Bug 468184 - (CVE-2008-4690) CVE-2008-4690 lynx: remote arbitrary command execution via a crafted lynxcgi: URL
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
reported=20081007,public=20081009,sou...
Keywords: Security
Depends On: 468541 468542 468543 468544 468545 468546 468549 468550 468551 833938
Reported: 2008-10-23 10:07 EDT by Jan Lieskovsky
Modified: 2012-06-20 10:22 EDT (History)

Doc Type: Bug Fix
Last Closed: 2008-12-03 02:29:49 EST


Attachments
Possible patch (857 bytes, patch)
2008-10-27 03:40 EDT, Tomas Hoger

Description Jan Lieskovsky 2008-10-23 10:07:14 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4690 to
the following vulnerability:

lynx 2.8.6dev.15 and earlier, when advanced mode is enabled and lynx
is configured as a URL handler, allows remote attackers to execute
arbitrary commands via a crafted lynxcgi: URL, a related issue to
CVE-2005-2929. NOTE: this might only be a vulnerability in limited
deployments that have defined a lynxcgi: handler.

Affected Lynx versions: 2.8.6dev.15 and earlier

References:
http://www.openwall.com/lists/oss-security/2008/10/09/2
Comment 1 Tomas Hoger 2008-10-25 14:40:09 EDT
The versions of Lynx currently shipped in Red Hat Enterprise Linux 2.1, 3, 4 and 5, and Fedora 8 and 9 have the original patch for CVE-2005-2929 applied. Their current behaviour is that whenever lynx is directed to open a lynxcgi: URL and the user has configured Novice (default) or Intermediate user mode (i.e. not Advanced), the user is prompted whether the command specified by the lynxcgi: URL should be executed or not. In the Advanced user mode, the command is executed without prompting the user.

There seem to be two changes we can make:
- set "TRUSTED_LYNXCGI:none" in the /etc/lynx.cfg file
  - with TRUSTED_LYNXCGI set, a user in Novice or Intermediate mode will only
    be prompted for commands allowed by this directive; all other commands
    will be rejected automatically
- modify the original CVE-2005-2929 patch to prompt the user even in the Advanced mode
  - i.e. remove the "if (user_mode < ADVANCED_MODE)" check from can_exec_cgi

I'm starting to lean towards applying both of these changes...
Comment 4 Tomas Hoger 2008-10-25 14:52:08 EDT
Suggested workaround that lynx users can apply on their systems before updates are released / installed:

Add "TRUSTED_LYNXCGI:none" line to the /etc/lynx-site.cfg configuration file, or temporarily switch to Novice or Intermediate user mode.
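The workaround above, checked mechanically: an added shell example (not lynx's code and not this bug's patch) that reads lynx-style configuration files and reports whether an active TRUSTED_LYNXCGI:none line is present, treating commented-out lines as inactive. The sample file names and the path form of an allow rule are assumptions; only "none" appears in the bug.

```shell
#!/bin/sh
# Added example, not code from lynx or from this bug's patch: audit lynx config
# files for the TRUSTED_LYNXCGI workaround described above. Assumes lynx.cfg
# syntax of "KEY:value" lines with "#" comments and an exact, case-sensitive key.

# Print the lynxcgi policy implied by the given files (unreadable files are skipped):
#   restricted   - an active "TRUSTED_LYNXCGI:none" line is present
#   allowlist    - only other TRUSTED_LYNXCGI rules are present
#   unrestricted - no active rule at all, i.e. lynxcgi: URLs are not filtered
lynxcgi_policy() {
    policy=unrestricted
    for cfg in "$@"; do
        [ -r "$cfg" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            # Trim surrounding whitespace, then skip blank and comment lines.
            rule=${line#"${line%%[![:space:]]*}"}
            rule=${rule%"${rule##*[![:space:]]}"}
            case "$rule" in
                ''|\#*) continue ;;
                TRUSTED_LYNXCGI:none) policy=restricted ;;
                TRUSTED_LYNXCGI:*) [ "$policy" = restricted ] || policy=allowlist ;;
            esac
        done < "$cfg"
    done
    printf '%s\n' "$policy"
}

# Constructed sample configurations (not real system files); prints their directory.
make_sample_cfgs() {
    dir=$(mktemp -d)
    printf '%s\n' '# stock config: nothing said about lynxcgi' \
        'STARTFILE:http://example.invalid/' > "$dir/default.cfg"
    printf '%s\n' '# workaround present but commented out, so inactive' \
        '#TRUSTED_LYNXCGI:none' > "$dir/commented.cfg"
    printf '%s\n' '# assumed allow-rule form; only "none" appears in the bug' \
        'TRUSTED_LYNXCGI:/usr/lib/cgi-bin/trusted.cgi' > "$dir/allow.cfg"
    printf '%s\n' '   TRUSTED_LYNXCGI:none   ' > "$dir/site.cfg"
    printf '%s\n' "$dir"
}

samples=$(make_sample_cfgs)
printf 'default.cfg alone:      %s\n' "$(lynxcgi_policy "$samples/default.cfg")"
printf 'commented.cfg alone:    %s\n' "$(lynxcgi_policy "$samples/commented.cfg")"
printf 'allow.cfg alone:        %s\n' "$(lynxcgi_policy "$samples/allow.cfg")"
printf 'default.cfg + site.cfg: %s\n' "$(lynxcgi_policy "$samples/default.cfg" "$samples/site.cfg")"
rm -rf "$samples"
```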
Comment 7 Tomas Hoger 2008-10-27 03:40:59 EDT
Created attachment 321584 [details]
Possible patch

Patch with both changes mentioned in comment #1.
Comment 9 Fedora Update System 2008-11-10 07:01:23 EST
lynx-2.8.6-18.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/lynx-2.8.6-18.fc10
Comment 10 Fedora Update System 2008-11-10 07:28:16 EST
lynx-2.8.6-17.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/lynx-2.8.6-17.fc9
Comment 11 Fedora Update System 2008-11-10 07:30:05 EST
lynx-2.8.6-12.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/lynx-2.8.6-12.fc8
Comment 12 Fedora Update System 2008-12-02 20:19:09 EST
lynx-2.8.6-18.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2008-12-02 20:19:15 EST
lynx-2.8.6-17.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2008-12-02 20:24:53 EST
lynx-2.8.6-12.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
