Bug 22132

Summary: lynx new security issue CVE-2017-1000211
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, marja11, nicolas.salguero, sysadmin-bugs, tarazed25
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-64-OK
Source RPM: lynx-2.8.8-1.rel2.6.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-12-05 23:21:03 CET 
openSUSE has issued an advisory on December 2:
https://lists.opensuse.org/opensuse-updates/2017-12/msg00007.html

The SUSE bug has a link to the upstream commit that fixed the issue:
https://bugzilla.suse.com/show_bug.cgi?id=1068885

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-12-05 23:21:09 CET

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Marja Van Waes 2017-12-06 12:51:41 CET 
Assigning to all packagers collectively, since there is no registered maintainer for lynx

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 Nicolas Salguero 2017-12-08 09:34:39 CET 
Suggested advisory:
========================

The updated package fix a security vulnerability:

Lynx before 2.8.9dev.16 is vulnerable to a use after free in the HTML parser resulting in memory disclosure, because HTML_put_string() can append a chunk onto itself. (CVE-2017-1000211)

References:
https://lists.opensuse.org/opensuse-updates/2017-12/msg00007.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000211
========================

Updated packages in 5/core/updates_testing:
========================
lynx-2.8.8-1.rel2.3.2.mga5

from SRPMS:
lynx-2.8.8-1.rel2.3.2.mga5.src.rpm

Updated packages in 6/core/updates_testing:
========================
lynx-2.8.8-1.rel2.6.1.mga6

from SRPMS:
lynx-2.8.8-1.rel2.6.1.mga6.src.rpm

Source RPM: lynx-2.8.8-1.rel2.8.mga7.src.rpm => lynx-2.8.8-1.rel2.6.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6

Comment 3 Herman Viaene 2017-12-08 16:00:26 CET 
MGA5-32 on Dell Latitude D600 Xfce
No installation issues.
Used lynx to view our own www.mageia.org, looks OK.

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene

Comment 4 Len Lawrence 2017-12-08 19:40:10 CET 
Updated this on Mageia 5 :: x86_64

Pointed lynx at a few sites like Mageia Bugzilla, exoplanet.eu and APOD (https://apod.nasa.gov/apod/astropix.html).  "Clicking" on the introductory text launched an image viewer with today's picture.  Clicking in this case involved down-arrow to select the field then Return to "click".  / activates the text search option.  Responding with "shadow" highlighted that word wherever it occurred in the page.  Not sure how useful that is.

It works.

CC: (none) => tarazed25
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA5-64-OK

Comment 5 Len Lawrence 2017-12-09 17:27:34 CET 
Installed on Mageia 6 :: x86_64

Terminal-based interface working smoothly.  Visited a few sites, traversed links, displayed images and PDFs and looked at files.  No problems except with Youtube videos - always "unavailable".

OK for 64 bits.
Len Lawrence 2017-12-09 17:27:51 CET

Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-64-OK

Lewis Smith 2017-12-16 09:15:02 CET

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2017-12-17 00:20:54 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0451.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED