Debian Bug report logs -
#492744
CVE-2008-3329: Unspecified vulnerability
Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>
Date: Mon, 28 Jul 2008 15:48:02 UTC
Severity: important
Tags: patch, security
Fixed in version links2/2.1pre37-1.1
Done: Steffen Joeris <white@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Gürkan Sengün <gurkan@phys.ethz.ch>:
Bug#492744; Package links.
(full text, mbox, link).
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Gürkan Sengün <gurkan@phys.ethz.ch>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: links
Severity: important
Tags: security, patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for links.
CVE-2008-3329[0]:
| Unspecified vulnerability in Links before 2.1, when "only proxies" is
| enabled, has unknown impact and attack vectors related to providing
| "URLs to external programs."
Below you'll find a part of the diff between the current debian version
and the new upstream version. The first part is what I believe the patch
for this issue, the second part I am not sure about and thought I'd include
it in the report.
Since I am not sure how exploitable this issue is, I've set the severity
to "important" now, feel free to adjust it.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3329
http://security-tracker.debian.net/tracker/CVE-2008-3329
diff -ur new/links2-2.1pre37/session.c upstream/links-2.1/session.c
--- new/links2-2.1pre37/session.c 2008-06-21 16:12:07.000000000 +0000
+++ upstream/links-2.1/session.c 2008-06-29 16:47:21.000000000 +0000
@@ -2317,6 +2317,7 @@
if (a->accept_http && !strcasecmp(proto, "http")) ret = 1;
if (a->accept_ftp && !strcasecmp(proto, "ftp")) ret = 1;
mem_free(proto);
+ if (proxies.only_proxies) ret = 0;
return ret;
}
diff -ur new/links2-2.1pre37/url.c upstream/links-2.1/url.c
--- new/links2-2.1pre37/url.c 2007-12-26 04:00:49.000000000 +0000
+++ upstream/links-2.1/url.c 2008-06-29 16:47:21.000000000 +0000
@@ -16,7 +16,7 @@
int allow_post;
int bypasses_socks;
} protocols[]= {
- {"file", 0, file_func, NULL, 1, 1, 0, 0, 0},
+ {"file", 0, file_func, NULL, 1, 1, 0, 0, 1},
{"https", 443, https_func, NULL, 0, 1, 1, 1, 0},
{"http", 80, http_func, NULL, 0, 1, 1, 1, 0},
{"proxy", 3128, proxy_func, NULL, 0, 1, 1, 1, 0},
Information forwarded to debian-bugs-dist@lists.debian.org, Gürkan Sengün <gurkan@phys.ethz.ch>:
Bug#492744; Package links.
(full text, mbox, link).
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Gürkan Sengün <gurkan@phys.ethz.ch>.
(full text, mbox, link).
Message #10 received at 492744@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi
Attached you'll find my NMU proposal. It only includes the security fix.
Cheers
Steffen
[NMU.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]
Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #15 received at 492744-close@bugs.debian.org (full text, mbox, reply):
Source: links2
Source-Version: 2.1pre37-1.1
We believe that the bug you reported is fixed in the latest version of
links2, which is due to be installed in the Debian FTP archive:
links2_2.1pre37-1.1.diff.gz
to pool/main/l/links2/links2_2.1pre37-1.1.diff.gz
links2_2.1pre37-1.1.dsc
to pool/main/l/links2/links2_2.1pre37-1.1.dsc
links2_2.1pre37-1.1_i386.deb
to pool/main/l/links2/links2_2.1pre37-1.1_i386.deb
links_2.1pre37-1.1_i386.deb
to pool/main/l/links2/links_2.1pre37-1.1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 492744@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated links2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 02 Aug 2008 03:33:53 +0000
Source: links2
Binary: links2 links
Architecture: source i386
Version: 2.1pre37-1.1
Distribution: unstable
Urgency: high
Maintainer: Gürkan Sengün <gurkan@phys.ethz.ch>
Changed-By: Steffen Joeris <white@debian.org>
Description:
links - Web browser running in text mode
links2 - Web browser running in both graphics and text mode
Closes: 492744
Changes:
links2 (2.1pre37-1.1) unstable; urgency=high
.
* Non-maintainer upload by the security team
* Make sure links cannot bypass the proxy, if it is configurered only
to use it in order to avoid leaking of sensitive information to
external programs, fix in session.c (Closes: #492744)
Fixes: CVE-2008-3329
Checksums-Sha1:
58f400cc7d49b14fde04b271f100565ba2f955cd 1283 links2_2.1pre37-1.1.dsc
dfd7c1db5243b313fe9e85eb4dac9f594778b7b4 31595 links2_2.1pre37-1.1.diff.gz
5de86cb5a1aded008e92cd7c318b6cb51bc9ce2d 1976042 links2_2.1pre37-1.1_i386.deb
73407f1c66f5ddb903400b5dbc9a80649167f992 491056 links_2.1pre37-1.1_i386.deb
Checksums-Sha256:
1cf8498685541e14410775ba88020a86885455cc87ebfd116242576c1e527f8b 1283 links2_2.1pre37-1.1.dsc
77a4c077871146994504d9ef231a82db6e8856e7686c8b2b54a61ce399553dbb 31595 links2_2.1pre37-1.1.diff.gz
6a1adc0be39502d2016fbfe5de4dc437d46be27702dfa947748df03645b4a6d5 1976042 links2_2.1pre37-1.1_i386.deb
53d2594534387bee9b11d0b443c0a4d44b8bd7e4485331da83157c01d0f58419 491056 links_2.1pre37-1.1_i386.deb
Files:
0ab9ee7871d1c484dfb822b6649866d3 1283 web optional links2_2.1pre37-1.1.dsc
387be028ea8abba54aa7cfc7b74c785c 31595 web optional links2_2.1pre37-1.1.diff.gz
3a0d7a5053a86403f70724875020b03f 1976042 web optional links2_2.1pre37-1.1_i386.deb
5cb027ae7fa3f637cb50b8832e9d1a3e 491056 web optional links_2.1pre37-1.1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkiVHekACgkQ62zWxYk/rQdhQQCcD1ha7VVpvd7Nbsr7WacZfUI/
cwwAnjP6FdNEHAped/y9Ihpk6Gli0GRm
=FLvv
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 03 Sep 2008 07:32:28 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:18:48 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon