Red Hat Bugzilla – Bug 468184
CVE-2008-4690 lynx: remote arbitrary command execution via a crafted lynxcgi: URL
Last modified: 2012-06-20 10:22:43 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4690 to
the following vulnerability:
lynx 2.8.6dev.15 and earlier, when advanced mode is enabled and lynx
is configured as a URL handler, allows remote attackers to execute
arbitrary commands via a crafted lynxcgi: URL, a related issue to
CVE-2005-2929. NOTE: this might only be a vulnerability in limited
deployments that have defined a lynxcgi: handler.
Affected Lynx versions: 2.8.6dev.15 and earlier
The versions of Lynx currently shipped in Red Hat Enterprise Linux 2.1, 3, 4 and 5, and Fedora 8 and 9 have original patch for CVE-2005-2929 applied. Their current behaviour is that whenever lynx is directed to open lynxcgi: URL and user has configured Novice (default) or Intermediate user mode (i.e. not Advanced), user is prompted whether command specified by the lynxcgi: URL should be executed or not. In the Advanced user mode, command is executed without user request.
There seem to be two changes we can do:
- set "TRUSTED_LYNXCGI:none" in the /etc/lynx.cfg file
- with TRUSTED_LYNXCGI set, user in Novice or Intermediate mode will only
be prompted for commands allowed by this directive, all other commands
will be rejected automatically
- modify original CVE-2005-2929 patch to prompt user even in the Advanced mode
- i.e. remove "if (user_mode < ADVANCED_MODE)" check from can_exec_cgi
I'm starting to lean towards applying both of these changes...
Suggested workaround that lynx users can apply on their systems before updates are released / installed:
Add "TRUSTED_LYNXCGI:none" line to the /etc/lynx-site.cfg configuration file, or temporarily switch to Novice or Intermediate user mode.
Created attachment 321584 [details]
Patch with both changes mentioned in the comment #1.
lynx-2.8.6-18.fc10 has been submitted as an update for Fedora 10.
lynx-2.8.6-17.fc9 has been submitted as an update for Fedora 9.
lynx-2.8.6-12.fc8 has been submitted as an update for Fedora 8.
lynx-2.8.6-18.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
lynx-2.8.6-17.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
lynx-2.8.6-12.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Red Hat Enterprise Linux: