Support / Security / Advisories / Corporate Server 2.1 / MDKSA-2005:186

Package name: lynx
Date: 2005-10-17
Advisory ID: MDKSA-2005:186
Affected versions: MNF2.0 i586 , 2006.0 i586 , CS2.1 i586 , 10.2 i586 , 10.1 i586 , CS2.1 x86_64 , CS3.0 x86_64 , CS3.0 i586 , 10.2 x86_64 , 2006.0 x86_64 , 10.1 x86_64

Problem description

Ulf Harnhammar discovered a remote buffer overflow in lynx versions 2.8.2 through 2.8.5. When Lynx connects to an NNTP server to fetch information about the available articles in a newsgroup, it will call a function called HTrjis() with the information from certain article headers. The function adds missing ESC characters to certain data, to support Asian character sets. However, it does not check if it writes outside of the char array buf, and that causes a remote stack-based buffer overflow, with full control over EIP, EBX, EBP, ESI and EDI. Two attack vectors to make a victim visit a URL to a dangerous news server are: (a) *redirecting scripts*, where the victim visits some web page and it redirects automatically to a malicious URL, and (b) *links in web pages*, where the victim visits some web page and selects a link on the page to a malicious URL. Attack vector (b) is helped by the fact that Lynx does not automatically display where links lead to, unlike many graphical web browsers. The updated packages have been patched to address this issue.

Updated packages

MNF2.0 i586

 f43a161be8fb6049d3f2361b5ead799a  mnf/2.0/RPMS/lynx-2.8.5-1.1.M20mdk.i586.rpm
570c3679d4d38e62c21e570ab37f5bfe  mnf/2.0/SRPMS/lynx-2.8.5-1.1.M20mdk.src.rpm

2006.0 i586

 ee92cfae1cce73b8084cf6ad2c6d1381  2006.0/RPMS/lynx-2.8.5-4.1.20060mdk.i586.rpm
a022a76a884e198cf4f331a4d71c7d20  2006.0/SRPMS/lynx-2.8.5-4.1.20060mdk.src.rpm

CS2.1 i586

 b18b5f89f3a8389362a9f67acfb87a2c  corporate/2.1/RPMS/lynx-2.8.5-0.10.2.C21mdk.dev.8.i586.rpm
3d6af86d010f884152fd30f7fdd0bcb9  corporate/2.1/SRPMS/lynx-2.8.5-0.10.2.C21mdk.dev.8.src.rpm

10.2 i586

 e81251fccbdd21bdaebd963e6e2ed1d2  10.2/RPMS/lynx-2.8.5-1.1.102mdk.i586.rpm
6e5cceb1a9bdf36e7f8eab2ecc08799f  10.2/SRPMS/lynx-2.8.5-1.1.102mdk.src.rpm

10.1 i586

 03a47f29118c2291a3bf9a355273560c  10.1/RPMS/lynx-2.8.5-1.1.101mdk.i586.rpm
0e7e4cd9c64861a7d0a284fb6b9be9e3  10.1/SRPMS/lynx-2.8.5-1.1.101mdk.src.rpm

CS2.1 x86_64

 d4e5c0107a09cef8d142ca666d049303  x86_64/corporate/2.1/RPMS/lynx-2.8.5-0.10.2.C21mdk.dev.8.x86_64.rpm
3d6af86d010f884152fd30f7fdd0bcb9  x86_64/corporate/2.1/SRPMS/lynx-2.8.5-0.10.2.C21mdk.dev.8.src.rpm

CS3.0 x86_64

 5df091387574a783a1a9cae4008f7dcb  x86_64/corporate/3.0/RPMS/lynx-2.8.5-1.1.C30mdk.x86_64.rpm
c456757c4be351906911fc7827ffb348  x86_64/corporate/3.0/SRPMS/lynx-2.8.5-1.1.C30mdk.src.rpm

CS3.0 i586

 970bef84ca43e8855569efad58455c47  corporate/3.0/RPMS/lynx-2.8.5-1.1.C30mdk.i586.rpm
c456757c4be351906911fc7827ffb348  corporate/3.0/SRPMS/lynx-2.8.5-1.1.C30mdk.src.rpm

10.2 x86_64

 411f4dc65bf8c58a55a92cdb3be9ef53  x86_64/10.2/RPMS/lynx-2.8.5-1.1.102mdk.x86_64.rpm
6e5cceb1a9bdf36e7f8eab2ecc08799f  x86_64/10.2/SRPMS/lynx-2.8.5-1.1.102mdk.src.rpm

2006.0 x86_64

 46833e32f2c958d8fb544654efd4ab83  x86_64/2006.0/RPMS/lynx-2.8.5-4.1.20060mdk.x86_64.rpm
a022a76a884e198cf4f331a4d71c7d20  x86_64/2006.0/SRPMS/lynx-2.8.5-4.1.20060mdk.src.rpm

10.1 x86_64

 657c0cd7d9226c5b1f8b57c19e72f657  x86_64/10.1/RPMS/lynx-2.8.5-1.1.101mdk.x86_64.rpm
0e7e4cd9c64861a7d0a284fb6b9be9e3  x86_64/10.1/SRPMS/lynx-2.8.5-1.1.101mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3120