a remote buffer overflow in lynx versions
 2.8.2 through 2.8.5.
 
 When Lynx connects to an NNTP server to fetch information about the
 available articles in a newsgroup, it will call a function called
 HTrjis() with the information from certain article headers. The
 function adds missing ESC characters to certain data, to support
 Asian character sets. However, it does not check if it writes outside
 of the char array buf, and that causes a remote stack-based buffer
 overflow, with full control over EIP, EBX, EBP, ESI and EDI.                   
 
                                                                                
 
 Two attack vectors to make a victim visit a URL to a dangerous news
 server are: (a) *redirecting scripts*, where the victim visits some
 web page and it redirects automatically to a malicious URL, and
 (b) *links in web pages*, where the victim visits some web page
 and selects a link on the page to a malicious URL. Attack vector
 (b) is helped by the fact that Lynx does not automatically display
 where links lead to, unlike many graphical web browsers.                 
 
 The updated packages have been patched to address this issue.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3120
 ______________________________________________________________________

 Updated Packages:
  
 Mandrivalinux 10.1:
 03a47f29118c2291a3bf9a355273560c  10.1/RPMS/lynx-2.8.5-1.1.101mdk.i586.rpm
 0e7e4cd9c64861a7d0a284fb6b9be9e3  10.1/SRPMS/lynx-2.8.5-1.1.101mdk.src.rpm

 Mandrivalinux 10.1/X86_64:
 657c0cd7d9226c5b1f8b57c19e72f657  
x86_64/10.1/RPMS/lynx-2.8.5-1.1.101mdk.x86_64.rpm
 0e7e4cd9c64861a7d0a284fb6b9be9e3  
x86_64/10.1/SRPMS/lynx-2.8.5-1.1.101mdk.src.rpm

 Mandrivalinux 10.2:
 e81251fccbdd21bdaebd963e6e2ed1d2  10.2/RPMS/lynx-2.8.5-1.1.102mdk.i586.rpm
 6e5cceb1a9bdf36e7f8eab2ecc08799f  10.2/SRPMS/lynx-2.8.5-1.1.102mdk.src.rpm

 Mandrivalinux 10.2/X86_64:
 411f4dc65bf8c58a55a92cdb3be9ef53  
x86_64/10.2/RPMS/lynx-2.8.5-1.1.102mdk.x86_64.rpm
 6e5cceb1a9bdf36e7f8eab2ecc08799f  
x86_64/10.2/SRPMS/lynx-2.8.5-1.1.102mdk.src.rpm

 Mandrivalinux 2006.0:
 ee92cfae1cce73b8084cf6ad2c6d1381  2006.0/RPMS/lynx-2.8.5-4.1.20060mdk.i586.rpm
 a022a76a884e198cf4f331a4d71c7d20  2006.0/SRPMS/lynx-2.8.5-4.1.20060mdk.src.rpm

 Mandrivalinux 2006.0/X86_64:
 46833e32f2c958d8fb544654efd4ab83  
x86_64/2006.0/RPMS/lynx-2.8.5-4.1.20060mdk.x86_64.rpm
 a022a76a884e198cf4f331a4d71c7d20  
x86_64/2006.0/SRPMS/lynx-2.8.5-4.1.20060mdk.src.rpm

 Multi Network Firewall 2.0:
 f43a161be8fb6049d3f2361b5ead799a  mnf/2.0/RPMS/lynx-2.8.5-1.1.M20mdk.i586.rpm
 570c3679d4d38e62c21e570ab37f5bfe  mnf/2.0/SRPMS/lynx-2.8.5-1.1.M20mdk.src.rpm

 Corporate Server 2.1:
 b18b5f89f3a8389362a9f67acfb87a2c  
corporate/2.1/RPMS/lynx-2.8.5-0.10.2.C21mdk.dev.8.i586.rpm
 3d6af86d010f884152fd30f7fdd0bcb9  
corporate/2.1/SRPMS/lynx-2.8.5-0.10.2.C21mdk.dev.8.src.rpm

 Corporate Server 2.1/X86_64:
 d4e5c0107a09cef8d142ca666d049303  
x86_64/corporate/2.1/RPMS/lynx-2.8.5-0.10.2.C21mdk.dev.8.x86_64.rpm
 3d6af86d010f884152fd30f7fdd0bcb9  
x86_64/corporate/2.1/SRPMS/lynx-2.8.5-0.10.2.C21mdk.dev.8.src.rpm

 Corporate 3.0:
 970bef84ca43e8855569efad58455c47  
corporate/3.0/RPMS/lynx-2.8.5-1.1.C30mdk.i586.rpm
 c456757c4be351906911fc7827ffb348  
corporate/3.0/SRPMS/lynx-2.8.5-1.1.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 5df091387574a783a1a9cae4008f7dcb  
x86_64/corporate/3.0/RPMS/lynx-2.8.5-1.1.C30mdk.x86_64.rpm
 c456757c4be351906911fc7827ffb348  
x86_64/corporate/3.0/SRPMS/lynx-2.8.5-1.1.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDVNlzmqjQ0CJFipgRAiK/AKDjzBUwzaHQMJdid4dk85XnzAyFRQCgukjX
uETiVPPn6yJFpJUZwhcA1oo=
=6SF+
-----END PGP SIGNATURE-----

Prev by Date: SECURECon 2006 Call for papers!
Next by Date: Re: [Full-disclosure] Ciscos VPN-Client-Passwords can be decrypted
Previous by thread: SECURECon 2006 Call for papers!
Next by thread: NetFlow Analyzer 4 XSS Vulnerability
Index(es):
- Date
- Thread