An arbitrary file access flaw was found in the Elinks SMB protocol handler. A malicious web page could have caused Elinks to read or write files with the permissions of the user running Elinks. (CVE-2006-5925) RH Announcement: https://rhn.redhat.com/errata/RHSA-2006-0742.html Looks like this was "fixed" in RHEL4 by disabling SMB within elinks - any objections to doing similar for FC3/FC4?
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Since it turns out smb is disabled within elinks on all RHEL versions, I think we should be safe to do the same. I've created updated packages for FC3 and FC4 to fix this issue. The FC3 package uses the patch from EL4. For the FC4 package, I have simply added the "--disable-smb" flag to the configure line in the spec. This seems cleaner to me than creating a new patch, especially since I know very little about automake and autoconf :) FC3: http://www.cs.ucsb.edu/~jeff/legacy/elinks-0.9.2-2.2.legacy.src.rpm 6a55680e935e1a43f5dfd75bfd6a65bfebbdef03 elinks-0.9.2-2.2.legacy.src.rpm FC4: http://www.cs.ucsb.edu/~jeff/legacy/elinks-0.10.3-3.2.legacy.src.rpm 7af60eef166015d6fdeba755e1a879ac2cb52bd3 elinks-0.10.3-3.2.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) iD8DBQFFW7ndKe7MLJjUbNMRAtszAJ9FuIi8kFAViEHk8cKxe2HRa6x2bQCfYNPp bRu0QO/XRF8sAVQvlJQWqGc= =xDxD -----END PGP SIGNATURE-----
Can we close this bug?
Sure. Legacy is no longer providing security updates, so I don't see any reason to keep this open.