Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4690 to the following vulnerability: lynx 2.8.6dev.15 and earlier, when advanced mode is enabled and lynx is configured as a URL handler, allows remote attackers to execute arbitrary commands via a crafted lynxcgi: URL, a related issue to CVE-2005-2929. NOTE: this might only be a vulnerability in limited deployments that have defined a lynxcgi: handler. Affected Lynx versions: 2.8.6dev.15 and earlier References: http://www.openwall.com/lists/oss-security/2008/10/09/2
The versions of Lynx currently shipped in Red Hat Enterprise Linux 2.1, 3, 4 and 5, and Fedora 8 and 9 have original patch for CVE-2005-2929 applied. Their current behaviour is that whenever lynx is directed to open lynxcgi: URL and user has configured Novice (default) or Intermediate user mode (i.e. not Advanced), user is prompted whether command specified by the lynxcgi: URL should be executed or not. In the Advanced user mode, command is executed without user request. There seem to be two changes we can do: - set "TRUSTED_LYNXCGI:none" in the /etc/lynx.cfg file - with TRUSTED_LYNXCGI set, user in Novice or Intermediate mode will only be prompted for commands allowed by this directive, all other commands will be rejected automatically - modify original CVE-2005-2929 patch to prompt user even in the Advanced mode - i.e. remove "if (user_mode < ADVANCED_MODE)" check from can_exec_cgi I'm starting to lean towards applying both of these changes...
Suggested workaround that lynx users can apply on their systems before updates are released / installed: Add "TRUSTED_LYNXCGI:none" line to the /etc/lynx-site.cfg configuration file, or temporarily switch to Novice or Intermediate user mode.
Created attachment 321584 [details] Possible patch Patch with both changes mentioned in the comment #1.
lynx-2.8.6-18.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/lynx-2.8.6-18.fc10
lynx-2.8.6-17.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/lynx-2.8.6-17.fc9
lynx-2.8.6-12.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/lynx-2.8.6-12.fc8
lynx-2.8.6-18.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
lynx-2.8.6-17.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
lynx-2.8.6-12.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0965.html Fedora: https://admin.fedoraproject.org/updates/F10/FEDORA-2008-9952 https://admin.fedoraproject.org/updates/F8/FEDORA-2008-9597 https://admin.fedoraproject.org/updates/F9/FEDORA-2008-9550