4843066 2000-02-28  10:36  /38 lines/ Postmaster
Recipient: Bugtraq (import) <9994>
Subject: lynx - someone is deaf and blind ;)
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
X-Hate: Where do you want to go to die?
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.LNX.4.21.0002271629490.15796-100000@dione.ids.pl>
Date:         Sun, 27 Feb 2000 16:30:03 +0100
Reply-To: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>

Over six months ago, I reported nasty and easily exploitable
overflows in lynx while parsing some URLs - like
cso://AAAA... etc. I gave some examples, and it was fixed, but
then, a month later, I realized that other protocols, not mentioned
in the previous post, are still buggy in exactly the same way. Another
post resulted in a patched lynx release. And what now, guess?...

Similar problems are present, for example, when lynx is using a proxy
server (often the sysadm puts proxy server settings in the global lynx.cfg) -
even in recent 2.8.3dev2x releases - http://AAA... or
ftp://AAA... requests with over 2 kb of junk after the protocol
identifier (instead of a valid hostname) - 0x41414141 SEGV - old,
good, exploitable overflow while preparing the request for the proxy
server. AND MORE FOLLOWS - for example some overflows when viewing
'Information about current document' and so on, all related to
extremely long URLs. I'm not going to give more examples here, as I'm
afraid I might miss one or two that won't be fixed - developers, use
your head, take a look at the code and fix every suspected piece of
code, not only already published / described bugs.

Michal Zalewski * [lcamtuf@ags.pl] <=> [AGS WAN SYSADM]
[dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
[+48 22 551 45 93] [+48 603 110 160] bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=