-----BEGIN PGP SIGNED MESSAGE-----

Subject: Caldera Security Advisory SA-1997.12: Vulnerabilities in Lynx

Caldera Security Advisory SA-1997.12
Original report date: 15-Jul-1997
RPM build date: 29-Jul-1997
Original issue date: 06-Aug-1997

Topic: Vulnerabilities in Lynx

Note: two vulnerabilities are addressed in this advisory.

I. Problem Description

   Problem 1:

   Lynx typically stores persistent temporary files in /tmp on Un*x
   systems. The filenames Lynx chooses can be predicted, and another
   user on the system may be able to exploit a race condition to
   replace the temporary file with a symbolic link or with another
   file.

   Installed versions of Lynx where a directory writable by other
   users (such as /tmp on a machine to which multiple users have
   access) is used to store files during download are vulnerable.

   This vulnerability can only be exploited by a user with access to
   an account on the machine running Lynx.

   Problem 2:

   Lynx, on Un*x systems, may be coerced to read or execute arbitrary
   files on the local system regardless of restrictions set by the
   system administrator.

   Installed versions of Lynx up to and including version 2.7.1 on
   Unix or Unix-like operating systems are vulnerable.

II. Impact

   Problem 1:

   A malicious user with access to the same machine as other Lynx
   users may be able to cause another user's Lynx process to overwrite
   another file. It may also be possible to replace the contents of a
   downloaded file with a file other than the one the user downloaded,
   or to cause the user to print a file other than the one selected
   for printing.

   Problem 2:

   A. Captive Lynx installations

      Users of Lynx in a captive situation (where the Lynx user does
      not normally have access to a shell prompt, or to a menu system
      that allows the user to run arbitrary commands) can get access
      to a shell prompt. This includes public Lynxes as well as any
      setup where the user is restricted as to which programs can be
      run.

   B. All Lynx installations

      This vulnerability could also conceivably allow malicious
      webmasters to add these carefully crafted URLs to their pages to
      cause unsuspecting Lynx users (in captive accounts or otherwise)
      to execute arbitrary commands.

   This vulnerability can be exploited by anyone who can provide Lynx
   a carefully crafted URL.

   This problem was present on the following OpenLinux releases:

      CND 1.0
      Base 1.0
      Lite 1.1
      Base 1.1
      Standard 1.1

   To determine if you are affected and need this update you may do
   the following:

      rpm -q lynx

   If the results show a release earlier than lynx-2.7.1-4, you should
   upgrade.

III. Solution

   Install the new lynx-2.7.1-4.i386.rpm package that contains the
   fixed version of lynx.

   It is located on Caldera's FTP server (ftp.caldera.com):

      /pub/openlinux/updates/1.1/current/RPMS/lynx-2.7.1-4.i386.rpm

   Source files are also available at:

      /pub/openlinux/updates/1.1/current/SRPMS/lynx-2.7.1-4.src.rpm

   The MD5 checksums (from the "md5sum" command) for these packages
   are:

      f01a6209a99573216e810f7f507e296b  lynx-2.7.1-4.i386.rpm
      6e3a1293679518d2e127399c9ea3f6ee  lynx-2.7.1-4.src.rpm

   Install the new version of lynx in the following manner:

      rpm -e lynx
      rpm -i lynx-2.7.1-4.i386.rpm

   CND will need to upgrade to a newer version of the RPM tool to
   install this package. See:

      ftp://ftp.caldera.com/pub/cnd-1.0/updates/rpm-upgrade.README

IV. References / Credits

   This and other Caldera security resources are located at:

      http://www.caldera.com/tech-ref/security/

   CERT Vendor-Initiated Bulletin VB-97.05 - Vul in Lynx Temporary Files

      ftp://info.cert.org/pub/cert_advisories/cert_bulletins/VB-97.05.lynx

   CERT Vendor-Initiated Bulletin VB-97.06 - Vul in Lynx Downloading

      ftp://info.cert.org/pub/cert_advisories/cert_bulletins/VB-97.06.lynx

   The LYNX-DEV mailing list (with further information about this
   vulnerability) is archived at:

      http://www.flora.org/lynx-dev/
      http://www.flora.org/lynx-dev/html/month0697/msg00234.html

   Lynx security information is available at:

      http://www.crl.com/~subir/lynx/security.html

   General information about Lynx is available at:

      http://lynx.browser.org/

   This advisory closes Caldera's internal bug reports #702 and #849.

V. PGP Signature

   This message was signed with the PGP key for .

   This key can be obtained from:

      ftp://ftp.caldera.com/pub/pgp-keys/

   Or on an OpenLinux CDROM under:

      /OpenLinux/pgp-keys/

$Id: SA-1997.12,v 1.1 1997/08/06 20:13:54 ron Exp ron $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBM+jbVOn+9R4958LpAQF9LAP/SoISu5hZOvaRrDHr6jMCTg8ghe44LKkc
1BO2sRl4gnowvri7e5emntp1dbTCcZJB64LJDChcbyV1F98J2+WK4j79il53VBj8
28lKcAJToEmTklh9Og5BH1GdW9wDMFzQyJcGJqfv7uuh+RgB85c3pYUY9+zhD+Zz
1EpwHnG4oHU=
=+9uO
-----END PGP SIGNATURE-----
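
Added example, not part of the advisory and not the Caldera or Lynx fix: the usual C mitigation for the class of temporary-file race described in Problem 1, checked against a symbolic link that already exists at a guessable name. The function names, the "dl-1234.tmp" file name and the scratch directory are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fixed name: O_EXCL makes open() fail with EEXIST if a file or symlink (even
 * a dangling one) already sits at the path, so a planted link is not followed. */
int open_temp_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Preferred: mkstemp() picks an unpredictable name and creates it atomically
 * with mode 0600. On success `out` holds the chosen path. */
int open_temp_random(const char *dir, char *out, size_t outlen)
{
    if (snprintf(out, outlen, "%s/dl.XXXXXX", dir) >= (int)outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(out);
}

/* Constructed scenario: a private scratch directory stands in for shared /tmp,
 * with a symlink at a guessable name. Returns 0 if the link is refused. */
int demo_planted_symlink(void)
{
    char dir[] = "/tmp/sa-demo.XXXXXX", victim[64], guess[64], rnd[64];
    struct stat st;
    int fd, rc = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(guess, sizeof guess, "%s/dl-1234.tmp", dir);
    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd >= 0 && write(fd, "keep", 4) == 4 && symlink(victim, guess) == 0) {
        int t = open_temp_exclusive(guess);          /* must be refused */
        if (t < 0 && errno == EEXIST && stat(victim, &st) == 0 && st.st_size == 4)
            rc = 0;                                  /* link target untouched */
        if (t >= 0) close(t);
    }
    if (fd >= 0) close(fd);
    fd = open_temp_random(dir, rnd, sizeof rnd);     /* unique, owner-only */
    if (fd < 0 || fstat(fd, &st) != 0 || (st.st_mode & 0777) != 0600) rc = -1;
    if (fd >= 0) { close(fd); unlink(rnd); }
    unlink(guess); unlink(victim); rmdir(dir);
    return rc;
}
```

Keeping temporary files in a per-user directory that other accounts cannot write to removes the shared-directory precondition the advisory names; the exclusive create is the check that still holds when that is not possible.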