Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 152832

Summary: Lynx issues (CVE-2005-2929 and CVE-2005-3120)
Product: [Retired] Fedora Legacy Reporter: John Dalbec <jpdalbec>
Component: lynxAssignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: high    
Version: unspecifiedCC: deisenst, dickey, jimpop, pekkas, redhat-bugzilla, sheltren
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: LEGACY, 1, 2, rh73, rh9
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-12-18 05:03:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
More info
none
More info none

Description David Lawrence 2005-03-30 23:29:00 UTC 
04.42.20 CVE: Not Available
Platform: Cross Platform
Title: Lynx Malformed HTML Infinite Loop Denial of Service
Description: The Lynx web browser is vulnerable to a denial of service
condition while handling certain malformed HTML pages. This issue
sends the software into an infinite loop, consuming CPU resources for
the system.
Ref: http://www.securityfocus.com/archive/1/378632



------- Additional Comments From jpdalbec 2004-12-08 10:23:17 ----

backtrace:
#0  0x4207a7eb in chunk_alloc () from /lib/i686/libc.so.6
#1  0x4207a158 in malloc () from /lib/i686/libc.so.6
#2  0x08057c22 in mem_is_avail ()
#3  0x08057c6d in LY_check_calloc ()
#4  0x0805a208 in split_line ()
#5  0x0805c46d in HText_appendCharacter ()
#6  0x0809d9a5 in HTML_put_character ()
#7  0x080ac491 in HTML_end_element ()
#8  0x080e1ade in SGML_free ()
#9  0x080f30ce in HTMIME_free ()
#10 0x080d3906 in HTLoadHTTP ()
#11 0x080cfcf3 in HTLoad ()
#12 0x080d00f6 in HTLoadDocument ()
#13 0x080d0626 in HTLoadAbsolute ()
#14 0x0806ae79 in getfile ()
#15 0x08078bbe in mainloop ()
#16 0x0806da93 in main ()
#17 0x42017589 in __libc_start_main () from /lib/i686/libc.so.6




------- Additional Comments From pekkas 2005-02-15 06:56:02 ----

FWIW, Red Hat has not released updates to this.



------- Bug moved to this database by dkl 2005-03-30 18:29 -------

This bug previously known as bug 2215 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2215
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P3. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity minor. Setting to default severity "normal".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.
Comment 1 TSUDA Fumika 2005-05-03 03:19:45 UTC 
CVE: CAN-2004-1617
Comment 2 Thomas E. Dickey 2005-05-15 23:07:37 UTC 
That was fixed in lynx development several months ago -
2004-11-07 (2.8.6dev.8)
Comment 3 David Eisenstein 2005-11-12 04:37:48 UTC 
Red Hat has in the last month issued two new CRITICAL security advisories for
Lynx.

1)  RHSA-2005:803-01 <http://rhn.redhat.com/errata/RHSA-2005-803.html>

    Ulf Harnhammar discovered a stack overflow bug in Lynx when handling
    connections to NNTP (news) servers.  An attacker could create a web page
    redirecting to a malicious news server which could execute arbitrary
    code as the user running lynx.  The Common Vulnerabilities and Exposures
    project assigned the name CAN-2005-3120 to this issue.

    References:

    * CVE-2005-3120
      <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3210>
    * Full-disclosure:
  <http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038019.html>
    * Bugzilla Bug # 170253

2)  RHSA-2005:839-01  <http://rhn.redhat.com/errata/RHSA-2005-839.html>

    An arbitrary command execute bug was found in the lynx "lynxcgi:" URI
    handler. An attacker could create a web page redirecting to a malicious
    URL which could execute arbitrary code as the user running lynx. The
    Common Vulnerabilities and Exposures project assigned the name
    CVE-2005-2929 to this issue.

    References:

    * CVE-2005-2929
      <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2929>
    * Full-disclosure:
      <http://marc.theaimsgroup.com/?l=full-disclosure&m=113172754719215&w=2>
    * RH Bugzilla Bug # 172972

It looks like Red Hat never did issue any errata for the original bug this
ticket was opened for, CAN-2004-1617.
Comment 4 David Eisenstein 2005-11-12 06:09:23 UTC 
Created attachment 120975 [details]
More info


The severity of this bug ticket should be raised to HIGH
The two CRITICAL bugs affect RHL 7.3, RHL 9, FC1 and FC2.
Comment 5 Jeff Sheltren 2005-11-12 12:11:24 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've created packages fixing CVE-2005-2929 and CVE-2005-3120
I skipped CAN-2004-1617 (the initial report in this bug), since
RedHat hasn't fixed that either - do we want to fix this?

Anyway, here are the packages:
http://www.cs.ucsb.edu/~jeff/legacy/lynx/

rh73:
d56b869942f18a62ad65d6906609a757356ba5ee  lynx-2.8.4-18.2.legacy.src.rpm
rh9:
f5215490250faba74aafcccec1cf60c5e8d43d5c  lynx-2.8.5-11.1.legacy.src.rpm
fc1:
ee27d0cf0611b5dd3ea4c05b8dc2ac2e94fb529c  lynx-2.8.5-13.1.legacy.src.rpm
fc2:
4d964ea8218868bd1c5d725c4ac3cbdc9c5a4915  lynx-2.8.5-15.1.legacy.src.rpm

Patches all come from RHEL sources.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDddxtKe7MLJjUbNMRAkr3AKDPBmbwE0VqtcPpHPi9Q/8vav8VoQCfXBjl
FQKONDVPfiJfgcK/sFqXSMg=
=EghG
-----END PGP SIGNATURE-----
Comment 6 Pekka Savola 2005-11-13 18:03:12 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
 - source integrity OK
 - spec file changes minimal
 - patches verified to come from RHEL and are OK

+PUBLISH RHL73, RHL9, FC1, FC2

d56b869942f18a62ad65d6906609a757356ba5ee  lynx-2.8.4-18.2.legacy.src.rpm
f5215490250faba74aafcccec1cf60c5e8d43d5c  lynx-2.8.5-11.1.legacy.src.rpm
ee27d0cf0611b5dd3ea4c05b8dc2ac2e94fb529c  lynx-2.8.5-13.1.legacy.src.rpm
4d964ea8218868bd1c5d725c4ac3cbdc9c5a4915  lynx-2.8.5-15.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFDd4BzGHbTkzxSL7QRAi+qAJ9zbeQD+k9BNYCbj32IMNlKIjoEBgCgnB2v
79dfvTFs735/TY4BdvO5EJA=
=7IFT
-----END PGP SIGNATURE-----
Comment 7 David Eisenstein 2005-11-13 23:14:33 UTC 
Created attachment 121001 [details]
More info

Typo in previous attachment.
Comment 8 Marc Deslauriers 2005-11-15 04:57:20 UTC 
pushed to updates-testing
Comment 9 Tom Yates 2005-11-15 12:32:26 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

e3f8bdd24f77bd9122afe9550b1711ec39580c30 lynx-2.8.5-11.2.legacy.i386.rpm

installs OK.  http and https pages browse OK.  i don't have access to an
NNTP server from the updated machine, so cannot check news: URL handling
other than to access one and note that it fails because it can't talk to
news.harvard.net.

+VERIFY RH9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDedXlePtvKV31zw4RAjl4AJ4haBaiBkuQd52lRRSTq51aSBpZ6ACeNwXD
k8C/oXPIxXq0qDaSDB3zXRI=
=J9lQ
-----END PGP SIGNATURE-----
Comment 10 Pekka Savola 2005-11-16 06:46:01 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA for RHL73: the checksum is valid; lynx browsing on a couple of pages
seems to work as normal.
 
+VERIFY RHL73
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFDetYnGHbTkzxSL7QRAkw3AKC49hPrjk8X22UZCXVwDvYI7ZNwmgCgv4Ir
OkyDB+Th603a+Je0RONsYSE=
=y/Yp
-----END PGP SIGNATURE-----


Timeout in two weeks.
Comment 11 David Eisenstein 2005-11-17 11:02:16 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for FC1 lynx in updates-testing.

f9a79fc5425d1d853614c53c1ab158c9328c3078  lynx-2.8.5-13.2.legacy.i386.rpm

  * RPM signatures fine
  * sha1sum fine
  * rpm-build-compare.sh compares well (incidentally, my version of that shell
    script is at <http://tinyurl.com/e2dsx>).
  * Installs well.
  * Reads Eric S. Raymond's website without breaking, strangely enough.
  * Does fine with https:// pages.
  * Reads 850 pages of news.gmane.org newsgroups just fine; goes to
    gmane.comp.security.full-disclosure just fine; reads posted messages
    okay, though it's not pretty when reading MIME messages.  
    <nntp://news.gmane.org/gmane.comp.security.full-disclosure>
  * Didn't try posting nntp.
  * Lynx is not my favorite usenet news reader.

   VERIFY++ FC1

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDfGOkxou1V/j9XZwRAjYnAKCXn0/jlyp1mXwhac8ji2ZX16ln8QCgjZez
t0k3rC2yQgs9OAV0l/CbVaw=
=97RJ
-----END PGP SIGNATURE-----
Comment 12 Pekka Savola 2005-11-29 17:31:08 UTC 
Timeout over.
Comment 13 Jim Popovitch 2005-12-05 02:58:15 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

++VERIFIED RH73

Works well.  Could not reproduce oo loop.

f90ed394ffb119c628f30cbe24af00980e21ddec  lynx-2.8.4-18.3.legacy.i386.rpm

- -Jim P.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFDk615CgSTzgd8+fwRAvmAAJ0VWSVCgNrNhIfkOwEVjyEg8jdqtACg3IRo
7hLbTsq7SVoQuS+MPqh9lzI=
=YFpT
-----END PGP SIGNATURE-----
Comment 14 Marc Deslauriers 2005-12-18 05:03:59 UTC 
Packages were released.