Bug 468184 (CVE-2008-4690)
| Summary: | CVE-2008-4690 lynx: remote arbitrary command execution via a crafted lynxcgi: URL | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | high | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | unspecified | CC: | jmoskovc, kreilly, mjc, rcvalle | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2008-12-03 07:29:49 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 468541, 468542, 468543, 468544, 468545, 468546, 468549, 468550, 468551, 833938 | ||||||
| Bug Blocks: | |||||||
| Attachments: |
|
||||||
|
Description
Jan Lieskovsky
2008-10-23 14:07:14 UTC
The versions of Lynx currently shipped in Red Hat Enterprise Linux 2.1, 3, 4 and 5, and Fedora 8 and 9 have original patch for CVE-2005-2929 applied. Their current behaviour is that whenever lynx is directed to open lynxcgi: URL and user has configured Novice (default) or Intermediate user mode (i.e. not Advanced), user is prompted whether command specified by the lynxcgi: URL should be executed or not. In the Advanced user mode, command is executed without user request. There seem to be two changes we can do: - set "TRUSTED_LYNXCGI:none" in the /etc/lynx.cfg file - with TRUSTED_LYNXCGI set, user in Novice or Intermediate mode will only be prompted for commands allowed by this directive, all other commands will be rejected automatically - modify original CVE-2005-2929 patch to prompt user even in the Advanced mode - i.e. remove "if (user_mode < ADVANCED_MODE)" check from can_exec_cgi I'm starting to lean towards applying both of these changes... Suggested workaround that lynx users can apply on their systems before updates are released / installed: Add "TRUSTED_LYNXCGI:none" line to the /etc/lynx-site.cfg configuration file, or temporarily switch to Novice or Intermediate user mode. Created attachment 321584 [details] Possible patch Patch with both changes mentioned in the comment #1. lynx-2.8.6-18.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/lynx-2.8.6-18.fc10 lynx-2.8.6-17.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/lynx-2.8.6-17.fc9 lynx-2.8.6-12.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/lynx-2.8.6-12.fc8 lynx-2.8.6-18.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. lynx-2.8.6-17.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. lynx-2.8.6-12.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report. This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0965.html Fedora: https://admin.fedoraproject.org/updates/F10/FEDORA-2008-9952 https://admin.fedoraproject.org/updates/F8/FEDORA-2008-9597 https://admin.fedoraproject.org/updates/F9/FEDORA-2008-9550 |