Debian Bug report logs - #296340
malformed html causes memory exhaustion DOS
Reported by: Joey Hess <joeyh@debian.org>
Date: Mon, 21 Feb 2005 21:18:01 UTC
Severity: important
Tags: fixed-upstream, security
Found in versions 2.8.5-2, lynx/2.8.5-2sarge1
Fixed in version 2.8.5-2sarge2.2
Done: Joey Hess <joeyh@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>: Bug#296340; Package lynx.
Acknowledgement sent to Joey Hess <joeyh@debian.org>: New Bug report received and forwarded. Copy sent to James Troup <james@nocrew.org>.
Message #5 received at submit@bugs.debian.org:
Package: lynx
Version: 2.8.5-2
Severity: normal
Tags: security
The following page, if viewed in lynx, causes it to run out of memory:
http://lcamtuf.coredump.cx/mangleme/gallery/lynx_die1.html
This is CAN-2004-1617:
Lynx allows remote attackers to cause a denial of service (infinite loop) via a
web page or HTML email that contains invalid HTML including (1) a TEXTAREA tag
with a large COLS value and (2) a large tag name in an element that is not
terminated, as demonstrated by mangleme.
Details:
http://marc.theaimsgroup.com/?l=bugtraq&m=109811406620511&w=2
http://xforce.iss.net/xforce/xfdb/17804
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-2-686-smp
Locale: LANG=, LC_CTYPE= (charmap=ANSI_X3.4-1968)
Versions of packages lynx depends on:
ii libbz2-1.0 1.0.2-5 high-quality block-sorting file co
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libgnutls11 1.0.16-13 GNU TLS library - runtime library
ii libncursesw5 5.4-4 Shared libraries for terminal hand
ii zlib1g 1:1.2.2-4 compression library - runtime
-- no debconf information
--
see shy jo
Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>: Bug#296340; Package lynx.
Acknowledgement sent to dickey@his.com: Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>.
Message #10 received at 296340@bugs.debian.org:
This was fixed in lynx 2.8.6dev.6
The cited webpage does not give the correct reason for the problem, btw.
--
Thomas E. Dickey <dickey@invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net
Tags added: fixed-upstream. Request was from Thomas Dickey <dickey@his.com> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, James Troup <james@nocrew.org>: Bug#296340; Package lynx.
Acknowledgement sent to Alec Berryman <alec@thened.net>: Extra info received and forwarded to list. Copy sent to security@debian.org, James Troup <james@nocrew.org>.
Message #17 received at 296340@bugs.debian.org:
Package: lynx
Version: 2.8.5-2sarge1
Followup-For: Bug #296340
Attached is a patch from OpenBSD to fix CVE-2004-1617. It has been
reformatted as a dpatch. After applying the patch and rebuilding, pages
like http://lcamtuf.coredump.cx/mangleme/gallery/lynx_die1.html no
longer cause lynx to exhaust memory and crash.
Patch obtained from:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/004_lynx.patch
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.16-alec-laptop
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages lynx depends on:
ii libbz2-1.0 1.0.3-2 high-quality block-sorting file co
ii libc6 2.3.6-7 GNU C Library: Shared libraries
ii libgnutls11 1.0.16-14+b1 GNU TLS library - runtime library
ii libncursesw5 5.5-2 Shared libraries for terminal hand
ii zlib1g 1:1.2.3-11 compression library - runtime
Versions of packages lynx recommends:
ii mime-support 3.36-1 MIME files 'mime.types' & 'mailcap
-- no debconf information
[04_CVE-2004-1617.dpatch (application/x-shellscript, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>: Bug#296340; Package lynx.
Acknowledgement sent to Martin Schulze <joey@infodrom.org>: Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>.
Message #22 received at 296340@bugs.debian.org:
Alec Berryman wrote:
> Package: lynx
> Version: 2.8.5-2sarge1
> Followup-For: Bug #296340
>
> Attached is a patch from OpenBSD to fix CVE-2004-1617. It has been
> reformatted as a dpatch. After applying the patch and rebuilding, pages
> like http://lcamtuf.coredump.cx/mangleme/gallery/lynx_die1.html no
> longer cause lynx to exhaust memory and crash.
>
> Patch obtained from:
> ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/004_lynx.patch
Thanks a lot. I can confirm that the patch works and looks good.
Will put the three packages into the buildd network.
Regards,
Joey
--
Linux - the choice of a GNU generation.
Please always Cc to me when replying to me on the lists.
Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>: Bug#296340; Package lynx.
Acknowledgement sent to Thomas Dickey <dickey@radix.net>: Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>.
Message #27 received at 296340@bugs.debian.org:
On Sat, May 13, 2006 at 09:20:08AM +0200, Martin Schulze wrote:
> Alec Berryman wrote:
> > Package: lynx
> > Version: 2.8.5-2sarge1
> > Followup-For: Bug #296340
> >
> > Attached is a patch from OpenBSD to fix CVE-2004-1617. It has been
hmm - no. It's not from OpenBSD.
> > reformatted as a dpatch. After applying the patch and rebuilding, pages
> > like http://lcamtuf.coredump.cx/mangleme/gallery/lynx_die1.html no
> > longer cause lynx to exhaust memory and crash.
> >
> > Patch obtained from:
> > ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/004_lynx.patch
>
> Thanks a lot. I can confirm that the patch works and looks good.
> Will put the three packages into the buildd network.
That's a piece of my patch for lynx 2.8.6dev.8, which one can see here:
http://lynx.isc.org/current/index.html
Here's the proper cite for it:
2004-11-07 (2.8.6dev.8)
* limit TEXTAREA columns to the screen width, and rows to 3 times the screen
height (report by FLWM) -TD
--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net
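The changelog entry Dickey quotes describes the fix as a bound on TEXTAREA dimensions rather than a change to HTML error handling. The following is an added example written for this page, not lynx's own code: a small attribute scanner pulls COLS and ROWS out of a constructed TEXTAREA start tag, one function sizes the widget straight from those values (the unsafe pattern), and another applies the limits the changelog names, columns capped at the screen width and rows at three times the screen height. The default values for missing attributes, the 80x24 terminal, and the function names are assumptions of this example.

```c
/* Added example, not lynx source: why clamping document-supplied
 * TEXTAREA COLS/ROWS to the terminal size removes the memory-exhaustion
 * path. Screen size, attribute defaults and all names are assumptions. */
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

typedef struct { long cols; long rows; } textarea_dims;

/* Case-insensitively locate NAME=value inside TAG and return the decimal
 * value; return DFLT when the attribute is absent or not numeric.
 * Deliberately minimal scanner for the example, not an HTML parser. */
static long attr_value(const char *tag, const char *name, long dflt)
{
    size_t n = strlen(name);
    for (const char *p = tag; *p != '\0'; p++) {
        if (p != tag && isalnum((unsigned char)p[-1]))
            continue;                       /* attribute must start a word */
        if (strncasecmp(p, name, n) != 0)
            continue;
        const char *q = p + n;
        while (*q == ' ' || *q == '\t') q++;
        if (*q != '=')
            continue;
        q++;
        while (*q == ' ' || *q == '\t' || *q == '"' || *q == '\'') q++;
        if (!isdigit((unsigned char)*q))
            return dflt;
        return strtol(q, NULL, 10);         /* saturates at LONG_MAX on overflow */
    }
    return dflt;
}

/* Pull COLS and ROWS out of a <TEXTAREA ...> start tag. The defaults
 * (20 columns, 4 rows) are assumptions for the example. */
textarea_dims parse_textarea_attrs(const char *tag)
{
    textarea_dims d;
    d.cols = attr_value(tag, "cols", 20);
    d.rows = attr_value(tag, "rows", 4);
    return d;
}

/* The unsafe pattern: size the widget purely from the document's values,
 * so a hostile COLS or ROWS becomes an arbitrary allocation request.
 * Returns LONG_MAX instead of wrapping when the product overflows. */
long textarea_cells_unclamped(textarea_dims d)
{
    if (d.cols <= 0 || d.rows <= 0)
        return 0;
    if (d.rows > LONG_MAX / d.cols)
        return LONG_MAX;
    return d.rows * d.cols;
}

/* The mitigation the 2.8.6dev.8 changelog entry describes: columns are
 * bounded by the screen width, rows by three times the screen height,
 * so nothing in the page can demand more than the terminal could show. */
textarea_dims clamp_textarea(textarea_dims d, int screen_cols, int screen_rows)
{
    long max_rows = 3L * screen_rows;
    if (d.cols < 1) d.cols = 1;
    if (d.cols > screen_cols) d.cols = screen_cols;
    if (d.rows < 1) d.rows = 1;
    if (d.rows > max_rows) d.rows = max_rows;
    return d;
}

long textarea_cells_clamped(textarea_dims d, int screen_cols, int screen_rows)
{
    return textarea_cells_unclamped(clamp_textarea(d, screen_cols, screen_rows));
}

int main(void)
{
    /* Constructed input in the spirit of the mangleme case: a huge COLS/ROWS. */
    const char *tag = "<TEXTAREA NAME=t COLS=999999999 ROWS=999999999>";
    textarea_dims d = parse_textarea_attrs(tag);
    printf("requested: %ld cols x %ld rows -> %ld cells (unclamped)\n",
           d.cols, d.rows, textarea_cells_unclamped(d));
    textarea_dims c = clamp_textarea(d, 80, 24);
    printf("clamped to 80x24 terminal: %ld cols x %ld rows -> %ld cells\n",
           c.cols, c.rows, textarea_cells_unclamped(c));
    return 0;
}
```

The point of the comparison is the one Dickey makes: the input is well-formed enough to parse, and the problem is trusting the parsed numbers. Clamping to what the terminal can display keeps the allocation proportional to the screen, whatever the page asks for.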
Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>: Bug#296340; Package lynx.
Acknowledgement sent to Martin Schulze <joey@infodrom.org>: Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>.
Message #32 received at 296340@bugs.debian.org:
Thomas Dickey wrote:
> > > reformatted as a dpatch. After applying the patch and rebuilding, pages
> > > like http://lcamtuf.coredump.cx/mangleme/gallery/lynx_die1.html no
> > > longer cause lynx to exhaust memory and crash.
> > >
> > > Patch obtained from:
> > > ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/004_lynx.patch
> >
> > Thanks a lot. I can confirm that the patch works and looks good.
> > Will put the three packages into the buildd network.
>
> That's a piece of my patch for lynx 2.8.6dev.8, which one can see here:
Oh. I see. I'm sorry for the wrong credits.
Regards,
Joey
--
Linux - the choice of a GNU generation.
Please always Cc to me when replying to me on the lists.
Message sent on to Joey Hess <joeyh@debian.org>: Bug#296340.
Message #35 received at 296340-submitter@bugs.debian.org:
still no.
The credits on the advisory are inaccurate. Quoting from Zalewski's
original mail:
>
> * lynx_die1.html
>
> Lynx loops forever trying to render broken HTML.
and your advisory states:
Michal Zalewski discovered that lynx, the popular text-mode WWW
Browser, is not able to grok invalid HTML including a TEXTAREA tag
with a large COLS value and a large tag name in an element that is not
terminated, and loops forever trying to render the broken HTML. The
same code is present in lynx-ssl.
Lynx was unaffected by the _broken_ html. It did not guard against the large
COLS value. Zalewski did no analysis, but wrote something that sounded nice(*).
So most of your description is inaccurate (everything after the first line).
regards
(*) hmm - not "nice", but typical for BugTraq
--
Thomas E. Dickey <dickey@invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net
Severity set to `serious' from `normal'. Request was from Alec Berryman <alec@thened.net> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>: Bug#296340; Package lynx.
Acknowledgement sent to Alec Berryman <alec@thened.net>: Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>.
Message #42 received at 296340@bugs.debian.org:
My rationale wasn't included with the severity increase (used bts but
didn't escape the comment):
If this was serious enough to issue a DSA for woody/sarge, it will
again be serious enough to issue a DSA for etch; this vulnerability
should be taken care of before the release.
Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>: Bug#296340; Package lynx.
Acknowledgement sent to Steve Langasek <vorlon@debian.org>: Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>.
Message #47 received at 296340@bugs.debian.org:
severity 296340 important
thanks
On Thu, Aug 17, 2006 at 11:35:43AM -0400, Alec Berryman wrote:
> My rationale wasn't included with the severity increase (used bts but
> didn't escape the comment):
> If this was serious enough to issue a DSA for woody/sarge, it will
> again be serious enough to issue a DSA for etch; this vulnerability
> should be taken care of before the release.
I don't find this to be a very compelling rationale for making this a
release-critical issue. In particular, the maintainer should *not* be
expected to take any further action here, since the latest DSA is supposed
to propagate automatically to testing and unstable from proposed-updates.
And "serious enough" here was still only a DoS, which shouldn't block a
package from inclusion in stable AFAICS.
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon@debian.org http://www.debian.org/
Severity set to `important' from `serious'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.
Bug marked as fixed in version 2.8.5-2sarge2.2, send any further explanations to Joey Hess <joeyh@debian.org>. Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 07:49:43 GMT)
Last modified: Wed Jun 19 17:37:12 2019; Machine Name: buxtehude