SA-1997.12.txt
Posted Sep 23, 1999

SHA-256 | a6529b83f3db11be920f8d4110d64a72d032786614de8a77ed2f03af6af66cf5

-----BEGIN PGP SIGNED MESSAGE-----

Subject: Caldera Security Advisory SA-1997.12: Vulnerabilities in Lynx

Caldera Security Advisory SA-1997.12

Original report date: 15-Jul-1997
RPM build date: 29-Jul-1997
Original issue date: 06-Aug-1997

Topic: Vulnerabilities in Lynx

Note: two vulnerabilities are addressed in this advisory.

I. Problem Description

Problem 1:
Lynx typically stores persistent temporary files in /tmp on Un*x
systems. The filenames Lynx chooses can be predicted, and another
user on the system may be able to exploit a race condition to replace
the temporary file with a symbolic link or with another file.

Installed versions of Lynx where a directory writable by other users
(such as /tmp on a machine to which multiple users have access) is used
to store files during download are vulnerable. This vulnerability can
only be exploited by a user with access to an account on the machine
running Lynx.
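The race described above is the reason temporary files must be created with an unpredictable name and an exclusive open. The following Python example is added here and is not Lynx code or Caldera's: it contrasts a PID-derived name opened with a plain open() against an O_CREAT|O_EXCL|O_NOFOLLOW open and against mkstemp(), entirely inside a private directory the script creates itself. The PID value, the file names and the "victim" file are constructed for the demonstration.

```python
"""Safe creation of a temporary download file versus the predictable /tmp
name the advisory describes.  Added example, not Lynx code; the victim file
and the pre-existing symlink are constructed inside a private directory
purely to show which open() call refuses to follow the link."""
import os
import tempfile

O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)   # not defined on every platform


def predictable_temp_path(tmpdir, pid):
    """A name derived only from the PID is guessable by any local user."""
    return os.path.join(tmpdir, f"L{pid}.tmp")


def open_predictable(path, data):
    """Weak pattern: open(path, 'w') creates or truncates whatever the path
    currently resolves to, following a symlink placed there beforehand."""
    with open(path, "w") as fh:
        fh.write(data)


def open_exclusive(path, data):
    """Hardened pattern: O_CREAT|O_EXCL fails if anything already exists at
    the path (a symlink included), O_NOFOLLOW refuses to traverse a link,
    and mode 0600 keeps other users from reading the download in flight."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def create_download_file(tmpdir, data):
    """Preferred approach: mkstemp picks an unpredictable name and creates it
    with O_EXCL in one step; the path actually used is returned."""
    fd, path = tempfile.mkstemp(prefix="lynx-", dir=tmpdir)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def demo():
    """Run all three patterns in a fresh private directory and report what
    happened; nothing outside that directory is touched."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")
        with open(victim, "w") as fh:
            fh.write("original")
        guessable = predictable_temp_path(d, 12345)   # constructed PID
        os.symlink(victim, guessable)                 # link already sitting at the guessable name
        open_predictable(guessable, "clobbered")
        with open(victim) as fh:
            weak_result = fh.read()
        refused = False
        try:
            open_exclusive(guessable, "clobbered again")
        except FileExistsError:                       # O_EXCL sees the existing entry
            refused = True
        safe_path = create_download_file(d, "download body")
        with open(victim) as fh:
            victim_after_safe = fh.read()
        return {
            "weak_open_overwrote_victim": weak_result == "clobbered",
            "exclusive_open_refused": refused,
            "safe_file_is_regular": os.path.isfile(safe_path) and not os.path.islink(safe_path),
            "victim_untouched_by_safe_open": victim_after_safe == weak_result,
        }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The exclusive open is the check that matters: once the directory is shared, the only reliable defence is to refuse any path that already exists rather than to guess whether it is the file you created a moment ago.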

Problem 2:
Lynx, on Un*x systems, may be coerced to read or execute arbitrary
files on the local system regardless of restrictions set by the
system administrator.

Installed versions of Lynx up to and including version 2.7.1 on Unix
or Unix-like operating systems are vulnerable.


II. Impact

Problem 1:
A malicious user with access to the same machine as other Lynx users
may be able to cause another user's Lynx process to overwrite another
file. It may also be possible to replace the contents of a downloaded
file with a file other than the one the user downloaded, or to cause
the user to print a file other than the one selected for printing.

Problem 2:
A. Captive Lynx installations

Users of Lynx in a captive situation (where the Lynx user does not
normally have access to a shell prompt, or to a menu system that allows
the user to run arbitrary commands) can get access to a shell prompt.
This includes public Lynxes as well as any setup where the user
is restricted as to which programs can be run.

B. All Lynx installations

This vulnerability could also conceivably allow malicious
webmasters to add these carefully crafted URLs to their pages to
cause unsuspecting Lynx users (in captive accounts or otherwise)
to execute arbitrary commands.

This vulnerability can be exploited by anyone who can provide
Lynx a carefully crafted URL.

This problem was present on the following OpenLinux releases:
CND 1.0
Base 1.0
Lite 1.1
Base 1.1
Standard 1.1
To determine if you are affected and need this update, run:
rpm -q lynx
If the result shows a release earlier than lynx-2.7.1-4, you
should upgrade.
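The check above compares the installed package against lynx-2.7.1-4. As an added example (not part of the advisory or of rpm itself), the following Python script runs rpm -q lynx and decides whether the result predates the fixed build, using a simplified re-implementation of rpm's rpmvercmp segment ordering so that a release such as 10 is correctly judged newer than 4 where a plain string compare would not be. The package strings used for illustration and the arch-less name-version-release output format are assumptions.

```python
"""Decide whether an installed Lynx RPM predates the fixed build named in the
advisory (lynx-2.7.1-4).  Added example; the comparison is a simplified
re-implementation of rpm's rpmvercmp() (tilde/caret rules omitted) and the
package strings used for illustration are constructed."""
import re
import subprocess

FIXED_NVR = "lynx-2.7.1-4"          # the fixed build from the advisory


def split_nvr(nvr):
    """Split 'name-version-release' into its parts; rsplit keeps names that
    themselves contain '-' intact.  Assumes the old arch-less rpm -q format."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def _segments(s):
    """Runs of digits and runs of letters; separators are ignored."""
    return re.findall(r"[0-9]+|[a-zA-Z]+", s)


def rpmvercmp(a, b):
    """-1, 0 or 1 like rpm: segments compared numerically when both are digit
    runs, lexically when both are letter runs; a numeric segment outranks an
    alphabetic one; when all shared segments tie, more segments wins."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_vr(nvr_a, nvr_b):
    """Order two package strings by version first, then by release."""
    _, va, ra = split_nvr(nvr_a)
    _, vb, rb = split_nvr(nvr_b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_vulnerable(installed_nvr, fixed_nvr=FIXED_NVR):
    """True when the installed package is older than the fixed build."""
    return compare_vr(installed_nvr, fixed_nvr) < 0


def query_installed(package="lynx"):
    """Run the advisory's check, rpm -q <package>, and return the first NVR
    line, or None if rpm is absent or the package is not installed."""
    try:
        out = subprocess.run(["rpm", "-q", package], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    if out.returncode != 0:
        return None
    return out.stdout.strip().splitlines()[0]


if __name__ == "__main__":
    nvr = query_installed()
    if nvr is None:
        print("lynx is not installed (or rpm is unavailable)")
    elif is_vulnerable(nvr):
        print(f"{nvr} predates {FIXED_NVR}: upgrade")
    else:
        print(f"{nvr} is at or beyond {FIXED_NVR}")
```

Comparing by segments rather than by string is the point of the example: "2.7.1-10" sorts after "2.7.1-4", and "2.7-1" sorts before "2.7.1-4" because the shorter version runs out of segments first.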

III. Solution


Install the new lynx-2.7.1-4.i386.rpm package that contains
the fixed version of lynx. It is located on Caldera's
FTP server (ftp.caldera.com):

/pub/openlinux/updates/1.1/current/RPMS/lynx-2.7.1-4.i386.rpm

Source files are also available at:

/pub/openlinux/updates/1.1/current/SRPMS/lynx-2.7.1-4.src.rpm

The MD5 checksums (from the "md5sum" command) for these
packages are:

f01a6209a99573216e810f7f507e296b lynx-2.7.1-4.i386.rpm
6e3a1293679518d2e127399c9ea3f6ee lynx-2.7.1-4.src.rpm

Install the new version of lynx in the following manner:

rpm -e lynx
rpm -i lynx-2.7.1-4.i386.rpm

CND will need to upgrade to a newer version of the RPM tool to
install this package. See:

ftp://ftp.caldera.com/pub/cnd-1.0/updates/rpm-upgrade.README

IV. References / Credits

This and other Caldera security resources are located at:

http://www.caldera.com/tech-ref/security/

CERT Vendor-Initiated Bulletin VB-97.05 - Vul in Lynx Temporary Files
ftp://info.cert.org/pub/cert_advisories/cert_bulletins/VB-97.05.lynx
CERT Vendor-Initiated Bulletin VB-97.06 - Vul in Lynx Downloading
ftp://info.cert.org/pub/cert_advisories/cert_bulletins/VB-97.06.lynx

The LYNX-DEV mailing list (with further information about this
vulnerability) is archived at:

http://www.flora.org/lynx-dev/
http://www.flora.org/lynx-dev/html/month0697/msg00234.html

Lynx security information is available at:
http://www.crl.com/~subir/lynx/security.html

General information about Lynx is available at:
http://lynx.browser.org/

This advisory closes Caldera's internal bug reports #702 and #849.

V. PGP Signature

This message was signed with the PGP key for <security@caldera.com>.

This key can be obtained from:
ftp://ftp.caldera.com/pub/pgp-keys/

Or on an OpenLinux CDROM under:
/OpenLinux/pgp-keys/

$Id: SA-1997.12,v 1.1 1997/08/06 20:13:54 ron Exp ron $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBM+jbVOn+9R4958LpAQF9LAP/SoISu5hZOvaRrDHr6jMCTg8ghe44LKkc
1BO2sRl4gnowvri7e5emntp1dbTCcZJB64LJDChcbyV1F98J2+WK4j79il53VBj8
28lKcAJToEmTklh9Og5BH1GdW9wDMFzQyJcGJqfv7uuh+RgB85c3pYUY9+zhD+Zz
1EpwHnG4oHU=
=+9uO
-----END PGP SIGNATURE-----