lynx-dev

Re: Draft CERT bulletin (was Re: LYNX-DEV security.html)


From: Foteos Macrides
Subject: Re: Draft CERT bulletin (was Re: LYNX-DEV security.html)
Date: Mon, 07 Jul 1997 17:20:37 -0500 (EST)

"Jim Spath (Webmaster Jim)" <address@hidden> wrote:
>On Mon, 7 Jul 1997, Jonathan Sergent wrote:
>
>> Fote's version is better than the one at the URL I posted earlier,
>> so I'm getting rid of that one.  Subir should probably pick a
>> copy of it up.
>> 
>> Does anyone have any opinions as to what email address should be
>> listed at the bottom?  It seems like LYNX-DEV would be appropriate
>> but we don't want security info going into the bit bucket for non-
>> subscribers.
>
>Yes, use lynx-dev...  I've reformatted the above html a bit so it can be
>distributed as text CERT bulletins.  Please review the *two* parts below
>before I pass them on to CERT (I've appointed myself go-between :0) 
>
>=========================================================================
>
>I. Description
>
>Lynx will follow symlinks in /tmp when opening temp files.  All systems that
>support symlinks are vulnerable.
>[...]
>III. Workaround
>
>Sites which are concerned with this problem are advised to change the setting
>of TEMP_SPACE from the default ("/tmp") to "~" to cause temporary files to
>be put in the user's home directory. This may cause problems for users with
>unwritable home directories (such as captive or public accounts) or users
>with low quotas. This may be done in two ways:
>[...]
>Solution
>
>The next release of Lynx will contain a permanent (and complete) fix to this
>problem.

        You leave the impression that there presently is no alternative but
to use home paths, which is problematic for many multi-user systems, and that
they must otherwise wait for a next release (who knows when that might be?).
The fotemods code deals with this, and there is Klaus's earlier patch
available as well.


>1.  http://www.tryc.on.ca/hypermail/security.11/0004.html

        Note that this message claims Lynx uses .html in all cases
for temporary files, which is untrue.  Its warning should be, and
has been, dealt with, but what it says appears to be based on simply
looking at tempname() in LYUtils.c, without adequate knowledge or
understanding of what Lynx actually does with the names it returns.
Do bear this in mind.


>Contact
>
>If you believe you have found a security problem with Lynx that is not
>listed here, please forward it to <address@hidden>.

        I assume address@hidden was set up by Subir so that
he can answer the repetitive, already well answered questions about security,
and that he will forward others to lynx-dev.  I'm not keen on changing it
to lynx-dev unless we get confirmation that it's open again and will stay
that way.

                                Fote

=========================================================================
 Foteos Macrides            Worcester Foundation for Biomedical Research
 address@hidden         222 Maple Avenue, Shrewsbury, MA 01545
=========================================================================
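As an added illustration of the bug class the draft bulletin describes (a program that opens a guessable name under a world-writable /tmp and follows whatever symlink an attacker left there), here is a small C program. It is not Lynx code, and it is not the fix in Klaus's patch or in fotemods, which this page does not show; it only demonstrates the general technique of refusing existing entries and symlinks at open time. It builds a private scratch directory standing in for /tmp, plants the attacker's symlink from a predictable temp-file name to a victim file, and shows that fopen() of that name writes through the link while open() with O_CREAT|O_EXCL|O_NOFOLLOW refuses it. The names PREDICTABLE_NAME and VICTIM_NAME, the scratch path under /tmp and the victim's contents are all constructed for the example.

```c
/* Added example: symlink-following temp files vs. an O_EXCL|O_NOFOLLOW open.
 * Not Lynx code; the names and paths below are hypothetical. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Stand-ins (hypothetical) for a guessable temp name and a file the
 * attacker wants overwritten but cannot write directly. */
#define PREDICTABLE_NAME "L12345.html"
#define VICTIM_NAME      "victim"

struct lab {
    char dir[64];       /* private scratch directory playing the role of /tmp */
    char victim[160];   /* path of the victim file */
    char tmpfile[160];  /* the predictable temp-file name, which the attacker symlinks */
};

/* Create the scratch dir, a victim file with known contents, and the
 * attacker's symlink: PREDICTABLE_NAME -> victim.  Returns 0 on success. */
static int lab_setup(struct lab *l)
{
    FILE *v;
    strcpy(l->dir, "/tmp/symlab.XXXXXX");
    if (mkdtemp(l->dir) == NULL)
        return -1;
    snprintf(l->victim, sizeof l->victim, "%s/%s", l->dir, VICTIM_NAME);
    snprintf(l->tmpfile, sizeof l->tmpfile, "%s/%s", l->dir, PREDICTABLE_NAME);
    v = fopen(l->victim, "w");
    if (v == NULL)
        return -1;
    fputs("original victim contents\n", v);
    fclose(v);
    return symlink(l->victim, l->tmpfile);   /* the attacker's move */
}

/* Unsafe pattern: open the predictable name by path.  fopen() follows the
 * symlink, so the write lands in the victim file.  Returns 0 on success. */
static int unsafe_write(const struct lab *l)
{
    FILE *f = fopen(l->tmpfile, "w");
    if (f == NULL)
        return -1;
    fputs("browser temp data\n", f);
    fclose(f);
    return 0;
}

/* Safe pattern: create-only, refuse any existing entry (EEXIST) and never
 * follow a symlink (ELOOP).  mkstemp() is the library form of this idea. */
int safe_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Returns 1 if the victim file still holds its original contents. */
static int victim_intact(const struct lab *l)
{
    char buf[64] = "";
    FILE *v = fopen(l->victim, "r");
    if (v == NULL)
        return 0;
    if (fgets(buf, sizeof buf, v) == NULL)
        buf[0] = '\0';
    fclose(v);
    return strcmp(buf, "original victim contents\n") == 0;
}

static void lab_teardown(const struct lab *l)
{
    unlink(l->tmpfile);
    unlink(l->victim);
    rmdir(l->dir);
}

/* Run the scenario.  Returns 0 when the unsafe open clobbered the victim,
 * the safe open refused the symlink, and the safe open succeeds once the
 * name is genuinely free; nonzero otherwise. */
int run_demo(void)
{
    struct lab l;
    int fd, clobbered, refused, fresh_ok;

    if (lab_setup(&l) != 0)
        return -1;
    if (unsafe_write(&l) != 0) { lab_teardown(&l); return -2; }
    clobbered = !victim_intact(&l);

    fd = safe_open(l.tmpfile);                      /* symlink still in place */
    refused = (fd < 0) && (errno == EEXIST || errno == ELOOP);
    if (fd >= 0) close(fd);

    unlink(l.tmpfile);                              /* remove the attacker's link */
    fd = safe_open(l.tmpfile);                      /* now a fresh name: must succeed */
    fresh_ok = fd >= 0;
    if (fd >= 0) close(fd);

    lab_teardown(&l);
    return (clobbered && refused && fresh_ok) ? 0 : 1;
}

int main(void)
{
    int rc = run_demo();
    puts(rc == 0 ? "fopen() followed the symlink; O_EXCL|O_NOFOLLOW refused it"
                 : "demo did not behave as expected");
    return rc == 0 ? 0 : 1;
}
```

Compile with `cc -o symlab symlab.c` and run it on a system with a writable /tmp. The bulletin's TEMP_SPACE="~" workaround sidesteps the shared directory rather than the open-by-name pattern itself, which is why it helps only where the home directory is private and writable; the create-only open above is what closes the hole regardless of where the temp files live.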
