SA-1997.12.txt
a6529b83f3db11be920f8d4110d64a72d032786614de8a77ed2f03af6af66cf5
-----BEGIN PGP SIGNED MESSAGE-----
Subject: Caldera Security Advisory SA-1997.12: Vulnerabilities in Lynx
Caldera Security Advisory SA-1997.12
Original report date: 15-Jul-1997
RPM build date: 29-Jul-1997
Original issue date: 06-Aug-1997
Topic: Vulnerabilities in Lynx
Note: two vulnerabilities are addressed in this advisory.
I. Problem Description
Problem 1:
Lynx typically stores persistent temporary files in /tmp on Un*x
systems. The filenames Lynx chooses can be predicted, and another
user on the system may be able to exploit a race condition to replace
the temporary file with a symbolic link or with another file.
Installed versions of Lynx where a directory writable by other users
(such as /tmp on a machine to which multiple users have access) is used
to store files during download are vulnerable. This vulnerability can
only be exploited by a user with access to an account on the machine
running Lynx.
Problem 2:
Lynx, on Un*x systems, may be coerced to read or execute arbitrary
files on the local system regardless of restrictions set by the
system administrator.
Installed versions of Lynx up to and including version 2.7.1 on Unix
or Unix-like operating systems are vulnerable.
II. Impact
Problem 1:
A malicious user with access to the same machine as other Lynx users
may be able to cause another user's Lynx process to overwrite another
file. It may also be possible to replace the contents of a downloaded
file with a file other than the one the user downloaded, or to cause
the user to print a file other than the one selected for printing.
Problem 2:
A. Captive Lynx installations
Users of Lynx in a captive situation (where the Lynx user does not
normally have access to a shell prompt, or to a menu system that allows
the user to run arbitrary commands) can get access to a shell prompt.
This includes public Lynxes as well as any setup where the user
is restricted as to which programs can be run.
B. All Lynx installations
This vulnerability could also conceivably allow malicious
webmasters to add these carefully crafted URLs to their pages to
cause unsuspecting Lynx users (in captive accounts or otherwise)
to execute arbitrary commands.
This vulnerability can be exploited by anyone who can provide
Lynx a carefully crafted URL.
This problem was present on the following OpenLinux releases:
CND 1.0
Base 1.0
Lite 1.1
Base 1.1
Standard 1.1
To determine if you are effected and need this update you may do
the following:
rpm -q lynx
If the results show a release earlier than lynx-2.7.1-4, you
should upgrade.
III. Solution
Install the new lynx-2.7.1-4.i386.rpm package that contains
the fixed version of lynx. It is located on Caldera's
FTP server (ftp.caldera.com):
/pub/openlinux/updates/1.1/current/RPMS/lynx-2.7.1-4.i386.rpm
Source files are also available at:
/pub/openlinux/updates/1.1/current/SRPMS/lynx-2.7.1-4.src.rpm
The MD5 checksums (from the "md5sum" command) for these
packages are:
f01a6209a99573216e810f7f507e296b lynx-2.7.1-4.i386.rpm
6e3a1293679518d2e127399c9ea3f6ee lynx-2.7.1-4.src.rpm
Install the new version of lynx in the following manner:
rpm -e lynx
rpm -i lynx-2.7.1-4.i386.rpm
CND will need to upgrade to a newer version of the RPM tool to
install this package. See:
ftp://ftp.caldera.com/pub/cnd-1.0/updates/rpm-upgrade.README
IV. References / Credits
This and other Caldera security resources are located at:
http://www.caldera.com/tech-ref/security/
CERT Vendor-Initiated Bulletin VB-97.05 - Vul in Lynx Temporary Files
ftp://info.cert.org/pub/cert_advisories/cert_bulletins/VB-97.05.lynx
CERT Vendor-Initiated Bulletin VB-97.06 - Vul in Lynx Downloading
ftp://info.cert.org/pub/cert_advisories/cert_bulletins/VB-97.06.lynx
The LYNX-DEV mailing list (with further information about this
vulnerability) is archived at:
http://www.flora.org/lynx-dev/
http://www.flora.org/lynx-dev/html/month0697/msg00234.html
Lynx security information is available at:
http://www.crl.com/~subir/lynx/security.html
General information about Lynx is available at:
http://lynx.browser.org/
This advisory closes Caldera's internal bug reports #702 and #849.
V. PGP Signature
This message was signed with the PGP key for <security@caldera.com>.
This key can be obtained from:
ftp://ftp.caldera.com/pub/pgp-keys/
Or on an OpenLinux CDROM under:
/OpenLinux/pgp-keys/
$Id: SA-1997.12,v 1.1 1997/08/06 20:13:54 ron Exp ron $
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv
iQCVAwUBM+jbVOn+9R4958LpAQF9LAP/SoISu5hZOvaRrDHr6jMCTg8ghe44LKkc
1BO2sRl4gnowvri7e5emntp1dbTCcZJB64LJDChcbyV1F98J2+WK4j79il53VBj8
28lKcAJToEmTklh9Og5BH1GdW9wDMFzQyJcGJqfv7uuh+RgB85c3pYUY9+zhD+Zz
1EpwHnG4oHU=
=+9uO
-----END PGP SIGNATURE-----