malformed html causes memory exhaustion DOS

Debian Bug report logs - #296340
malformed html causes memory exhaustion DOS

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Joey Hess <joeyh@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: malformed html causes memory exhaustion DOS

Date: Mon, 21 Feb 2005 16:01:04 -0500

Package: lynx
Version: 2.8.5-2
Severity: normal
Tags: security

The following page, if viewed in lynx, causes it to run out of memory:
http://lcamtuf.coredump.cx/mangleme/gallery/lynx_die1.html

This is CAN-2004-1617:
 
 Lynx allows remote attackers to cause a denial of service (infinite loop) via a
 web page or HTML email that contains invalid HTML including (1) a TEXTAREA tag
 with a large COLS value and (2) a large tag name in an element that is not
 terminated, as demonstrated by mangleme.

Details: 
http://marc.theaimsgroup.com/?l=bugtraq&m=109811406620511&w=2
http://xforce.iss.net/xforce/xfdb/17804

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-2-686-smp
Locale: LANG=, LC_CTYPE= (charmap=ANSI_X3.4-1968)

Versions of packages lynx depends on:
ii  libbz2-1.0                  1.0.2-5      high-quality block-sorting file co
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libgnutls11                 1.0.16-13    GNU TLS library - runtime library
ii  libncursesw5                5.4-4        Shared libraries for terminal hand
ii  zlib1g                      1:1.2.2-4    compression library - runtime

-- no debconf information

-- 
see shy jo

Message #10 received at 296340@bugs.debian.org (full text, mbox, reply):

From: Thomas Dickey <dickey@his.com>

To: 296340@bugs.debian.org

Subject: re: #296340 malformed html causes memory exhaustion DOS

Date: Sun, 11 Dec 2005 18:08:14 -0500

[Message part 1 (text/plain, inline)]

This was fixed in lynx 2.8.6dev.6

The cited webpage does not give the correct reason for the problem, btw.

-- 
Thomas E. Dickey <dickey@invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net

[signature.asc (application/pgp-signature, inline)]

Message #17 received at 296340@bugs.debian.org (full text, mbox, reply):

From: Alec Berryman <alec@thened.net>

To: Debian Bug Tracking System <296340@bugs.debian.org>

Subject: lynx: patch to fix CVE-2004-1617

Date: Fri, 12 May 2006 15:42:27 +0100

[Message part 1 (text/plain, inline)]

Package: lynx
Version: 2.8.5-2sarge1
Followup-For: Bug #296340

Attached is a patch from OpenBSD to fix CVE-2004-1617.  It has been
reformatted as a dpatch.  After applying the patch and rebuilding, pages
like http://lcamtuf.coredump.cx/mangleme/gallery/lynx_die1.html no
longer causes lynx to exhaust memory and crash.

Patch obtained from:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/004_lynx.patch

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.16-alec-laptop
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages lynx depends on:
ii  libbz2-1.0                  1.0.3-2      high-quality block-sorting file co
ii  libc6                       2.3.6-7      GNU C Library: Shared libraries
ii  libgnutls11                 1.0.16-14+b1 GNU TLS library - runtime library
ii  libncursesw5                5.5-2        Shared libraries for terminal hand
ii  zlib1g                      1:1.2.3-11   compression library - runtime

Versions of packages lynx recommends:
ii  mime-support                  3.36-1     MIME files 'mime.types' & 'mailcap

-- no debconf information

[04_CVE-2004-1617.dpatch (application/x-shellscript, attachment)]

Message #22 received at 296340@bugs.debian.org (full text, mbox, reply):

From: Martin Schulze <joey@infodrom.org>

To: Alec Berryman <alec@thened.net>

Cc: Debian Bug Tracking System <296340@bugs.debian.org>

Subject: Re: Bug#296340: lynx: patch to fix CVE-2004-1617

Date: Sat, 13 May 2006 08:49:57 +0200

Alec Berryman wrote:
> Package: lynx
> Version: 2.8.5-2sarge1
> Followup-For: Bug #296340
> 
> Attached is a patch from OpenBSD to fix CVE-2004-1617.  It has been
> reformatted as a dpatch.  After applying the patch and rebuilding, pages
> like http://lcamtuf.coredump.cx/mangleme/gallery/lynx_die1.html no
> longer causes lynx to exhaust memory and crash.
> 
> Patch obtained from:
> ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/004_lynx.patch

Thanks a lot.  I can confirm that the patch works and looks good.
Will puth the three packages into the buildd network.

Regards,

	Joey

-- 
Linux - the choice of a GNU generation.

Please always Cc to me when replying to me on the lists.

Message #27 received at 296340@bugs.debian.org (full text, mbox, reply):

From: Thomas Dickey <dickey@radix.net>

To: Martin Schulze <joey@infodrom.org>, 296340@bugs.debian.org

Subject: Re: Bug#296340: lynx: patch to fix CVE-2004-1617

Date: Sat, 13 May 2006 09:57:34 -0400

[Message part 1 (text/plain, inline)]

On Sat, May 13, 2006 at 09:20:08AM +0200, Martin Schulze wrote:
> Alec Berryman wrote:
> > Package: lynx
> > Version: 2.8.5-2sarge1
> > Followup-For: Bug #296340
> > 
> > Attached is a patch from OpenBSD to fix CVE-2004-1617.  It has been

hmm - no.  It's not from OpenBSD.

> > reformatted as a dpatch.  After applying the patch and rebuilding, pages
> > like http://lcamtuf.coredump.cx/mangleme/gallery/lynx_die1.html no
> > longer causes lynx to exhaust memory and crash.
> > 
> > Patch obtained from:
> > ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/004_lynx.patch
> 
> Thanks a lot.  I can confirm that the patch works and looks good.
> Will puth the three packages into the buildd network.

That's a piece of my patch for lynx 2.8.6dev.8, which one can see here:

http://lynx.isc.org/current/index.html

Here's the proper cite for it:

2004-11-07 (2.8.6dev.8)
* limit TEXTAREA columns to the screen width, and rows to 3 times the screen
  height (report by FLWM) -TD

-- 
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net

[Message part 2 (application/pgp-signature, inline)]

Message #32 received at 296340@bugs.debian.org (full text, mbox, reply):

From: Martin Schulze <joey@infodrom.org>

To: Thomas Dickey <dickey@radix.net>

Cc: 296340@bugs.debian.org

Subject: Re: Bug#296340: lynx: patch to fix CVE-2004-1617

Date: Sat, 13 May 2006 16:14:27 +0200

Thomas Dickey wrote:
> > > reformatted as a dpatch.  After applying the patch and rebuilding, pages
> > > like http://lcamtuf.coredump.cx/mangleme/gallery/lynx_die1.html no
> > > longer causes lynx to exhaust memory and crash.
> > > 
> > > Patch obtained from:
> > > ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/004_lynx.patch
> > 
> > Thanks a lot.  I can confirm that the patch works and looks good.
> > Will puth the three packages into the buildd network.
> 
> That's a piece of my patch for lynx 2.8.6dev.8, which one can see here:

Oh.  I see.  I'm sorry for the wrong credits.

Regards,

	Joey

-- 
Linux - the choice of a GNU generation.

Please always Cc to me when replying to me on the lists.

Message #35 received at 296340-submitter@bugs.debian.org (full text, mbox, reply):

From: Thomas Dickey <dickey@his.com>

To: 296340-submitter@bugs.debian.org

Subject: re: #296340 malformed html causes memory exhaustion DOS

Date: Mon, 29 May 2006 20:15:58 -0400

[Message part 1 (text/plain, inline)]

still no.

The credits on the advisory are inaccurate.  Quoting from Zalewski's
original mail:
>
>  * lynx_die1.html
>
>    Lynx loops forever trying to render broken HTML.

and your advisory states:

          Michal  Zalewski  discovered  that  lynx,  the  popular  text-mode WWW
          Browser,  is  not  able  to grok invalid HTML including a TEXTAREA tag
          with a large COLS value and a large tag name in an element that is not
          terminated,  and  loops  forever trying to render the broken HTML. The
          same code is present in lynx-ssl.

Lynx was unaffected by the _broken_ html.  It did not guard against the large
COLS value.  Zalewski did no analysis, but wrote something that sounded nice(*).
So most of your description is inaccurate (everything after the first line).

regards

(*) hmm - not "nice", but typical for BugTraq

-- 
Thomas E. Dickey <dickey@invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net

[signature.asc (application/pgp-signature, inline)]

Message #42 received at 296340@bugs.debian.org (full text, mbox, reply):

From: Alec Berryman <alec@thened.net>

To: 296340@bugs.debian.org

Subject: lynx: severity raise rational

Date: Thu, 17 Aug 2006 11:35:43 -0400

[Message part 1 (text/plain, inline)]

My rational wasn't included with the severity increase (used bts but
didn't escape the comment):

If this was serious enough to issue a DSA for woody/sarge, it will
again be serious enough to issue a DSA for etch; this vulnerability
should be taken care of before the release.

[signature.asc (application/pgp-signature, inline)]

Message #47 received at 296340@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>

To: Alec Berryman <alec@thened.net>, 296340@bugs.debian.org

Subject: Re: Bug#296340: lynx: severity raise rational

Date: Thu, 17 Aug 2006 12:58:49 -0700

severity 296340 important
thanks

On Thu, Aug 17, 2006 at 11:35:43AM -0400, Alec Berryman wrote:
> My rational wasn't included with the severity increase (used bts but
> didn't escape the comment):

> If this was serious enough to issue a DSA for woody/sarge, it will
> again be serious enough to issue a DSA for etch; this vulnerability
> should be taken care of before the release.

I don't find this to be a very compelling rationale for making this a
release-critical issue.  In particular, the maintainer should *not* be
expected to take any further action here, since the latest DSA is supposed
to propagate automatically to testing and unstable from proposed-updates. 
And "serious enough" here was still only a DoS, which shouldn't block a
package from inclusion is stable AFAICS.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Send a report that this bug log contains spam.