[8339] in bugtraq

Re: Sendmail, lynx, Netscape, sshd, Linux kernel (twice)

daemon@ATHENA.MIT.EDU (brian j. pardy)
Fri Oct 30 12:53:19 1998

Mail-Followup-To: BUGTRAQ@netspace.org, lynx-dev@sig.net
Date: 	Wed, 28 Oct 1998 21:47:53 -0800
Reply-To: "brian j. pardy" <posterkid@PSNW.COM>
From: "brian j. pardy" <posterkid@PSNW.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.LNX.4.00.9809060047320.1137-100000@lcamtuf.ids.pl>; from
              "Michal Zalewski" on Sun, Sep 06, 1998 at 12:53:24AM

Michal Zalewski wrote:
> Bugs in lynx 2.8.x (including latest development versions):
> -----------------------------------------------------------
>
> Trivial overflows in protocol handlers:
>
> <a href="rlogin://(approx. 1454 times 'A')">...</a>,
> <a href="telnet://(approx. 1454 times 'A')">...</a> or
> <a href="tn3270://(approx. 1454 times 'A')">...</a>
>
> Choose your favourite protocol. Beautiful SEGV at 0x41414141. Also,
> overflows in finger://, cso://, nntp:// and news:// handlers,
> unfortunately not-so-easily exploitable. 1454 bytes is more than perfect
> for common lynx 2.8.x under Linux. May vary under other platforms.
>
> Not much to say. I reported a similar overflow in the mailto: protocol
> months ago. I have no idea why it hasn't been fixed.
>
> Samples: http://dione.ids.pl/~lcamtuf/pliki/browsers.html.gz
>
> Solution: ehh...

Since you obviously knew of the development versions enough to download
and test them for this, my sincere thanks for NOT informing the lynx-dev
list of this at all.

lynx-dev@sig.net is mentioned PROMINENTLY in the lynx documentation.

It's only common courtesy to report these things to the developers before
a public list.

<sigh>

FWIW, from CHANGES (for 2.8.1rel.2, the most recent version):

1998-05-10 (2.8.1dev.10)
[...]
* fix for buffer-overrun in LYMail.c when processing a mailto:very-log-address
  URL - BL

--
"There is hopeful symbolism in the fact that flags do not wave in a
vacuum."
                -- Arthur C. Clarke
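
Added illustration, not part of either post and not lynx code: a hypothetical helper showing the length check a handler for the three schemes named in the quoted report needs before it copies the host part of a URL into a fixed buffer. The name `url_host`, the 255-byte limit and the sample URLs are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HOST_MAX 255   /* assumed limit; a DNS name plus NUL fits in 256 bytes */

/* Hypothetical helper: copy the host of an rlogin://, telnet:// or tn3270://
 * URL into host[hostlen]. Returns 0 on success, -1 if the URL is rejected. */
int url_host(const char *url, char *host, size_t hostlen)
{
    static const char *schemes[] = { "rlogin://", "telnet://", "tn3270://" };
    const char *p = NULL;
    size_t i, n;

    if (url == NULL || host == NULL || hostlen == 0)
        return -1;
    host[0] = '\0';
    for (i = 0; i < sizeof schemes / sizeof schemes[0]; i++) {
        size_t sl = strlen(schemes[i]);
        if (strncmp(url, schemes[i], sl) == 0)
            p = url + sl;                /* start of the host part */
    }
    if (p == NULL)
        return -1;                       /* not one of the three schemes */
    n = strcspn(p, ":/");                /* host ends at port, path or end */
    if (n == 0 || n > HOST_MAX || n >= hostlen)
        return -1;                       /* length is checked before any copy */
    for (i = 0; i < n; i++)              /* letters, digits, '.', '-' only */
        if (!isalnum((unsigned char)p[i]) && p[i] != '.' && p[i] != '-')
            return -1;
    memcpy(host, p, n);
    host[n] = '\0';
    return 0;
}

int main(void)
{
    char host[HOST_MAX + 1];
    char url[9 + 1454 + 1] = "rlogin://";   /* constructed input */
    int r;

    memset(url + 9, 'A', 1454);             /* the 1454-byte case from the report */
    r = url_host(url, host, sizeof host);
    printf("1454 x 'A': %d\n", r);
    r = url_host("telnet://example.org:23/", host, sizeof host);
    printf("example.org: %d (%s)\n", r, host);
    return 0;
}
```

The helper rejects an over-long host outright instead of truncating it, so a handler never acts on a partial name; URLs carrying a `user@` part are also rejected by the character check.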
