Bug 19714 - lynx new security issue CVE-2016-9179
Summary: lynx new security issue CVE-2016-9179
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/714582/
Whiteboard: mga5-32-ok advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-11-04 15:23 CET by David Walser
Modified: 2017-02-20 14:00 CET (History)

See Also:
Source RPM: lynx-2.8.8-1.rel2.5.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2016-11-04 15:23:41 CET
A CVE has been assigned for a security issue in lynx:
http://openwall.com/lists/oss-security/2016/11/04/1

No fix is available yet, but the upstream author said that he would work on it.

Mageia 5 is also affected.
David Walser 2016-11-04 15:23:47 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-11-04 23:46:35 CET
Already assigning to all packagers collectively. (There is no registered maintainer for this package.)

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Lécureuil 2016-11-16 17:56:10 CET
How to test this?

CC: (none) => mageia

Comment 3 Nicolas Lécureuil 2016-11-16 17:58:20 CET
OK, fixed in: http://lynx.invisible-island.net/current/CHANGES.html#index-v2.8.9dev.10
Comment 4 Nicolas Lécureuil 2016-11-16 18:00:18 CET
But I don't find where the code is hosted.
Comment 5 David Walser 2017-02-15 01:14:21 CET
Fedora has issued an advisory for this today (February 14):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FUXKJDF62YGEI7SVFFUYQ56QCKESXF3W/

Hopefully we can find a patch for this so we don't have to get back on the development release train.
David Walser 2017-02-15 19:27:27 CET

URL: (none) => https://lwn.net/Vulnerabilities/714582/

Comment 6 Nicolas Salguero 2017-02-17 11:31:17 CET
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Lynx doesn't parse the authority component of the URL correctly when the host name part ends with '?', and could instead be tricked into connecting to a different host. (CVE-2016-9179)

References:
http://openwall.com/lists/oss-security/2016/11/04/1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9179
========================

Updated packages in core/updates_testing:
========================
lynx-2.8.8-1.rel2.3.1.mga5

from SRPMS:
lynx-2.8.8-1.rel2.3.1.mga5.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 7 Brian Rockwell 2017-02-18 17:16:16 CET
32-bit version

Installed lynx and was able to browse around the Mageia website. Seems to work from a base perspective.

CC: (none) => brtians1
Whiteboard: (none) => mga5-32-ok

Dave Hodgins 2017-02-19 21:58:22 CET

CC: (none) => davidwhodgins
Whiteboard: mga5-32-ok => mga5-32-ok advisory

Comment 8 Dave Hodgins 2017-02-20 06:47:10 CET
Trying http://www.google.ca?localhost both before and after the update fails, so
not sure how to recreate the bug.

Normal web browsing is working, so validating the update.

Keywords: (none) => validated_update
Whiteboard: mga5-32-ok advisory => mga5-32-ok advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

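Added illustration of the parsing rule behind the advisory in comment 6, using the test URL from comment 8. This is example code written for this page, not lynx's own parser: `rfc3986_host` delimits the authority the way RFC 3986 requires (first `/`, `?` or `#`), while the hypothetical `naive_host` stops only at `/` and so carries the query into the host name.

```c
/* Added illustration, not lynx's own code: where the authority of an http
 * URL ends.  RFC 3986 ends it at the first '/', '?' or '#' after "//"; a
 * parser that looks only for '/' carries the query into the host name,
 * the class of mistake described for CVE-2016-9179. */
#include <string.h>
/* Copy the host of `url`'s authority into `out` (size `outlen`), dropping
 * "user@" and ":port".  Returns 1 on success, 0 with no "//" or no room. */
static int rfc3986_host(const char *url, char *out, size_t outlen)
{
    const char *p = strstr(url, "//");
    if (!p) return 0;
    const char *start = p + 2;
    size_t n = strcspn(start, "/?#");       /* authority ends here */
    const char *end = start + n;
    const char *at = memchr(start, '@', n); /* userinfo only inside authority */
    if (at) start = at + 1;
    const char *host_end = end;
    if (*start == '[') {                     /* IPv6 literal: keep brackets */
        const char *rb = memchr(start, ']', (size_t)(end - start));
        if (rb) host_end = rb + 1;
    } else {
        const char *colon = memchr(start, ':', (size_t)(end - start));
        if (colon) host_end = colon;         /* drop ":port" */
    }
    size_t len = (size_t)(host_end - start);
    if (len + 1 > outlen) return 0;
    memcpy(out, start, len);
    out[len] = '\0';
    return 1;
}

/* Contrast (hypothetical): a parser that lets only '/' end the authority. */
static int naive_host(const char *url, char *out, size_t outlen)
{
    const char *p = strstr(url, "//");
    if (!p) return 0;
    size_t len = strcspn(p + 2, "/");
    if (len + 1 > outlen) return 0;
    memcpy(out, p + 2, len);
    out[len] = '\0';
    return 1;
}

/* 1 if parser `fn` extracts exactly `expected` from `url`, else 0. */
static int host_is(int (*fn)(const char *, char *, size_t),
                   const char *url, const char *expected)
{
    char h[128];
    return fn(url, h, sizeof h) && strcmp(h, expected) == 0;
}
```

For `http://www.google.ca?localhost` the RFC 3986 parser yields the host `www.google.ca` with query `localhost`, whereas the naive parser yields `www.google.ca?localhost`; which host an affected client actually connected to is not stated on this page.
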
Comment 9 Mageia Robot 2017-02-20 14:00:59 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0052.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
