Re: [Lynx-dev] RE: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Ve
From: Thomas Dickey
Subject: Re: [Lynx-dev] RE: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx Command Injection Vulnerability
Date: Fri, 28 Oct 2005 17:51:09 -0400 (EDT)

On Fri, 28 Oct 2005, Stef Caunter wrote:

> Yet the last report from the source (of these apparently well-documented
> submissions to the above) to this list was received and fixed subsequent to
> Sept. 25, 2005, unless I am missing something.

yes - I received a report on 8 October, and made a fix that evening.

> Perhaps it is unreasonable to expect at least a follow up from the poster, or
> for the vulnerability database maintainers to find lynx.isc.org to publish a
> report to the current developer list?

There are two sets of reports. Ulf Harnhammar reported the earlier
problems. He stated that he had a shell exploit based on the HTrjis()
change, and wanted to have the fix and announcement issued concurrently.
Also, he didn't want the CAN-number on my interim patch - I noticed after
dev.14 that I'd marked the wrong item. The changelog entry which applies
should read (is in my corrections toward dev.15):

* eliminate fixed-size buffers in HTrjis() and related functions to avoid
  potential buffer overflow in nntp pages (report by Ulf Harnhammar,
  CAN-2005-3120) -TD

Since packagers generally have 2.8.5, they wanted a patch against that.
It was in the context of email discussion of that, which someone mentioned
to the later report that I was the appropriate contact.

I'm actually more interested to see that these vulnerability reports
usually are simple to analyze - once noticed. (It would be nice to
motivate people to fix harder bugs, such as the display problems for the
"-notitle" option ;-)

Speaking of that, I probably would have made some fixes for it, but the
cutoff for dev.14 was determined by the HTrjis() fix.

--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net