Bug 1522617 (CVE-2017-1000211)

Summary: CVE-2017-1000211 lynx: Use after free in HTML.c:HTML_put_string() can lead to memory disclosure
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: kdudka
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: lynx 2.8.9dev.16 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-12-12 10:01:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1522618, 1522619    
Bug Blocks: 1522622    

Description Sam Fowler 2017-12-06 06:06:04 UTC
Lynx before 2.8.9dev.16 is vulnerable to a use after free in the HTML parser resulting in memory disclosure, because HTML.c:HTML_put_string() can append a chunk onto itself.


Comment 1 Sam Fowler 2017-12-06 06:06:34 UTC
Created lynx tracking bugs for this issue:

Affects: fedora-25 [bug 1522618]
Affects: fedora-26 [bug 1522619]

Comment 2 Kamil Dudka 2017-12-06 08:58:30 UTC
It makes no sense to create tracking bugs for each release of Fedora separately when they both describe the same issue.  Moreover, Fedora 25 will shortly reach EOL, so the f25 update would hardly ever reach stable update repositories...

Comment 4 Stefan Cornelius 2017-12-12 10:01:43 UTC

This issue did not affect the versions of lynx as shipped with Red Hat Enterprise Linux 5 and 6.

This issue affects the versions of lynx as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.