
rpms/lynx/FC-3 lynx-CVE-2005-2929.patch, NONE, 1.1 lynx.spec, 1.21, 1.22



Author: twaugh

Update of /cvs/dist/rpms/lynx/FC-3
In directory cvs.devel.redhat.com:/tmp/cvs-serv15204

Modified Files:
	lynx.spec 
Added Files:
	lynx-CVE-2005-2929.patch 
Log Message:
* Mon Nov 14 2005 Tim Waugh <twaugh redhat com> 2.8.5-18.0.2
- Apply patch to fix CVE-2005-2929 (bug #172973).


lynx-CVE-2005-2929.patch:
 CHANGES         |    7 +++++++
 src/LYCgi.c     |   40 ++++++++++++++++++++++++++++++++++++----
 src/LYGetFile.c |    2 ++
 3 files changed, 45 insertions(+), 4 deletions(-)

--- NEW FILE lynx-CVE-2005-2929.patch ---
--- lynx2-8-5/src/LYCgi.c.CVE-2005-2929	2003-04-28 01:38:00.000000000 +0100
+++ lynx2-8-5/src/LYCgi.c	2005-11-11 18:07:04.000000000 +0000
@@ -140,6 +140,40 @@
     }
 }
 
+#ifdef LYNXCGI_LINKS
+/*
+ * Wrapper for exec_ok(), confirming with user if the link text is not visible
+ * in the status line.
+ */
+static BOOL can_exec_cgi(const char *linktext, const char *linkargs)
+{
+    const char *format = gettext("Do you want to execute \"%s\"?");
+    char *message = NULL;
+    char *command = NULL;
+    char *p;
+    BOOL result = TRUE;
+
+    if (!exec_ok(HTLoadedDocumentURL(), linktext, CGI_PATH)) {
+	/* exec_ok gives out msg. */
+	result = FALSE;
+    } else if (user_mode < ADVANCED_MODE) {
+	StrAllocCopy(command, linktext);
+	if (non_empty(linkargs)) {
+	    HTSprintf(&command, " %s", linkargs);
+	}
+	HTUnEscape(command);
+	for (p = command; *p; ++p)
+	    if (*p == '+')
+		*p = ' ';
+	HTSprintf0(&message, format, command);
+	result = HTConfirm(message);
+	FREE(message);
+	FREE(command);
+    }
+    return result;
+}
+#endif /* LYNXCGI_LINKS */
+
 PRIVATE int LYLoadCGI ARGS4(
 	CONST char *, 		arg,
 	HTParentAnchor *,	anAnchor,
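Review bot: In `can_exec_cgi`, the text handed to `HTConfirm` is built after `HTUnEscape(command)`, so any control bytes that were percent-encoded in the link reach the prompt decoded and unfiltered. Nothing visible in this hunk shows `HTConfirm` sanitising its argument, so that should be confirmed. Because this prompt is the only check a non-advanced user gets before a local program runs, the displayed string should be forced printable, for example by extending the existing loop with `else if (!isprint((unsigned char)*p)) *p = '?';` (non-ASCII display charsets would need separate thought). The `+`-to-space rewrite also runs over the program path, not only the arguments, so a path containing a literal `+` is shown differently from the string passed to `exec_ok`. A very long link text may also push the argument part past the visible prompt width, which is worth checking against how `HTConfirm` truncates.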
@@ -271,8 +305,7 @@
 	       strcmp(arg, HTLoadedDocumentURL()) &&
 	       HText_AreDifferent(anAnchor, arg) &&
 	       HTUnEscape(orig_pgm) &&
-	       !exec_ok(HTLoadedDocumentURL(), orig_pgm,
-			CGI_PATH)) { /* exec_ok gives out msg. */
+	       !can_exec_cgi(orig_pgm, "")) {
 	/*
 	 *  If we have extra path info and are not just reloading
 	 *  the current, check the full file path (after unescaping)
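Review bot: `orig_pgm` is already decoded by `HTUnEscape(orig_pgm)` on the preceding line of this condition, and `can_exec_cgi` then calls `HTUnEscape` again on its copy before building the prompt. A doubly-encoded name is therefore displayed differently from the string that `exec_ok` validated. The confirmation should show exactly what was checked: either skip the second decode for already-decoded input, or document the contract on `can_exec_cgi` with `/* linktext must still be URL-escaped; it is decoded here for display only */` and adjust this call site. Whether `pgm` in the following hunk (at -303) is decoded before its call is not visible here and should be checked the same way. The enclosing `if` starts outside the hunk.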
@@ -303,8 +336,7 @@
 	       !(reloading && anAnchor->document) &&
 	       strcmp(arg, HTLoadedDocumentURL()) &&
 	       HText_AreDifferent(anAnchor, arg) &&
-	       !exec_ok(HTLoadedDocumentURL(), pgm,
-			CGI_PATH)) { /* exec_ok gives out msg. */
+	       !can_exec_cgi(pgm, pgm_args)) {
 	/*
 	 *  If we are reloading a lynxcgi document that had already been
 	 *  loaded, the various checks above should allow it even if
--- lynx2-8-5/src/LYGetFile.c.CVE-2005-2929	2003-06-02 02:16:28.000000000 +0100
+++ lynx2-8-5/src/LYGetFile.c	2005-11-11 18:03:27.000000000 +0000
@@ -1478,6 +1478,8 @@
 	    if (strstr(command,"//") == linktext) {
 		command += 2;
 	    }
+	    CTRACE((tfp, "comparing source\n\t'%s'\n\t'%s'\n", source, tp->src));
+	    CTRACE((tfp, "comparing command\n\t'%s'\n\t'%s'\n", command, tp->path));
 	    if (STRNADDRCOMP(source, tp->src, strlen(tp->src)) == 0 &&
 		STRNADDRCOMP(command, tp->path, strlen(tp->path)) == 0)
 		return TRUE;
--- lynx2-8-5/CHANGES.CVE-2005-2929	2005-11-11 18:02:29.000000000 +0000
+++ lynx2-8-5/CHANGES	2005-11-11 18:08:10.000000000 +0000
@@ -3,6 +3,13 @@
 * eliminate fixed-size buffers in HTrjis() and related functions to avoid
   potential buffer overflow in nntp pages (report by Ulf Harnhammar) -TD
 
+2005-10-30 (2.8.6dev.15)
+* modify LYLoadCGI() to prompt user, displaying the command that would be
+  executed, to confirm that it should be.  This makes it easier to notice when
+  a local program would be run by activating a lynxcgi link.  This is not done
+  in advanced mode, since the URL is already visible in the status line (report
+  by vade79, comments by Greg MacManus) -TD
+
 2003-06-01 (2.8.5dev.16)
 + add zh_CN.po from
   http://www.iro.umontreal.ca/contrib/po/maint/lynx/


Index: lynx.spec
===================================================================
RCS file: /cvs/dist/rpms/lynx/FC-3/lynx.spec,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- lynx.spec	17 Oct 2005 09:51:32 -0000	1.21
+++ lynx.spec	14 Nov 2005 12:32:44 -0000	1.22
@@ -1,7 +1,7 @@
 Summary: A text-based Web browser.
 Name: lynx
 Version: 2.8.5
-Release: 18.0.1
+Release: 18.0.2
 License: GPL
 Group: Applications/Internet
 Source: http://lynx.isc.org/current/lynx2.8.5dev.16.tar.bz2
@@ -12,6 +12,7 @@
 Patch0: lynx-2.8.4-redhat.patch
 Patch2: lynx-284-i18ncfg.patch
 Patch3: lynx-CAN-2005-3120.patch
+Patch4: lynx-CVE-2005-2929.patch
 Requires: indexhtml
 Provides: webclient
 BuildRequires: openssl-devel, pkgconfig, ncurses-devel >= 5.3-5, slang-devel, zlib-devel
@@ -28,6 +29,7 @@
 %patch0 -p1 -b .redhat
 %patch2 -p1 -b .i18ncfg
 %patch3 -p1 -b .CAN-2005-3120
+%patch4 -p1 -b .CVE-2005-2929
 perl -pi -e "s,^HELPFILE:.*,HELPFILE:file://localhost/usr/share/doc/lynx-%{version}/lynx_help/lynx_help_main.html,g" lynx.cfg
 perl -pi -e "s,^DEFAULT_INDEX_FILE:.*,DEFAULT_INDEX_FILE:http://www.google.com/,g"; lynx.cfg
 
@@ -101,6 +103,9 @@
 %lang(sk) %config %{_sysconfdir}/lynx.cfg.sk
 
 %changelog
+* Mon Nov 14 2005 Tim Waugh <twaugh redhat com> 2.8.5-18.0.2
+- Apply patch to fix CVE-2005-2929 (bug #172973).
+
 * Tue Oct 11 2005 Tim Waugh <twaugh redhat com> 2.8.5-18.0.1
 - Apply patch to fix CAN-2005-3120 (bug #170253).
 

