Bug 22132 - lynx new security issue CVE-2017-1000211
Summary: lynx new security issue CVE-2017-1000211
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-12-05 23:21 CET by David Walser
Modified: 2017-12-17 00:20 CET (History)
5 users (show)

See Also:
Source RPM: lynx-2.8.8-1.rel2.6.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-12-05 23:21:03 CET
openSUSE has issued an advisory on December 2:
https://lists.opensuse.org/opensuse-updates/2017-12/msg00007.html

The SUSE bug has a link to the upstream commit that fixed the issue:
https://bugzilla.suse.com/show_bug.cgi?id=1068885

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-12-05 23:21:09 CET

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Marja Van Waes 2017-12-06 12:51:41 CET
Assigning to all packagers collectively, since there is no registered maintainer for lynx

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 Nicolas Salguero 2017-12-08 09:34:39 CET
Suggested advisory:
========================

The updated package fix a security vulnerability:

Lynx before 2.8.9dev.16 is vulnerable to a use after free in the HTML parser resulting in memory disclosure, because HTML_put_string() can append a chunk onto itself. (CVE-2017-1000211)

References:
https://lists.opensuse.org/opensuse-updates/2017-12/msg00007.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000211
========================

Updated packages in 5/core/updates_testing:
========================
lynx-2.8.8-1.rel2.3.2.mga5

from SRPMS:
lynx-2.8.8-1.rel2.3.2.mga5.src.rpm

Updated packages in 6/core/updates_testing:
========================
lynx-2.8.8-1.rel2.6.1.mga6

from SRPMS:
lynx-2.8.8-1.rel2.6.1.mga6.src.rpm

Source RPM: lynx-2.8.8-1.rel2.8.mga7.src.rpm => lynx-2.8.8-1.rel2.6.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6

Comment 3 Herman Viaene 2017-12-08 16:00:26 CET
MGA5-32 on Dell Latitude D600 Xfce
No installation issues.
Used lynx to view our own www.mageia.org, looks OK.

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene

Comment 4 Len Lawrence 2017-12-08 19:40:10 CET
Updated this on Mageia 5 :: x86_64

Pointed lynx at a few sites like Mageia Bugzilla, exoplanet.eu and APOD (https://apod.nasa.gov/apod/astropix.html).  "Clicking" on the introductory text launched an image viewer with today's picture.  Clicking in this case involved down-arrow to select the field then Return to "click".  / activates the text search option.  Responding with "shadow" highlighted that word wherever it occurred in the page.  Not sure how useful that is.

It works.

CC: (none) => tarazed25
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA5-64-OK

Comment 5 Len Lawrence 2017-12-09 17:27:34 CET
Installed on Mageia 6 :: x86_64

Terminal-based interface working smoothly.  Visited a few sites, traversed links, displayed images and PDFs and looked at files.  No problems except with Youtube videos - always "unavailable".

OK for 64 bits.
Len Lawrence 2017-12-09 17:27:51 CET

Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-64-OK

Lewis Smith 2017-12-16 09:15:02 CET

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2017-12-17 00:20:54 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0451.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.