lynx-dev

[Lynx-dev] RE: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor


From: vendor-disclosure
Subject: [Lynx-dev] RE: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx Command Injection Vulnerability
Date: Fri, 28 Oct 2005 15:18:04 -0400

Sorry, the report should have been attached to the last email. Let me know
if it doesn't arrive this time.

I have also attached a PoC exploit.

Michael

-----Original Message-----
From: Thomas Dickey [mailto:address@hidden 
Sent: Friday, October 28, 2005 2:06 PM
To: vendor-disclosure
Cc: address@hidden
Subject: Re: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx
Command Injection Vulnerability

On Fri, 28 Oct 2005, vendor-disclosure wrote:

> Thomas,
>
> Thank you for responding. Please let us know how you'd like to proceed.

Well, I need to know the technical details, to see what type of fix is 
needed, how it is tested, etc.  Given the context in which your email 
arrived, I'm expecting to have to patch 2.8.5 and the current version. 
Without seeing the report, I can't make an estimate on how long it takes 
to fix, but would like to deal with it now.

btw - address@hidden hasn't been used for several years (1998),
and address@hidden since early 2004.

>
> Michael
>
> -----Original Message-----
> From: vendor-disclosure [mailto:address@hidden
> Sent: Thursday, October 27, 2005 1:53 PM
> To: address@hidden
> Cc: vendor-disclosure
> Subject: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx
> Command Injection Vulnerability
>
> The attached advisory and email was originally submitted on 09/08/2005, but
> a response has not yet been received. In accordance with our vendor
> disclosure policy (http://www.idefense.com/legal_disclosure.jsp) we will
> proceed with public disclosure of this issue if acknowledgement of receipt
> is not received within five business days.
>
> Regards,
> Michael Sutton
>
> Michael Sutton
> Director, iDEFENSE Labs
> iDEFENSE
> 1875 Campus Commons Drive, Suite 210
> Reston, VA 20191
> direct: 703.480.5628
> voice: 703.390.1230
> fax: 703.390.9456
> address@hidden
> www.idefense.com
>
> -----Original Message-----
> From: vendor-disclosure [mailto:address@hidden
> Sent: Thursday, September 08, 2005 11:50 PM
> To: address@hidden
> Cc: vendor-disclosure
> Subject: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx
> Command Injection Vulnerability
>
> The message below bounced.
>
> -----Original Message-----
> From: vendor-disclosure [mailto:address@hidden
> Sent: Thursday, September 08, 2005 11:27 PM
> To: address@hidden
> Cc: vendor-disclosure
> Subject: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx Command
> Injection Vulnerability
>
> iDEFENSE has identified a Command Injection vulnerability in Lynx. This
> vulnerability was submitted to iDEFENSE through our Vulnerability
> Contributor Program:
>
>       http://www.idefense.com/poi/teams/vcp.jsp
>
> iDEFENSE Labs has validated this vulnerability and has drafted the
> attached advisory. In accordance with our vendor disclosure policy
>
>       http://www.idefense.com/legal_disclosure.jsp
>
> We would request that you acknowledge receipt of this initial
> notification within five business days so that we may begin the process
> of coordinating an appropriate public disclosure date for this issue
> that will provide your company with adequate time to develop a patch or
> workaround to mitigate this vulnerability. If you have questions
> regarding this issue or require further details to assist with your own
> analysis, please do not hesitate to contact us.
>
> It is always our goal to coordinate on the public disclosure of
> patches/advisories as quickly as possible after a vulnerability is
> discovered. If however a reasonable timeframe cannot be agreed upon for
> this issue, it will be publicly released in 60 days on 11/08/2005.
> iDEFENSE is willing to work with a vendor to find a mutually agreeable
> release date beyond this timeframe so long as the vendor continues to
> make good faith efforts to produce patches in a timely fashion and
> regularly informs iDEFENSE of their progress in doing so.
>
> Please note that if the affected product is included within other
> applications and/or operating systems, iDEFENSE will not be coordinating
> disclosure of the vulnerability to affected third parties. We would ask
> that you handle this coordination separately.
>
> Regards,
> Michael Sutton
>
> Michael Sutton
> Director, iDEFENSE Labs
> iDEFENSE
> 1875 Campus Commons Drive, Suite 210
> Reston, VA 20191
> direct: 703.480.5628
> voice: 703.390.1230
> fax: 703.390.9456
> address@hidden
> www.idefense.com
>

-- 
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net

Attachment: pub_Multiple Vendor Lynx Command Injection Vulnerability.txt
Description: Text document


This will create /tmp/lynx-test if vulnerable.

test me
