-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT* Vendor-Initiated Bulletin VB-97.06
July 15, 1997

Topic:   Vulnerability in Lynx Downloading
Source:  Jim Spath

To aid in the wide distribution of essential security information, the CERT
Coordination Center is forwarding the following information from Jim Spath,
who coordinated this bulletin with several members of the lynx-dev mailing
list. They urge you to act on this information as soon as possible. Contact
information is included in the forwarded text below; please contact them if
you have any questions or need further information.

Questions about the bulletin only can be sent to Jim Spath
<jspath@mail.bcpl.lib.md.us>; questions about Lynx can be sent to
<lynx-dev@sig.net>.


=======================FORWARDED TEXT STARTS HERE============================

I. Description

Lynx, on Un*x systems, may be coerced to read or execute arbitrary
files on the local system regardless of restrictions set by the
system administrator.

Installed versions of Lynx up to and including version 2.7.1 on Unix
or Unix-like operating systems are vulnerable.


II. Impact

A. Captive Lynx installations

   Users of Lynx in a captive situation (where the Lynx user does not
   normally have access to a shell prompt, or to a menu system that allows
   the user to run arbitrary commands) can get access to a shell prompt.
   This includes public Lynxes as well as any setup where the user
   is restricted as to which programs can be run.

B. All Lynx installations

   This vulnerability could also conceivably allow malicious webmasters to
   add these carefully crafted URLs to their pages to cause unsuspecting
   Lynx users (in captive accounts or otherwise) to execute arbitrary commands.

   This vulnerability can be exploited by anyone who can provide Lynx a
   carefully crafted URL.

III. Workaround

If administrators of captive Lynxes cannot apply the code patches or
obtain updated binaries as described below, they are advised to disable
(g)oto on Lynx.

There is currently no workaround for impact "B" above.  The code patches
below must be applied (or updated binaries obtained) to eliminate
this impact.


IV. Solution

Current developmental releases of Lynx have fixed this problem since
1997-06-26.  Patches you may find from before that date may not
entirely eliminate the vulnerability.

The most recent stable version of Lynx (version 2.7.1) can be
patched to fix this problem by replacing the file "lynx2-7-1/src/LYDownload.c"
with a replacement file.

The replacement file to eliminate this vulnerability in version
2.7.1 is available (courtesy of Foteos Macrides) at:
     http://www.slcc.edu/lynx/fote/patches/lynx2-7-1/src/LYDownload.c

All systems running Lynx versions 2.7.1 or earlier should be
updated to fix this problem.

Two development branches of the Lynx source code are available at:
     http://www.slcc.edu/lynx/fote/patches/
     http://www.slcc.edu/lynx/current/

Binary distributions of Lynx may be found at:
     http://www.crl.com/~subir/lynx/binaries.html

Note that producing binaries is a volunteer job and the latest (or any)
version may not be available for a specific platform.


V. Contact information

If you believe you have found a security problem with the current
version of Lynx, we urge you to forward it to the LYNX-DEV
mailing list at <lynx-dev@sig.net>.

The LYNX-DEV mailing list (with further information about this
vulnerability) is archived at:
     http://www.flora.org/lynx-dev/

Lynx security information is available at:
     http://www.crl.com/~subir/lynx/security.html

General information about Lynx is available at:
     http://lynx.browser.org/

On-line help and documentation about Lynx is available using the
(h)elp command. More help is available in the source distribution.
Should your questions not be answered by these means, further
questions may be directed to <help@lynx.browser.org>.

Please don't contact Lynx developers personally about Lynx-related
issues; please use either the mailing list or the "help" addresses
given above.

========================FORWARDED TEXT ENDS HERE=============================

The CERT Coordination Center staff thanks Aaron of Internet Maine for calling
our attention to the problem and thanks Jim Spath and his lynx-dev colleagues
for their cooperation in developing this bulletin.

- ----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (FIRST). See http://www.first.org/team-info/.

We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact
the CERT staff for more information.

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key


CERT Contact Information
- ------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

CERT publications, information about FIRST representatives, and other
security-related information are available from
        http://www.cert.org/
        ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request@cert.org
In the subject line, type
        SUBSCRIBE  your-email-address



* Registered U.S. Patent and Trademark Office.

The CERT Coordination Center is part of the Software Engineering
Institute (SEI). The SEI is sponsored by the U. S. Department of Defense.


This file: ftp://info.cert.org/pub/cert_bulletins/VB-97.06.lynx

Last revised July 17, 1997 - added acknowledgements

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM85rRHVP+x0t4w7BAQEkqwQAsmKlGUHTIHue3gkF1WJvN30wmXBRRASY
92zd5FYgA3KrONFfH4NIIZbNvet0kKyPINTQQvleYMw6n4zYxQ13iYzQ9dGgSu4U
rJkSkXhlJm6eELeTW4Q3L9L0aEQ6t8JfyIb6VgN5ehla6f4LqwW8NTN6Jnx1ZkdP
TG+6lWtTaQw=
=odkz
-----END PGP SIGNATURE-----