Klaus,
Thank you for the time and information. I visited the Lynx source site and discovered that
The current development sources have the latest version of Lynx available (2.8.3).
The most recent stable release is lynx2-8-2.
According to Michael, the issues he reports face release 2.8.x (of course 2.8.x = 2-8-x).
In your email (included below), you state
the first two are adequately addressed in the current[*]
development code (since 2.8.3dev.17, patch originally by me).
and
As for buffer overruns, all known (exploitable) ones,
including some brought up more recently on Bugtraq, are
fixed since 2.8.3dev.22
Is there any information that is provided to the public and/or to anyone wishing to procure the "most recent stable release" regarding these security issues? It is not likely that new users (or the faint of heart, in general) will be attracted to using a "development" release, under which 2.8.3dev.x is categorized, and may unwittingly expose themselves to the aforementioned concerns with the latest "stable" release 2.8.2. You see what I'm saying?
Your last email was not cc'd to the lynx-dev list, heads up.
Lastly, thanks again for your continued time and efforts.
Servio
-----Original Message-----
From: Klaus Weide [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 23, 2000 10:21 PM
To: Servio Medina
Cc: [EMAIL PROTECTED]
Subject: RE: lynx 2.8.x - 'special URLs' anti-spoofing protection is weak
On Fri, 17 Mar 2000, Servio Medina wrote:
> Klaus,
>
> Thank you for the reply. I am following up on a post from Michael Zalewski
> to the Bugtraq mailing list on Nov. 17, 1999 which spawned a thread in the
> lynx-dev mailing list. One post (submitted by yourself) states "Yes, there
> are two nasties that he found. And he's right about both of them." This
> together with the FreeBSD Advisory (previous email to you) both caught my
> attention and I started digging for more information. However, I was unable
> to ascertain whether this was necessary to fix, and if so, the nature of the
> correction(s) : where to obtain, who should obtain, etc.
Ok, so there were three concrete issues raised in the messages you
refer to (am I overlooking anything?):
- relying on title string comparison for determining whether a page
is what it appears to be (including, can it be trusted),
- a hidden form field in lynx-generated HTML, named "secure", wasn't
secure,
- buffer overruns.
These could be used, possibly in combination, for exploits.
To my knowledge, the first two are adequately addressed in the current[*]
development code (since 2.8.3dev.17, patch originally by me). As for
buffer overruns, all known (exploitable) ones, including some brought
up more recently on Bugtraq, are fixed since 2.8.3dev.22 (according to
CHANGES file - I haven't looked at the actual code).
So, the most recent code from http://lynx.isc.org/current/ does not
have known exploitable bugs as far as I know. This isn't true of
the previous code.
[*] "current" == what lynx-dev and http://lynx.isc.org/ calls "current
development" code. I don't know what "current" means for FreeBSD.
Their advisory didn't say.
In general, we fix them as we find them (or are made aware of them).
It is true that parts of the lynx code are written in an insecure
style. Other (large) parts aren't. Recent additions to the code have
been made with security in mind[**], or are being reviewed as they are
added. In general, the most recent "current" code should therefore be
regarded as the most secure.
[**] Perhaps with the exception of some code added specifically for
MS Windows and for improved CJK character set support (also mostly
meant for Windows) - things #ifdef'd with WIN_EX, CJK_EX, SH_EX.
These aren't relevant under Unix, or need to be specially enabled.
Klaus
(message from unsubscribed address forwarded by Lynx-Dev moderator)