Re: LYNX-DEV new security bulletin drafts


From: Jim Spath (Webmaster Jim)
Subject: Re: LYNX-DEV new security bulletin drafts
Date: Sat, 12 Jul 1997 09:43:46 -0400 (EDT)

On Fri, 11 Jul 1997, Jonathan Sergent wrote:

> Jim posted some changes to version 3 of the drafts.
...
> See version 4 of both bulletins, same place as before.
> Mail from here is really slow...

All right, I admit it, I'm a lousy editor...  Here are some spelling and
style changes.  The only substantive changes are mentioning that single
user systems are not affected by /tmp being writable, and where to
actually find some binaries. 

FWIW, UNIX spell couldn't find "writeable" or "writable."  My paper
dictionary has "writable."

[Subir, you'll probably need to flag "fixed" binaries...]

----><----><----><----><----><----><----><----><----><----><----><----
* Bulletin 1 patches *

*** b1v4.t      Sat Jul 12 09:07:48 1997
--- b1v5.t      Sat Jul 12 09:28:08 1997
***************
*** 6,12 ****
  the temporary file with a symbolic link or with another file.
  
  Installed versions of Lynx where the /tmp directory is used to store
! files during download are vulnerable.
  
  
  II. Impact
--- 6,13 ----
  the temporary file with a symbolic link or with another file.
  
  Installed versions of Lynx where the /tmp directory is used to store
! files during download are vulnerable.  Systems operated by a single
! user (e.g., Linux or NetBSD) are not vulnerable.
  
  
  II. Impact
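Review bot: In the added sentence "Systems operated by a single user (e.g., Linux or NetBSD) are not vulnerable", the parenthetical names operating systems that are multi-user by design, so a reader running a shared Linux or NetBSD host could conclude it is unaffected. The exemption depends on there being no other local users able to write to /tmp, not on the operating system. Suggest dropping the examples or rewording to something like "Systems with only one local user (for example a personal Linux or NetBSD workstation) are not vulnerable".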
***************
*** 53,63 ****
       Lynx 2.7.1 will replace "~" in the temp. space allocation with the
       path to the user's home directory.
  
!      Individual users may also set the LYNX_TEMP_SPACE environment variable to
!      point to another place known to be unwriteable by other users (for 
instanc
! e
!      a subdirectory of the users' home directory, or a mode 0700 directory of 
a
!      "sticky" /tmp).
  
     To do this with Lynx 2.7.1 with the FOTEMODS patch set applied:
  
--- 54,63 ----
       Lynx 2.7.1 will replace "~" in the temp. space allocation with the
       path to the user's home directory.
  
!      Individual users may also set the LYNX_TEMP_SPACE environment
!      variable to point to another place known to be unwriteable by other
!      users (for instance a subdirectory of the users' home directory, or a
!      mode 0700 directory of a "sticky" /tmp).
  
     To do this with Lynx 2.7.1 with the FOTEMODS patch set applied:
  
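Review bot: The last reflowed line, "mode 0700 directory of a "sticky" /tmp", does not say that the directory has to be owned by the user running Lynx; a directory with that mode that another user created first is not under the Lynx user's control. Suggest "a mode 0700 directory, owned by the user, in a "sticky" /tmp". While the paragraph is being reflowed it could also pick up "unwritable" for "unwriteable" and "the user's home directory" for "the users' home directory", matching the context line just above it.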

* Bulletin 2 patches *

*** b2v4.t      Sat Jul 12 09:10:32 1997
--- b2v5.t      Sat Jul 12 09:25:57 1997
***************
*** 1,7 ****
  I. Description
  
  Lynx, on Un*x systems, may be coerced to read or execute arbitrary
! files on the local system regardles of restrictions set by the
  system administrator.
  
  Installed versions of Lynx up to and including version 2.7.1 on Unix
--- 1,7 ----
  I. Description
  
  Lynx, on Un*x systems, may be coerced to read or execute arbitrary
! files on the local system regardless of restrictions set by the
  system administrator.
  
  Installed versions of Lynx up to and including version 2.7.1 on Unix
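Review bot: The platform name is inconsistent within this paragraph: the sentence containing the corrected word opens "Lynx, on Un*x systems", while the last context line says "version 2.7.1 on Unix". Suggest using one spelling throughout the bulletin so readers do not wonder whether two different sets of systems are meant.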
***************
*** 40,65 ****
  
  IV. Solution
  
! Current developmental releases of lynx have fixed this problem since
  1997-06-26.  Patches you may find from before that date may not
! entirely elimintate the vulnerability.
  
  The most recent stable version of Lynx (version 2.7.1) can be
  patched to fix this problem by replacing the file "lynx2-7-1/src/LYDownload.c"
  with a replacement file.
  
! The replacement file to eliminate this vulerability in version
  2.7.1 is available (courtesy of Foteos Macrides) at:
       http://www.slcc.edu/lynx/fote/patches/lynx2-7-1/src/LYDownload.c
  
  All systems running Lynx versions 2.7.1 or earlier should be
  updated to fix this problem.
  
! Two current developmental releases of lynx (which will be merged for
! the final release) are available at:
       http://www.slcc.edu/lynx/fote/patches/
       http://www.slcc.edu/lynx/current/
  
  
  V. Contact information
  
--- 40,69 ----
  
  IV. Solution
  
! Current developmental releases of Lynx have fixed this problem since
  1997-06-26.  Patches you may find from before that date may not
! entirely eliminate the vulnerability.
  
  The most recent stable version of Lynx (version 2.7.1) can be
  patched to fix this problem by replacing the file "lynx2-7-1/src/LYDownload.c"
  with a replacement file.
  
! The replacement file to eliminate this vulnerability in version
  2.7.1 is available (courtesy of Foteos Macrides) at:
       http://www.slcc.edu/lynx/fote/patches/lynx2-7-1/src/LYDownload.c
  
  All systems running Lynx versions 2.7.1 or earlier should be
  updated to fix this problem.
  
! Two branches of Lynx source code are available at:
       http://www.slcc.edu/lynx/fote/patches/
       http://www.slcc.edu/lynx/current/
  
+ Binary distributions of Lynx may be found at:
+      http://www.crl.com/~subir/lynx/binaries.html
+ 
+ Note that producing binaries is a volunteer job and the latest (or any)
+ version may not be available for a specific platform.
  
  V. Contact information
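Review bot: The added paragraph "Binary distributions of Lynx may be found at:" does not say which of those binaries contain the fix, so a reader following the Solution section could install a build that is still 2.7.1 or earlier. Suggest stating that only binaries built from sources dated 1997-06-26 or later, or from 2.7.1 with the replacement LYDownload.c, are fixed, or holding the link back until the fixed binaries are flagged on that page. The replacement line "Two branches of Lynx source code are available at:" also drops the word "developmental", which tied these URLs to the first paragraph's statement that developmental releases carry the fix; consider "Two developmental branches of Lynx source code are available at:".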
----><----><----><----><----><----><----><----><----><----><----><----
  
------
<http://www.cs.indiana.edu/picons/db/users/us/md/lib/bcpl/jspath/face.xbm>
Marvin the Paranoid Android says:
I'm not getting you down am I?
