Bug 468184 (CVE-2008-4690) - CVE-2008-4690 lynx: remote arbitrary command execution via a crafted lynxcgi: URL
Summary: CVE-2008-4690 lynx: remote arbitrary command execution via a crafted lynxcgi:...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-4690
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 468541 468542 468543 468544 468545 468546 468549 468550 468551 833938
Blocks:
 
Reported: 2008-10-23 14:07 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:26 UTC (History)
CC List: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-12-03 07:29:49 UTC
Embargoed:


Attachments
Possible patch (857 bytes, patch)
2008-10-27 07:40 UTC, Tomas Hoger


Links
Red Hat Product Errata RHSA-2008:0965 (Private: 0, Priority: normal, Status: SHIPPED_LIVE): Important: lynx security update, last updated 2008-10-27 17:09:50 UTC

Description Jan Lieskovsky 2008-10-23 14:07:14 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4690 to
the following vulnerability:

lynx 2.8.6dev.15 and earlier, when advanced mode is enabled and lynx
is configured as a URL handler, allows remote attackers to execute
arbitrary commands via a crafted lynxcgi: URL, a related issue to
CVE-2005-2929. NOTE: this might only be a vulnerability in limited
deployments that have defined a lynxcgi: handler.

Affected Lynx versions: 2.8.6dev.15 and earlier

References:
http://www.openwall.com/lists/oss-security/2008/10/09/2

Comment 1 Tomas Hoger 2008-10-25 18:40:09 UTC
The versions of Lynx currently shipped in Red Hat Enterprise Linux 2.1, 3, 4 and 5, and Fedora 8 and 9 have the original patch for CVE-2005-2929 applied.  Their current behaviour is that whenever lynx is directed to open a lynxcgi: URL and the user has configured Novice (default) or Intermediate user mode (i.e. not Advanced), the user is prompted whether the command specified by the lynxcgi: URL should be executed or not.  In the Advanced user mode, the command is executed without prompting the user.

There seem to be two changes we can do:
- set "TRUSTED_LYNXCGI:none" in the /etc/lynx.cfg file
  - with TRUSTED_LYNXCGI set, user in Novice or Intermediate mode will only
    be prompted for commands allowed by this directive, all other commands
    will be rejected automatically
- modify original CVE-2005-2929 patch to prompt user even in the Advanced mode
  - i.e. remove "if (user_mode < ADVANCED_MODE)" check from can_exec_cgi

I'm starting to lean towards applying both of these changes...

Comment 4 Tomas Hoger 2008-10-25 18:52:08 UTC
Suggested workaround that lynx users can apply on their systems before updates are released / installed:

Add "TRUSTED_LYNXCGI:none" line to the /etc/lynx-site.cfg configuration file, or temporarily switch to Novice or Intermediate user mode.
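
The two mitigations discussed in comment #1 and comment #4 (the TRUSTED_LYNXCGI:none directive, and not running in Advanced mode) can be audited with a small script. The following is an added example written for this page; it is not code from the bug report, the lynx project or the Red Hat update. It assumes the usual lynx configuration keys (DEFAULT_USER_MODE in lynx.cfg and lynx-site.cfg, user_mode in ~/.lynxrc, with the per-user value winning and lynx-site.cfg read after lynx.cfg as Red Hat's packaging INCLUDEs it), uses constructed sample files rather than the real /etc/lynx.cfg, and the function names lynxcgi_restricted, effective_user_mode and lynxcgi_verdict are illustrative. The verdict describes an unpatched build; once the updated package from this bug is installed, the prompt appears in every user mode.

```shell
#!/bin/sh
# Added example for this page, not code from the bug report or the lynx project.
# Audits a lynx configuration for the CVE-2008-4690 workaround from comment #4.
#
# Assumed (not stated on the page): DEFAULT_USER_MODE:<mode> in lynx.cfg or
# lynx-site.cfg and user_mode=<mode> in ~/.lynxrc select the user mode, with the
# .lynxrc value winning and lynx-site.cfg read after lynx.cfg; lynx's built-in
# default mode is NOVICE.  From the page: "TRUSTED_LYNXCGI:none" rejects every
# lynxcgi: command, and an unpatched build skips the prompt only in ADVANCED mode.

# cfg_value FILE KEY SEP: print the value of the last uncommented KEY line
# (SEP is ':' for lynx.cfg style, '=' for .lynxrc), upper-cased; print
# nothing if FILE is unreadable or KEY is absent.
cfg_value() {
    [ -r "$1" ] || return 0
    grep -i "^[[:space:]]*$2[[:space:]]*$3" "$1" | tail -n 1 |
        sed "s/^[^$3]*$3[[:space:]]*//" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# lynxcgi_restricted FILE...: succeed if any file has an uncommented
# TRUSTED_LYNXCGI:none line (the directive from comment #1 / #4).
lynxcgi_restricted() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        if grep -iq '^[[:space:]]*TRUSTED_LYNXCGI[[:space:]]*:[[:space:]]*none[[:space:]]*$' "$f"; then
            return 0
        fi
    done
    return 1
}

# effective_user_mode LYNX_CFG SITE_CFG LYNXRC: the mode lynx would run in.
effective_user_mode() {
    mode=$(cfg_value "$3" user_mode =)
    [ -n "$mode" ] || mode=$(cfg_value "$2" DEFAULT_USER_MODE :)
    [ -n "$mode" ] || mode=$(cfg_value "$1" DEFAULT_USER_MODE :)
    [ -n "$mode" ] || mode=NOVICE
    printf '%s\n' "$mode"
}

# lynxcgi_verdict LYNX_CFG SITE_CFG LYNXRC: what an unpatched lynx would do
# with a crafted lynxcgi: URL under this configuration.
#   restricted - TRUSTED_LYNXCGI:none in place, command rejected outright
#   prompted   - Novice/Intermediate mode, user asked before execution
#   exposed    - Advanced mode and no restriction: command runs unprompted
lynxcgi_verdict() {
    if lynxcgi_restricted "$1" "$2"; then
        echo restricted
    elif [ "$(effective_user_mode "$1" "$2" "$3")" = ADVANCED ]; then
        echo exposed
    else
        echo prompted
    fi
}

# Demonstration on constructed sample files (not real system configuration).
demo() {
    d=$(mktemp -d) || return 1
    printf 'DEFAULT_USER_MODE:NOVICE\n' > "$d/lynx.cfg"
    printf '# TRUSTED_LYNXCGI:none\n' > "$d/lynx-site.cfg"   # commented out: no effect
    printf 'user_mode=ADVANCED\n' > "$d/lynxrc"               # per-user override
    printf 'before workaround: %s\n' "$(lynxcgi_verdict "$d/lynx.cfg" "$d/lynx-site.cfg" "$d/lynxrc")"
    printf 'TRUSTED_LYNXCGI:none\n' >> "$d/lynx-site.cfg"     # apply the workaround
    printf 'after workaround:  %s\n' "$(lynxcgi_verdict "$d/lynx.cfg" "$d/lynx-site.cfg" "$d/lynxrc")"
    rm -rf "$d"
}
demo
```

Point the three arguments at /etc/lynx.cfg, /etc/lynx-site.cfg and a user's ~/.lynxrc to check a real host; a commented-out directive, as in the sample lynx-site.cfg, is deliberately not counted, since only an uncommented TRUSTED_LYNXCGI:none line changes lynx's behaviour.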

Comment 7 Tomas Hoger 2008-10-27 07:40:59 UTC
Created attachment 321584 [details]
Possible patch

Patch with both changes mentioned in the comment #1.

Comment 9 Fedora Update System 2008-11-10 12:01:23 UTC
lynx-2.8.6-18.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/lynx-2.8.6-18.fc10

Comment 10 Fedora Update System 2008-11-10 12:28:16 UTC
lynx-2.8.6-17.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/lynx-2.8.6-17.fc9

Comment 11 Fedora Update System 2008-11-10 12:30:05 UTC
lynx-2.8.6-12.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/lynx-2.8.6-12.fc8

Comment 12 Fedora Update System 2008-12-03 01:19:09 UTC
lynx-2.8.6-18.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2008-12-03 01:19:15 UTC
lynx-2.8.6-17.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2008-12-03 01:24:53 UTC
lynx-2.8.6-12.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

