Re: lynx-dev Lynx buffer mismanagement

[Bela Lubkin]

Everyone, please stop being so defensive.  Theo is right.  He's just not
the most tactful person in the world.

Theo de Raadt is the principal maintainer of the OpenBSD operating
system.  OpenBSD is a full Unix operating system -- millions of lines of
code from thousands of different programmers.  It is well known for its
vigorous approach to security and software correctness.  Mr. de Raadt
has a lot of credibility in this area.

The lynx-dev reaction so far has been similar to a web site maintainer
telling Foteos Macrides that he "doesn't know anything about web
browsers" when he points out flaws in their HTML design.

Philip Webb wrote:

> all one can really say to Mr de Raadt is
> that he's the first person ever to make any such claim (in my memory):

Ok, then I will second it.  He is right.  The buffer management code in
Lynx *does* have a lot of problems.  Such problems are frequently
exploitable.  It is extremely likely that there are holes which would
let a user break out of a supposedly-closed Lynx sandbox account.  It is
also likely that there are holes which would let a carefully constructed
web page attack the account from which Lynx is being run (read, modify
or delete files; provide login access).  There may be holes which have
other security implications.  This is serious stuff.

On the other hand, do note that such exploits aren't easily constructed,
and tend to be very system-, compiler- and version-specific.  A page
that would attack one version of Lynx would tend to make another simply
dump core.  Pages that cause coredumps get reported to this list and
investigated by other Lynx users.  The fact that we haven't observed
such "attack pages" stands as fairly strong evidence that no such
attacks are *currently* underway.  Likewise, we can assume that future
"attack pages" will tend to be noticed, for the same reasons.

Just because we're likely to notice the attacks does not excuse us from
trying to prevent them in the first place.

> Lynx has many users & is supported by some pretty good programmers
> & no-one has run into security or other problems due to buffer overflows
> or at most only very occasionally during the past couple of years.

The right answer is "occasionally".  But that's mostly because nobody
has been actively trying to exploit those holes.

> > I'll continue to put lynx in the class of "buffer overflow disasters"
> > when people ask me for examples at my talks.
> 
> it's like someone walking into a store & telling everyone:
> "Hey! this stuff's all garbage! why don't you clean the place up?
> it's not even safe! i'm going to warn everybody about it".

Yes, it's like that, given the stipulations that (1) the person walking
in is an expert in the subject, and (2) the stuff _is_ actually garbage.
Like, uh, Paul Prudhomme walking into McDonald's...

(No, I'm not saying that Lynx is garbage, so please don't attack me for
this.  I'm saying that yes, it has a bit of a problem, which we should
fix.  I intend to spend some time on it myself.)

>Bela<