rpms/lynx/F-9 lynx-CVE-2008-4690.patch, NONE, 1.1 lynx.spec, 1.55, 1.56
Jiří Moskovčák
jmoskovc at fedoraproject.org
Mon Nov 10 12:18:00 UTC 2008
Author: jmoskovc
Update of /cvs/extras/rpms/lynx/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv10817
Modified Files:
lynx.spec
Added Files:
lynx-CVE-2008-4690.patch
Log Message:
Fixed CVE-2008-4690 lynx: remote arbitrary command execution via a crafted lynxcgi: URL
lynx-CVE-2008-4690.patch:
--- NEW FILE lynx-CVE-2008-4690.patch ---
--- lynx2-8-6/CHANGES.old 2008-11-06 15:29:26.000000000 +0100
+++ lynx2-8-6/CHANGES 2008-11-06 15:32:44.000000000 +0100
@@ -1,5 +1,11 @@
Changes since Lynx 2.8 release
===============================================================================
+2008-10-26
+* modify patch for CVE-2005-2929 to prompt user before executing command via
+ a lynxcgi link even in advanced mode, as the actual URL may not be shown but
+ hidden behind an HTTP redirect
+* set TRUSTED_LYNXCGI:none in lynx.cfg to disable all lynxcgi URLs by default
+ [CVE-2008-4690]
2007-05-09 (2.8.6rel.5 fix from 2.8.7dev.5)
* correct loop-limit in print_crawl_to_fd(), which broke
--- lynx2-8-6/src/LYCgi.c.old 2008-11-06 15:29:58.000000000 +0100
+++ lynx2-8-6/src/LYCgi.c 2008-11-06 15:30:53.000000000 +0100
@@ -165,7 +165,7 @@ static BOOL can_exec_cgi(const char *lin
if (!exec_ok(HTLoadedDocumentURL(), linktext, CGI_PATH)) {
/* exec_ok gives out msg. */
result = FALSE;
- } else if (user_mode < ADVANCED_MODE) {
+ } else {
StrAllocCopy(command, linktext);
if (non_empty(linkargs)) {
HTSprintf(&command, " %s", linkargs);
--- lynx2-8-5.orig/lynx.cfg 2008-10-26 21:45:02.000000000 +0100
+++ lynx2-8-5/lynx.cfg 2008-10-26 21:45:38.000000000 +0100
@@ -997,7 +997,7 @@ CHARACTER_SET:utf-8
# ====
# Do not define this.
#
-#TRUSTED_LYNXCGI:none
+TRUSTED_LYNXCGI:none
.h2 LYNXCGI_ENVIRONMENT
Index: lynx.spec
===================================================================
RCS file: /cvs/extras/rpms/lynx/F-9/lynx.spec,v
retrieving revision 1.55
retrieving revision 1.56
diff -u -r1.55 -r1.56
--- lynx.spec 30 May 2008 10:42:22 -0000 1.55
+++ lynx.spec 10 Nov 2008 12:17:30 -0000 1.56
@@ -1,7 +1,7 @@
Summary: A text-based Web browser
Name: lynx
Version: 2.8.6
-Release: 16%{?dist}
+Release: 17%{?dist}
License: GPL
Group: Applications/Internet
Source: http://lynx.isc.org/current/lynx%{version}.tar.bz2
@@ -13,6 +13,7 @@
Patch4: lynx-2.8.6-fmt_string.patch
Patch5: lynx-build-fixes.patch
Patch6: lynx-more-build-fixes.patch
+Patch7: lynx-CVE-2008-4690.patch
Requires: indexhtml
Provides: webclient
Provides: text-www-browser
@@ -36,6 +37,7 @@
%patch4 -p1 -b .fmt_string
%patch5 -p1 -b .build-fix
%patch6 -p1 -b .build-fix-more
+%patch7 -p1 -b .CVE-2008-4690
perl -pi -e "s,^HELPFILE:.*,HELPFILE:file://localhost/usr/share/doc/lynx-%{version}/lynx_help/lynx_help_main.html,g" lynx.cfg
perl -pi -e "s,^DEFAULT_INDEX_FILE:.*,DEFAULT_INDEX_FILE:http://start.fedoraproject.org/,g" lynx.cfg
perl -pi -e 's,^#LOCALE_CHARSET:.*,LOCALE_CHARSET:TRUE,' lynx.cfg
@@ -111,6 +113,10 @@
%config(noreplace,missingok) %{_sysconfdir}/lynx-site.cfg
%changelog
+* Mon Nov 10 2008 Jiri Moskovcak <jmoskovc at redhat.com> 2.8.6-17
+- Fixed CVE-2008-4690 lynx: remote arbitrary command execution.
+ via a crafted lynxcgi: URL (thoger)
+
* Fri May 30 2008 Jiri Moskovcak <jmoskovc at redhat.com> 2.8.6-16
- updated to latest stable upstream version 2.8.6rel5
More information about the fedora-extras-commits
mailing list