Bug 297611 (CVE-2007-5034)

Summary: CVE-2007-5034 elinks reveals POST data to HTTPS proxy
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: kreilly, ovasik
Keywords: Security
Hardware: All
OS: Linux
URL: http://bugzilla.elinks.cz/show_bug.cgi?id=937
Whiteboard: source=vendorsec,reported=20070919,public=20070224,impact=moderate
Doc Type: Bug Fix
Last Closed: 2008-01-07 13:39:59 UTC
Bug Depends On: 297981, 297991, 303881, 303891, 303901, 303911, 833893
Attachments:
  0.10.6 upstream patch (flags: none)
  Upstream patch for 0.11.1 (flags: none)

Description Tomas Hoger 2007-09-20 09:42:01 UTC
The following problem was reported to the elinks bugzilla [1]:

If ELinks is making a POST request to an https URL, and a proxy has been defined
for https, ELinks takes the body and Content-* headers of the POST request and
adds them to the CONNECT request in cleartext.  So the proxy can now snoop all
the data that was supposed to be hidden by TLS, as can anyone between ELinks and
the proxy.  Apparently some proxies also entirely refuse such requests.

[1] http://bugzilla.elinks.cz/show_bug.cgi?id=937

Fixed in 0.11.3, upstream bugzilla contains references to GIT commits in various
branches.
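
The check below is an added example, not part of the bug report or of ELinks: it inspects the bytes a client writes to a proxy and flags a CONNECT request that carries Content-* headers or non-TLS data, the condition described above. The function name `audit_connect` and the sample requests are assumptions constructed for illustration.

```python
# Added example: audit what a client sends to an HTTPS proxy before the tunnel is up.
# All sample requests below are constructed for illustration.

def audit_connect(raw: bytes) -> list[str]:
    """Return findings for one client-to-proxy request captured as raw bytes."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["incomplete request: no end-of-headers marker"]
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT":
        return []  # not a tunnel request, nothing to audit here
    findings = []
    for line in lines[1:]:
        name, colon, _value = line.partition(":")
        if colon and name.strip().lower().startswith("content-"):
            # Report the header name only, so the audit log does not copy the data.
            findings.append(f"entity header on CONNECT: {name.strip()}")
    # Bytes after the blank line are fine only if they are the start of TLS
    # (handshake record, type 0x16, major version 3); anything else is cleartext.
    if rest and not rest.startswith(b"\x16\x03"):
        findings.append(f"{len(rest)} cleartext byte(s) after CONNECT headers")
    return findings


# Constructed: the shape the report describes, POST body and Content-* on CONNECT.
LEAKY = (
    b"CONNECT shop.example:443 HTTP/1.1\r\n"
    b"Host: shop.example:443\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"user=alice&password=hunter2"
)
# Constructed: what a correct client sends; the POST travels inside TLS afterwards.
CLEAN = b"CONNECT shop.example:443 HTTP/1.1\r\nHost: shop.example:443\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("leaky", LEAKY), ("clean", CLEAN)):
        print(label, audit_connect(req) or "ok")
```

The input is assumed to be the client's bytes up to the proxy's first reply, for example the client side of a reassembled stream from a test capture.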

Comment 1 Tomas Hoger 2007-09-20 09:54:36 UTC
Support for HTTPS proxy was introduced in elinks version 0.5rc1.  The version of
elinks shipped in Red Hat Enterprise Linux 3 is therefore not vulnerable.
Also, links as shipped in Red Hat Enterprise Linux 2.1 does not provide HTTPS
proxy support and is not affected by this problem.

Comment 2 Ondrej Vasik 2007-09-20 11:42:43 UTC
OK, so it seems that the affected supported versions are FC-6, F-7, RHEL4 and
RHEL5, because devel contains version 0.11.3.  I will update the versions for
Fedora, because that is the easiest way; for RHEL4 and RHEL5 we should discuss
how to proceed.

Comment 4 Tomas Hoger 2007-09-20 12:06:50 UTC
Thanks Ondrej for feedback.  Created tracking bugs for current Fedora versions.

Comment 5 Josh Bressers 2007-09-24 19:26:03 UTC
Created attachment 204441
0.10.6 upstream patch

Comment 6 Josh Bressers 2007-09-24 19:26:55 UTC
Created attachment 204461
Upstream patch for 0.11.1

Comment 14 Tomas Hoger 2008-01-07 13:39:59 UTC
Fixed in all affected products:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-0933.html

Fedora:
  updated to fixed upstream version