Re: [Lynx-dev] RE: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx Command Injection Vulnerability

[Thomas Dickey]

On Fri, 28 Oct 2005, Stef Caunter wrote:

> Yet the last report from the source (of these apparently well-documented 
> submissions to the above) to this list was received and fixed subsequent to 
> Sept. 25, 2005, unless I am missing something.

yes - I received a report on 8 October, and made a fix that evening.

> Perhaps it is unreasonable to expect at least a follow up from the poster, or 
> for the vulnerability database maintainers to find lynx.isc.org to publish a 
> report to the current developer list?

There are two sets of reports.  Ulf Harnhammar reported the earlier 
problems.  He stated that he had a shell exploit based on the HTrjis()
change, and wanted to have the fix and announcement issued concurrently.

Also, he didn't want the CAN-number on my interim patch - I noticed after
dev.14 that I'd marked the wrong item.  The changelog entry which applies
should read (is in my corrections toward dev.15):

* eliminate fixed-size buffers in HTrjis() and related functions to avoid
  potential buffer overflow in nntp pages (report by Ulf Harnhammar,
  CAN-2005-3120) -TD

Since packagers generally have 2.8.5, they wanted a patch against that.
It was in the context of email discussion of that, which someone mentioned
to the later report that I was the appropriate contact.

I'm actually more interested to see that these vulnerability reports 
usually are simple to analyze - once noticed.  (It would be nice to 
motivate people to fix harder bugs, such as the display problems for the 
"-notitle" option ;-)

Speaking of that, I probably would have made some fixes for it, but the
cutoff for dev.14 was determined by the HTrjis() fix.

--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net