lynx-dev

Re: Draft CERT bulletin (was Re: LYNX-DEV security.html)


From: Matthew Kelly
Subject: Re: Draft CERT bulletin (was Re: LYNX-DEV security.html)
Date: Mon, 7 Jul 1997 19:20:34 -0400 (EDT)

On Mon, 7 Jul 1997, Foteos Macrides wrote:
> "Jim Spath (Webmaster Jim)" <address@hidden> wrote:
> >III. Workaround
> >
> >Sites which are concerned with this problem are advised to change the setting
> >of TEMP_SPACE from the default ("/tmp") to "~" to cause temporary files to
> >be put in the user's home directory. This may cause problems for users with
> >unwriteable home directories (such as captive or public accounts) or users
> >with low quotas. This may be done in two ways:
> >[...]
> >Solution
> >
> >The next release of Lynx will contain a permanent (and complete) fix to this
> >problem.
> 
>       You leave the impression that there presently is no alternative but
> to use home paths, which is problematic for many multi-user systems, and that
> they must otherwise wait for a next release (who knows when that might be???).
> The fotemods code deals with this, and there is Klaus's earlier patch
> available as well.
> 
> 
> >1.  http://www.tryc.on.ca/hypermail/security.11/0004.html
> 
>       Note that this message claims Lynx uses .html in all cases
> for temporary files, which is untrue.  Its warning should be, and
> has been, dealt with, but what it says appears to be based on simply
> looking at tempname() in LYUtils.c, without adequate knowledge or
> understanding of what Lynx actually does with the names it returns.
> Do bear this in mind.
> 
> 
> >Contact
> >
> >If you believe you have found a security problem with Lynx that is not
> >listed here, please forward it to <address@hidden>.
> 
>       I assume address@hidden was set up by Subir so that
> he can answer the repetitive, already well answered questions about security,
> and that he will forward others to lynx-dev.  I'm not keen on changing it
> to lynx-dev unless we get confirmation that it's open again and will stay
> that way.

I agree there are other ways to deal with the problem, and we should try
to make this as painless as possible for people trying to protect their
computers ... (e.g. adding the sticky bit to /tmp is a lot easier, if available)

We definitely shouldn't be giving out an address that isn't open to
non-subscribers as a place to post questions or security info to.  If we
can't keep lynx-dev open, perhaps we have to have another address
(although my preference is to have lynx-dev open and bop any spammers we
come across on the head for their trouble)

-matt
-------------------------------------------------------------------------
Matthew Kelly
address@hidden
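The thread weighs two workarounds for the temporary-file problem: pointing TEMP_SPACE at the user's home directory, or relying on a sticky-bit /tmp. The script below is an added example, written for this archive page and not code from Lynx or from anyone in the thread; it checks the two properties the thread cares about (whether a directory is world-writable and, if so, whether the sticky bit is set) by parsing the mode column of `ls -ld`, so it runs on any POSIX system. The function names (`mode_of`, `dir_world_writable`, `dir_sticky`, `temp_space_ok`, `report`) and the recommendation text are the example's own, and the rule that a home directory must be writable mirrors the "unwriteable home directories" caveat quoted above.

```shell
#!/bin/sh
# Added example, not Lynx code: decide whether a candidate TEMP_SPACE
# directory is acceptable on a multi-user host.  Two properties matter:
# can other users create entries in it at all, and if so, does the sticky
# bit stop them from removing or renaming files they do not own.

mode_of() {
    # Print the 10-character mode string, e.g. "drwxrwxrwt".  Extra
    # characters some ls variants append (+, ., @) are cut away.
    ls -ld "$1" | cut -c1-10
}

dir_world_writable() {
    # 9th character of the mode string is the "other" write bit.
    case "$(mode_of "$1")" in
        ????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

dir_sticky() {
    # 10th character is 't' (sticky + other-execute) or 'T' (sticky only).
    case "$(mode_of "$1")" in
        ?????????[tT]) return 0 ;;
        *) return 1 ;;
    esac
}

# A directory is acceptable as TEMP_SPACE when it is writable by us and
# either others cannot write to it or the sticky bit protects our files.
temp_space_ok() {
    [ -d "$1" ] && [ -w "$1" ] || return 1
    if dir_world_writable "$1"; then
        dir_sticky "$1"
    else
        return 0
    fi
}

# Report which of the thread's two workarounds applies on this host.
# Hypothetical wording; the lynx.cfg keyword TEMP_SPACE is the real one.
report() {
    if temp_space_ok /tmp; then
        echo "/tmp is private or sticky: keeping TEMP_SPACE:/tmp is acceptable"
    elif temp_space_ok "$HOME"; then
        echo "/tmp is world-writable without sticky bit: set TEMP_SPACE:~ in lynx.cfg"
    else
        echo "neither /tmp nor $HOME is a writable, protected directory; fix /tmp (chmod +t) or quotas"
    fi
}

report
```

The check deliberately treats a non-world-writable directory (such as a 0755 home directory) as acceptable even without the sticky bit, since the attacker the thread has in mind is another local user creating or replacing entries in a shared directory; it says nothing about the predictability of the file names themselves, which is a separate matter Foteos addresses above.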
