Gentoo Linux Security Advisory GLSA 200909-15 - An incomplete fix for an issue related to the Lynx URL handler might allow for the remote execution of arbitrary commands. Clint Ruoho reported that the fix for CVE-2005-2929 (GLSA 200511-09) disabled the lynxcgi:// handler only when advanced mode was not in use. Versions earlier than 2.8.6-r4 are affected.
02bc04e4d8cec2c90bdae6e8c11d3a1946370660f56aa9c92e266e97300b5684
iDEFENSE Security Advisory 11.11.05 - Remote exploitation of a command injection vulnerability in various vendors' implementations of Lynx could allow attackers to execute arbitrary commands with the privileges of the underlying user. The problem specifically exists within the feature to execute local cgi-bin programs via the lynxcgi: URI handler. The handler is generally intended to be restricted to a specific directory or program(s). However, due to a configuration error on multiple platforms, the default settings allow for arbitrary websites to specify commands to run as the user running Lynx. iDEFENSE has confirmed the existence of this vulnerability in the latest stable release of Lynx, version 2.8.5. It is suspected that earlier versions are also affected.
b4e1e54bc83530521503bfe91f4bca692869b0c1e30589c117f27fa98dc41e55