rpms/lynx/F-10 lynx-CVE-2008-4690.patch, NONE, 1.1 lynx.spec, 1.54, 1.55
Jiří Moskovčák
jmoskovc at fedoraproject.org
Mon Nov 10 11:51:10 UTC 2008
Author: jmoskovc
Update of /cvs/extras/rpms/lynx/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv7447
Modified Files:
lynx.spec
Added Files:
lynx-CVE-2008-4690.patch
Log Message:
CVE-2008-4690 lynx: remote arbitrary command execution via a crafted lynxcgi: URL
lynx-CVE-2008-4690.patch:
--- NEW FILE lynx-CVE-2008-4690.patch ---
--- lynx2-8-6/CHANGES.old 2008-11-06 15:29:26.000000000 +0100
+++ lynx2-8-6/CHANGES 2008-11-06 15:32:44.000000000 +0100
@@ -1,5 +1,11 @@
Changes since Lynx 2.8 release
===============================================================================
+2008-10-26
+* modify patch for CVE-2005-2929 to prompt user before executing command via
+ a lynxcgi link even in advanced mode, as the actual URL may not be shown but
+ hidden behind an HTTP redirect
+* set TRUSTED_LYNXCGI:none in lynx.cfg to disable all lynxcgi URLs by default
+ [CVE-2008-4690]
2007-05-09 (2.8.6rel.5 fix from 2.8.7dev.5)
* correct loop-limit in print_crawl_to_fd(), which broke
--- lynx2-8-6/src/LYCgi.c.old 2008-11-06 15:29:58.000000000 +0100
+++ lynx2-8-6/src/LYCgi.c 2008-11-06 15:30:53.000000000 +0100
@@ -165,7 +165,7 @@ static BOOL can_exec_cgi(const char *lin
if (!exec_ok(HTLoadedDocumentURL(), linktext, CGI_PATH)) {
/* exec_ok gives out msg. */
result = FALSE;
- } else if (user_mode < ADVANCED_MODE) {
+ } else {
StrAllocCopy(command, linktext);
if (non_empty(linkargs)) {
HTSprintf(&command, " %s", linkargs);
--- lynx2-8-5.orig/lynx.cfg 2008-10-26 21:45:02.000000000 +0100
+++ lynx2-8-5/lynx.cfg 2008-10-26 21:45:38.000000000 +0100
@@ -997,7 +997,7 @@ CHARACTER_SET:utf-8
# ====
# Do not define this.
#
-#TRUSTED_LYNXCGI:none
+TRUSTED_LYNXCGI:none
.h2 LYNXCGI_ENVIRONMENT
Index: lynx.spec
===================================================================
RCS file: /cvs/extras/rpms/lynx/F-10/lynx.spec,v
retrieving revision 1.54
retrieving revision 1.55
diff -u -r1.54 -r1.55
--- lynx.spec 7 Aug 2008 18:03:24 -0000 1.54
+++ lynx.spec 10 Nov 2008 11:50:40 -0000 1.55
@@ -1,7 +1,7 @@
Summary: A text-based Web browser
Name: lynx
Version: 2.8.6
-Release: 17%{?dist}
+Release: 18%{?dist}
License: GPLv2
Group: Applications/Internet
Source: http://lynx.isc.org/current/lynx%{version}.tar.bz2
@@ -13,6 +13,7 @@
Patch4: lynx-2.8.6-fmt_string.patch
Patch5: lynx-build-fixes.patch
Patch6: lynx-more-build-fixes.patch
+Patch7: lynx-CVE-2008-4690.patch
Requires: indexhtml
Provides: webclient
Provides: text-www-browser
@@ -35,6 +36,7 @@
%patch4 -p1 -b .fmt_string
%patch5 -p1 -b .build-fixes
%patch6 -p1 -b .more-build-fixes
+%patch7 -p1 -b .CVE-2008-4690
perl -pi -e "s,^HELPFILE:.*,HELPFILE:file://localhost/usr/share/doc/lynx-%{version}/lynx_help/lynx_help_main.html,g" lynx.cfg
perl -pi -e "s,^DEFAULT_INDEX_FILE:.*,DEFAULT_INDEX_FILE:http://www.google.com/,g" lynx.cfg
perl -pi -e 's,^#LOCALE_CHARSET:.*,LOCALE_CHARSET:TRUE,' lynx.cfg
@@ -106,6 +108,10 @@
%config(noreplace,missingok) %{_sysconfdir}/lynx-site.cfg
%changelog
+* Fri Nov 7 2008 Jiri Moskovcak <jmoskovc at redhat.com> - 2.8.6-18
+- Fixed CVE-2008-4690 lynx: remote arbitrary command execution.
+ via a crafted lynxcgi: URL (thoger)
+
* Thu Aug 7 2008 Tom "spot" Callaway <tcallawa at redhat.com> - 2.8.6-17
- fix license tag
More information about the fedora-extras-commits
mailing list