On Thu, Jun 01, 2006 at 10:20:21AM +0200, Martin Schulze wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 1085-1                     security@xxxxxxxxxx
> http://www.debian.org/security/                              Martin Schulze
> June 1st, 2006                          http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
>
> Package        : lynx-ssl
> Vulnerability  : several
> Problem type   : remote
> Debian-specific: no
> CVE IDs        : CVE-2004-1617 CAN-2005-3120
> BugTraq ID     : 11443
> Debian Bug     : 296340
>
>
> Several vulnerabilities have been discovered in lynx, the popular

"Several" is more than two or three. But it sounds good in an advisory,
even if inaccurate.

> text-mode WWW browser. The Common Vulnerabilities and Exposures
> Project identifies the following vulnerabilities:
>
> CVE-2004-1617
>
>     Michal Zalewski discovered that lynx is not able to grok invalid
>     HTML including a TEXTAREA tag with a large COLS value and a large
>     tag name in an element that is not terminated, and loops forever
>     trying to render the broken HTML.

This is only partly true. As I noted in the Debian bug report which is
associated with this part of the advisory on the 29th:

    The credits on the advisory are inaccurate. Quoting from Zalewski's
    original mail:

    > > * lynx_die1.html
    > >
    > > Lynx loops forever trying to render broken HTML.

    and your advisory states:

        Michal Zalewski discovered that lynx, the popular text-mode WWW
        Browser, is not able to grok invalid HTML including a TEXTAREA tag
        with a large COLS value and a large tag name in an element that is
        not terminated, and loops forever trying to render the broken HTML.
        The same code is present in lynx-ssl.

    Lynx was unaffected by the _broken_ html. It did not guard against
    the large COLS value.

Zalewski did no analysis, but wrote something that sounded nice(*)

Zalewski also stated on a followup that he had notified (as is expected
on this list) the vendors of the related programs. I'm certain this is
incorrect as well, but that's a different thread.

For this discussion, it is sufficient to point out that Martin Schulze
misattributed a substantial part of the work which was done, and that
(read the bug report) he was aware that this is incorrect.

> CAN-2005-3120
>
>     Ulf Härnhammar discovered a buffer overflow that can be remotely
>     exploited. During the handling of Asian characters when connecting
>     to an NNTP server lynx can be tricked to write past the boundary
>     of a buffer which can lead to the execution of arbitrary code.
>
> For the old stable distribution (woody) these problems have been fixed in
> version 2.8.5-2.5woody1.
>
> For the stable distribution (sarge) these problems have been fixed in
> version 2.8.6-9sarge1.

Indeed. I commented on these before, but was ignored. Perhaps you read
BugTraq, since you ignore followups to your bug reports.

> For the unstable distribution (sid) these problems will be fixed soon.

This also is inaccurate. To recap (and explain the "have been fixed"),
Ulf sent me a small patch which truncated the buffer (introducing two new
problems: incorrect URL and possibly an incomplete character sequence).
I wrote a better patch which eliminated these problems:

    * eliminate fixed-size buffers in HTrjis() and related functions to
      avoid potential buffer overflow in nntp pages (report by Ulf
      Harnhammar, CAN-2005-3120) -TD

Ulf stated also that he was a member of the Debian security team, and
requested that I not release the patch until a regular announcement of
the issue could be made. At the same time, there was ongoing coordination
with some packagers to back-port the fix (Redhat and Gentoo come to mind).

However, someone in Debian's security team blundered and released a
package with Ulf's patch. (Since many people including Ulf inspected my
patch, the reason for this is not apparent). I pointed that out and was
ignored.

> We recommend that you upgrade your lynx-cur package.

lynx-cur already has the fix (from last year).

--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net
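The message above contrasts two fixes for the CAN-2005-3120 overflow: a patch that truncates into the existing fixed-size buffer (safe from overflow, but liable to leave an incomplete character sequence) and one that removes the fixed-size buffers from HTrjis() and related functions. The following added example, which is not lynx's code and not from any participant in this thread, shows why the two differ. It assumes a simplified, hypothetical 8-bit-to-7-bit JIS conversion in which each pair of high-bit bytes is emitted with its high bits stripped inside an `ESC $ B` ... `ESC ( B` run, so the output can be up to twice as long as the input, which is exactly the situation in which a buffer sized by guesswork overflows. The sample input is constructed.

```c
/* Added example (not lynx's code): truncating into a fixed buffer versus
 * sizing the buffer from the input, for a simplified, hypothetical
 * 8-bit-to-7-bit JIS converter of the kind the advisory describes. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ESC 0x1b

/* snprintf-style converter: writes at most cap-1 bytes plus a NUL into out
 * (out may be NULL with cap 0) and returns the length the full conversion
 * needs.  It never writes past cap, whatever the input contains. */
size_t jis7_from_8bit(const char *in, char *out, size_t cap)
{
    const unsigned char *p = (const unsigned char *)in;
    size_t n = 0;      /* bytes the full conversion produces */
    int kanji = 0;     /* currently inside an ESC $ B run? */

#define PUT(c) do { if (out != NULL && n + 1 < cap) out[n] = (char)(c); n++; } while (0)
    while (*p != 0) {
        if (*p & 0x80) {
            if (p[1] == 0)
                break;                     /* dangling first byte: drop it */
            if (!kanji) { PUT(ESC); PUT('$'); PUT('B'); kanji = 1; }
            PUT(p[0] & 0x7f);              /* strip the high bit of both bytes */
            PUT(p[1] & 0x7f);
            p += 2;
        } else {
            if (kanji) { PUT(ESC); PUT('('); PUT('B'); kanji = 0; }
            PUT(*p);
            p++;
        }
    }
    if (kanji) { PUT(ESC); PUT('('); PUT('B'); }   /* always return to ASCII */
#undef PUT
    if (out != NULL && cap > 0)
        out[n < cap ? n : cap - 1] = '\0';
    return n;
}

/* Fix A (what the message says the first patch did): keep the fixed buffer
 * and stop at its end.  No overflow, but the cut can land inside a kanji or
 * an escape sequence, leaving an incomplete character sequence. */
size_t convert_truncating(const char *in, char *out, size_t cap)
{
    return jis7_from_8bit(in, out, cap);
}

/* Fix B (the approach the message describes for the lynx fix): measure the
 * output first and allocate exactly that much.  Caller frees the result. */
char *convert_growing(const char *in)
{
    size_t need = jis7_from_8bit(in, NULL, 0);
    char *buf = malloc(need + 1);
    if (buf == NULL)
        return NULL;
    jis7_from_8bit(in, buf, need + 1);
    return buf;
}

/* Validity check a receiver or a test can apply: every escape sequence
 * complete, every kanji two 7-bit bytes, and the string ends in ASCII. */
int jis7_well_formed(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    int kanji = 0;

    while (*p != 0) {
        if (*p == ESC) {
            if (p[1] == '$' && p[2] == 'B')      { kanji = 1; p += 3; }
            else if (p[1] == '(' && p[2] == 'B') { kanji = 0; p += 3; }
            else return 0;                         /* unknown or cut-off escape */
        } else if (kanji) {
            if ((p[0] & 0x80) || p[1] == 0 || p[1] == ESC || (p[1] & 0x80))
                return 0;                          /* half a kanji */
            p += 2;
        } else {
            if (*p & 0x80)
                return 0;                          /* 8-bit byte in 7-bit output */
            p++;
        }
    }
    return kanji == 0;
}

/* Constructed sample: 'A', two EUC-style kanji (0xB0A2, 0xB0A4), 'B'.
 * Six input bytes become twelve output bytes. */
static const char SAMPLE_8BIT[] = "A\xB0\xA2\xB0\xA4" "B";

int main(void)
{
    char small[8];                      /* deliberately too small */
    size_t need = convert_truncating(SAMPLE_8BIT, small, sizeof small);
    char *full = convert_growing(SAMPLE_8BIT);

    printf("needed %zu bytes, fixed buffer kept %zu, well-formed: %s\n",
           need, strlen(small), jis7_well_formed(small) ? "yes" : "no");
    if (full != NULL) {
        printf("grown buffer holds %zu bytes, well-formed: %s\n",
               strlen(full), jis7_well_formed(full) ? "yes" : "no");
        free(full);
    }
    return 0;
}
```

With the 8-byte buffer the truncating fix keeps seven bytes and stops in the middle of the second kanji, so `jis7_well_formed()` rejects the result; the sized buffer holds all twelve bytes and passes. The measure-then-allocate shape is the general pattern behind "eliminate fixed-size buffers": the only size assumption left is the one computed from the actual input.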