Advisories | Mandriva

Package name	lynx
Date	October 28th, 2008
Advisory ID	MDVSA-2008:217
Affected versions	CS3.0, MNF2.0, CS4.0

Problem Description

A flaw was found in the way Lynx handled .mailcap and .mime.types
configuration files. If these files were present in the current
working directory, they would be loaded prior to similar files in
the user's home directory. This could allow a local attacker to
possibly execute arbitrary code as the user running Lynx, if they
could convince the user to run Lynx in a directory under their control
(CVE-2006-7234).

A vulnerability was found in the Lynxcgi: URI handler that could allow
an attacker to create a web page redirecting to a malicious URL that
would execute arbitrary code as the user running Lynx, if they were
using the non-default Advanced user mode (CVE-2008-4690).

This update corrects these issues and, in addition, makes Lynx always
prompt the user before loading a lynxcgi: URI. As well, the default
lynx.cfg configuration file marks all lynxcgi: URIs as untrusted.

Updated Packages

Corporate Server 3.0

 52caf1fa68f721262582a92b206d37cd  corporate/3.0/i586/lynx-2.8.5-1.4.C30mdk.i586.rpm 
 3c047c7623e2225f8756b0c5bafda34d  corporate/3.0/SRPMS/lynx-2.8.5-1.4.C30mdk.src.rpm

Corporate Server 3.0/X86_64

 5cb50d077a5e7e7e0a013a2587d56c18  corporate/3.0/x86_64/lynx-2.8.5-1.4.C30mdk.x86_64.rpm 
 3c047c7623e2225f8756b0c5bafda34d  corporate/3.0/SRPMS/lynx-2.8.5-1.4.C30mdk.src.rpm

Multi Network Firewall 2.0

 b7f3f30424e5ce4c4592f1ec0ff70e04  mnf/2.0/i586/lynx-2.8.5-1.4.C30mdk.i586.rpm 
 5cabc724908b48f46f7eb039390db4d0  mnf/2.0/SRPMS/lynx-2.8.5-1.4.C30mdk.src.rpm

Corporate Server 4.0

 e1759c02ffc4435cd36344c6e5739a0f  corporate/4.0/i586/lynx-2.8.5-4.4.20060mlcs4.i586.rpm 
 18e40caa595ef9220aef5d988c656ef4  corporate/4.0/SRPMS/lynx-2.8.5-4.4.20060mlcs4.src.rpm

Corporate Server 4.0/X86_64

 4c89dec9780616b58132b4632f81ec38  corporate/4.0/x86_64/lynx-2.8.5-4.4.20060mlcs4.x86_64.rpm 
 18e40caa595ef9220aef5d988c656ef4  corporate/4.0/SRPMS/lynx-2.8.5-4.4.20060mlcs4.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4690
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7234

Upgrade

To upgrade automatically, use MandrivaUpdate.

Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

		rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.