[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

lynx-dev (forw) Possible buffer overflows in Lynx?

From: Rob Partington
Subject: lynx-dev (forw) Possible buffer overflows in Lynx?
Date: Mon, 28 Feb 2000 11:34:50 +0000

I'm a bit behind wrt Lynx development, sorry if this has already been
dealt with.  Is this as bad as he claims?

------- Forwarded Message

Date:    Sun, 27 Feb 2000 16:30:03 +0100
From:    Michal Zalewski <address@hidden>
To:      address@hidden
Subject: lynx - someone is deaf and blind ;)

Over six months ago, I've reported nasty and easily exploitable overflows
in lynx while parsing some URLs - like cso://AAAA... etc. I've given some
examples, and it was fixed, but then, month later, I've realized that
other protocols, not mentioned in previous post are still buggy in exactly
the same way. Another post resulted in patched lynx release. And what now,

Similar problems are present for example when lynx is using proxy server
(often sysadm puts proxy server settings in global lynx.cfg) - even in
recent 2.8.3dev2x releases - http://AAA... or ftp://AAA... requests with
over 2 kb of junk after protocol indentifier (instead of valid hostname) -
0x41414141 SEGV - old, good, exploitable overflow while preparing request
for proxy server. AND MORE FOLLOWS - for example some overflows when
viewing 'Information about current document' and so on, all related to
extremely long URLs. I'm not going to give more examples here, as I'm
afraid I might miss one or two that won't be fixed - developers, use your
head, take a look at the code and fix every suspected piece of code, not
only already published / described bugs.

Michal Zalewski * address@hidden <=> [AGS WAN SYSADM]
[ SYSADM] <-> []
[+48 22 551 45 93] [+48 603 110 160] bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

------- End of Forwarded Message

reply via email to

[Prev in Thread] Current Thread [Next in Thread]