Bug 29342 - lynx new security issue CVE-2021-38165
Summary: lynx new security issue CVE-2021-38165
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2021-08-07 20:41 CEST by David Walser
Modified: 2021-09-13 02:06 CEST

See Also:
Source RPM: lynx-2.8.9-0.rel1.1.mga9.src.rpm
CVE: CVE-2021-38165
Status comment:



Description David Walser 2021-08-07 20:41:30 CEST
A CVE has been issued for a security issue in lynx discussed in this thread:
https://www.openwall.com/lists/oss-security/2021/08/07/9

Mageia 8 is also affected.
David Walser 2021-08-07 20:41:40 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2021-08-08 19:26:52 CEST
This homeless SRPM has been committed by different people, so assigning this bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2021-08-08 19:37:35 CEST
From reading the rest of the thread, it appears to be fixed in 2.9.0dev.9.

Status comment: (none) => Fixed upstream in 2.9.0dev.9

Comment 3 David Walser 2021-08-10 15:57:06 CEST
Debian has issued an advisory for this today (August 10):
https://www.debian.org/security/2021/dsa-4953

Comment 4 Nicolas Salguero 2021-08-30 15:11:55 CEST
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because they may appear in SNI data. (CVE-2021-38165)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38165
https://www.openwall.com/lists/oss-security/2021/08/07/9
https://www.debian.org/security/2021/dsa-4953
========================

Updated packages in core/updates_testing:
========================
lynx-2.8.9-0.dev17.4.1.mga8

from SRPM:
lynx-2.8.9-0.dev17.4.1.mga8.src.rpm

CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 2.9.0dev.9 => (none)
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2021-38165
Version: Cauldron => 8
Status: NEW => ASSIGNED

Comment 5 David Walser 2021-09-08 22:49:19 CEST
Fedora has issued an advisory for this today (September 8):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VKNK7GQBJBUBMJVNKVC7RTCYWUYMFJQW/

Severity: normal => major

Comment 6 Len Lawrence 2021-09-10 22:07:06 CEST
mga8, x64

CVE-2021-38165
No idea how to go about testing this but invented a URL to expose the fault.
$ lynx https://<user>:<password>@mageia.org
Looking up mageia.org
Making HTTPS connection to mageia.org
SSL callback:self signed certificate, preverify_ok=0, ssl_okay=0
SSL callback:self signed certificate, preverify_ok=1, ssl_okay=1
lynx: Can't access startfile https://<user>:<password>@mageia.org/

User credentials in clear text.

After update:
Ran the dummy command.  No sign of the user password in the terminal.  "URL is not absolute".
User screen appeared showing  "Home of the Mageia project (p1 of 2)".  Much of the page was in Afrikaans (presumably the first one in the language list).  Read the Mageia Blog, logged in and logged out then quit.
$ lynx https://exoplanet.eu/
That hung.
$ https://apod.nasa.gov/apod/astropix.html
The APOD page came up immediately.  Followed a link in the text to another page, browsed that then back to the main page.  Activated the Archive link and displayed an earlier APOD page.

Invoked Help and then Keystroke commands.  Tried a few on the help document then M to return to the main screen.  Used d on the main picture to download it and rename it.  That seemed to succeed but could not find it in Downloads.  Exited and found the download in the current directory.

The basic operations all work so this can go.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 7 Thomas Andrews 2021-09-13 02:06:09 CEST
Validating Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

