Bug 1522617 – CVE-2017-1000211 lynx: Use after free in HTML.c:HTML_put_string() can lead to memory disclosure

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1522617 - (CVE-2017-1000211) CVE-2017-1000211 lynx: Use after free in HTML.c:HTML_put_string() can lead to memory disclosure

Summary:	CVE-2017-1000211 lynx: Use after free in HTML.c:HTML_put_string() can lead to...

Status:	CLOSED WONTFIX

Aliases:	CVE-2017-1000211

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20171206,reported=2...
Keywords:	Security

Depends On:	1522618 1522619
Blocks:	1522622
	Show dependency tree / graph

Reported:	2017-12-06 01:06 EST by Sam Fowler
Modified:	2017-12-12 05:01 EST (History)
CC List:	1 user (show)

See Also:
Fixed In Version:	lynx 2.8.9dev.16
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2017-12-12 05:01:35 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Sam Fowler 2017-12-06 01:06:04 EST

Lynx before 2.8.9dev.16 is vulnerable to a use after free in the HTML parser resulting in memory disclosure, because HTML.c:HTML_put_string() can append a chunk onto itself.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000211
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000211.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000211
https://github.com/ThomasDickey/lynx-snapshots/commit/280a61b300a1614f6037efc0902ff7ecf17146e9

Comment 1 Sam Fowler 2017-12-06 01:06:34 EST

Created lynx tracking bugs for this issue:

Affects: fedora-25 [bug 1522618]
Affects: fedora-26 [bug 1522619]

Comment 2 Kamil Dudka 2017-12-06 03:58:30 EST

It makes no sense to create tracking bugs for each release of Fedora separately when they both describe the same issue.  Moreover, Fedora 25 will shortly reach EOL, so the f25 update would hardly ever reach stable update repositories...

Comment 4 Stefan Cornelius 2017-12-12 05:01:43 EST

Statement:

This issue did not affect the versions of lynx as shipped with Red Hat Enterprise Linux 5 and 6.

This issue affects the versions of lynx as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Note You need to log in before you can comment on or make changes to this bug.