-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDKSA-2005:186-1 http://www.mandriva.com/security/ _______________________________________________________________________ Package : lynx Date : October 26, 2005 Affected: 10.1, 10.2, 2006.0, Corporate 2.1, Corporate 3.0, Multi Network Firewall 2.0 _______________________________________________________________________ Problem Description: Ulf Harnhammar discovered a remote buffer overflow in lynx versions 2.8.2 through 2.8.5. When Lynx connects to an NNTP server to fetch information about the available articles in a newsgroup, it will call a function called HTrjis() with the information from certain article headers. The function adds missing ESC characters to certain data, to support Asian character sets. However, it does not check if it writes outside of the char array buf, and that causes a remote stack-based buffer overflow, with full control over EIP, EBX, EBP, ESI and EDI. Two attack vectors to make a victim visit a URL to a dangerous news server are: (a) *redirecting scripts*, where the victim visits some web page and it redirects automatically to a malicious URL, and (b) *links in web pages*, where the victim visits some web page and selects a link on the page to a malicious URL. Attack vector (b) is helped by the fact that Lynx does not automatically display where links lead to, unlike many graphical web browsers. The updated packages have been patched to address this issue. Update: The previous patchset had a bug in the patches themselves, which was uncovered by Klaus Singvogel of Novell/SUSE in auditing crashes on some architectures. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3120 _______________________________________________________________________ Updated Packages: Corporate Server 2.1: 8f85c354b06417711e13abe45dcbf0d8 corporate/2.1/RPMS/lynx-2.8.5-0.10.3.C21mdk.dev.8.i586.rpm 74becbc3b1be96908c069180e36ff3b2 corporate/2.1/SRPMS/lynx-2.8.5-0.10.3.C21mdk.dev.8.src.rpm Corporate Server 2.1/X86_64: 0a4e7145d0920dde82734f8036c50baa x86_64/corporate/2.1/RPMS/lynx-2.8.5-0.10.3.C21mdk.dev.8.x86_64.rpm 74becbc3b1be96908c069180e36ff3b2 x86_64/corporate/2.1/SRPMS/lynx-2.8.5-0.10.3.C21mdk.dev.8.src.rpm Mandriva Linux 10.1: 80e0addf6efd297866bba33f4b8070b6 10.1/RPMS/lynx-2.8.5-1.2.101mdk.i586.rpm 13e5e506a05b448426d639d5e88a8896 10.1/SRPMS/lynx-2.8.5-1.2.101mdk.src.rpm Mandriva Linux 10.1/X86_64: db1f977046a8e8abd7d45d7345fde701 x86_64/10.1/RPMS/lynx-2.8.5-1.2.101mdk.x86_64.rpm 13e5e506a05b448426d639d5e88a8896 x86_64/10.1/SRPMS/lynx-2.8.5-1.2.101mdk.src.rpm Corporate 3.0: a8ab3968700c864e01df9c74ccb017ca corporate/3.0/RPMS/lynx-2.8.5-1.2.C30mdk.i586.rpm 221f02f4e097a52c261bb6b3bfc2bbab corporate/3.0/SRPMS/lynx-2.8.5-1.2.C30mdk.src.rpm Corporate 3.0/X86_64: af94e8d31c6a756137dd04351ad61f08 x86_64/corporate/3.0/RPMS/lynx-2.8.5-1.2.C30mdk.x86_64.rpm 221f02f4e097a52c261bb6b3bfc2bbab x86_64/corporate/3.0/SRPMS/lynx-2.8.5-1.2.C30mdk.src.rpm Multi Network Firewall 2.0: 6f0684f762fa2ac999d7ef2517525152 mnf/2.0/RPMS/lynx-2.8.5-1.2.M20mdk.i586.rpm 13cad2c8ec6a61159e5b580758dad58b mnf/2.0/SRPMS/lynx-2.8.5-1.2.M20mdk.src.rpm Mandriva Linux 10.2: d8007bd3e271f0f602babf443d9d2304 10.2/RPMS/lynx-2.8.5-1.2.102mdk.i586.rpm 60109bc6dc9630175c87dd66c23a8e05 10.2/SRPMS/lynx-2.8.5-1.2.102mdk.src.rpm Mandriva Linux 10.2/X86_64: 9ceb656aac6be9eb6af021a2bfd661a6 x86_64/10.2/RPMS/lynx-2.8.5-1.2.102mdk.x86_64.rpm 60109bc6dc9630175c87dd66c23a8e05 x86_64/10.2/SRPMS/lynx-2.8.5-1.2.102mdk.src.rpm Mandriva Linux 2006.0: f7887db43f04613eef47a56fd175a1cb 2006.0/RPMS/lynx-2.8.5-4.2.20060mdk.i586.rpm b121d10b5f27c29b8096c64c6c4416bb 2006.0/SRPMS/lynx-2.8.5-4.2.20060mdk.src.rpm Mandriva Linux 2006.0/X86_64: 55cbe960a042601656919aa944602de2 x86_64/2006.0/RPMS/lynx-2.8.5-4.2.20060mdk.x86_64.rpm b121d10b5f27c29b8096c64c6c4416bb x86_64/2006.0/SRPMS/lynx-2.8.5-4.2.20060mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFDX/UmmqjQ0CJFipgRAiGWAJ9b6TiacajkwntF9TP8/BIsnGjvMwCgpC+F kgnO6Okdn8A00QbVdbmB0a4= =W6E5 -----END PGP SIGNATURE-----