Hello community, here is the log from the commit of package lynx checked in at Mon Nov 3 12:26:44 CET 2008. -------- --- lynx/lynx.changes 2007-07-04 20:09:05.000000000 +0200 +++ /mounts/work_src_done/STABLE/lynx/lynx.changes 2008-10-29 16:07:26.482027000 +0100 @@ -1,0 +2,6 @@ +Wed Oct 29 16:07:20 CET 2008 - kssingvo@suse.de + +- fix for lynxcgi command execution CVE-2008-4690 (bnc#439149) +- not affected: .mailcap and .mime.types files read, CVE-2006-7234 + +------------------------------------------------------------------- calling whatdependson for head-i586 New: ---- lynx-2.8.6-CVE_2008_4690.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ lynx.spec ++++++ --- /var/tmp/diff_new_pack.D18963/_old 2008-11-03 12:25:39.000000000 +0100 +++ /var/tmp/diff_new_pack.D18963/_new 2008-11-03 12:25:39.000000000 +0100 @@ -1,31 +1,40 @@ # # spec file for package lynx (Version 2.8.6) # -# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. -# This file and all modifications and additions to the pristine -# package are under the same license as the package itself. +# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + # Please submit bugfixes or comments via http://bugs.opensuse.org/ # # norootforbuild + Name: lynx BuildRequires: ncurses-devel openssl-devel postfix License: GPL v2 or later Group: Productivity/Networking/Web/Browsers Provides: lynxssl web_browser Obsoletes: lynxssl -Prereq: /bin/cp +PreReq: /bin/cp Requires: xli -Autoreqprov: on +AutoReqProv: on Version: 2.8.6 -Release: 24 -URL: http://lynx.isc.org +Release: 143 +Url: http://lynx.isc.org Summary: A Text-Based WWW Browser Source: http://lynx.isc.org/lynx2.8.6/lynx2.8.6.tar.bz2 # Source1: po.tar.bz2 Patch0: ftp://lynx.isc.org/lynx2.8.6/patches/2.8.6rel.5.patch.gz +Patch1: lynx-2.8.6-CVE_2008_4690.patch Patch100: lynx-2.8.5.dif Patch101: lynx-2.8.5-charset.patch Patch102: lynx-2.8.6-ipv6.patch @@ -168,6 +177,7 @@ %prep %setup -n lynx2-8-6 %patch0 -p1 +%patch1 -p1 %patch100 -p1 %patch101 -p0 %patch102 -p1 @@ -222,16 +232,19 @@ %doc lynx_help samples scripts %changelog -* Wed Jul 04 2007 - kssingvo@suse.de +* Wed Oct 29 2008 kssingvo@suse.de +- fix for lynxcgi command execution CVE-2008-4690 (bnc#439149) +- not affected: .mailcap and .mime.types files read, CVE-2006-7234 +* Wed Jul 04 2007 kssingvo@suse.de - added official patch from lynx.isc.org: * correct loop-limit in print_crawl_to_fd(), which broke "lynx -crawl -dump" from 2.8.6dev.9 changes -* Tue Apr 03 2007 - kssingvo@suse.de +* Tue Apr 03 2007 kssingvo@suse.de - upgrade to final version of 2.8.6 - removed patch with final changes -* Thu Mar 29 2007 - dmueller@suse.de +* Thu Mar 29 2007 dmueller@suse.de - add ncurses-devel BuildRequires -* Mon Nov 20 2006 - kssingvo@suse.de +* Mon Nov 20 2006 kssingvo@suse.de - added patch to have the 2.8.6 final version patches: * limit files set via PERSONAL_EXTENSION_MAP and PERSONAL_MAILCAP to be found relative to the user's home directory. @@ -240,26 +253,26 @@ * modify logic for reading PERSONAL_EXTENSION_MAP and PERSONAL_MAILCAP to ensure that they are files that are controlled only by the user. -* Tue Oct 31 2006 - kssingvo@suse.de +* Tue Oct 31 2006 kssingvo@suse.de - disabled color support for non-color lynx, enabled color support for lynx-color - added helpful directories to pkg documentation: samples, scripts -* Mon Oct 16 2006 - ssommer@suse.de +* Mon Oct 16 2006 ssommer@suse.de - updated to 2.8.6rel.2: Highligths: * broaden the conditions on which to reload the color-style info * documentation fixes -* Wed Oct 04 2006 - ssommer@suse.de +* Wed Oct 04 2006 ssommer@suse.de - updated to 2.8.6pre.5: Highlights: * buildsystem fixes * updated files from ftp.unicode.org -* Tue Sep 19 2006 - ssommer@suse.de +* Tue Sep 19 2006 ssommer@suse.de - updated to 2.8.6pre.4: Highlights: * add script samples/oldlynx, which gives the non-color-style scheme using an executable built for color-style * add DEFAULT_COLORS item to lynx.cfg to allow disabling the default colors feature at runtime, allowing better matching of old color scheme via a script -* Mon Sep 18 2006 - ssommer@suse.de +* Mon Sep 18 2006 ssommer@suse.de - updated to 2.8.6pre.3: Highlights from the Changelog: * add NESTED_TABLES setting to lynx.cfg to allow site override of the built-in default @@ -286,119 +299,119 @@ - removed obsolete patches and updated the remaining patches - config files are stored in sysconfdir not in libdir - added /etc/lynx.lss config file -* Wed May 17 2006 - schwab@suse.de +* Wed May 17 2006 schwab@suse.de - Don't strip binaries. -* Wed Jan 25 2006 - mls@suse.de +* Wed Jan 25 2006 mls@suse.de - converted neededforbuild to BuildRequires -* Wed Jan 11 2006 - kssingvo@suse.de +* Wed Jan 11 2006 kssingvo@suse.de - added three official patches - disabled (own) security patches, which are included now -* Mon Nov 14 2005 - kssingvo@suse.de +* Mon Nov 14 2005 kssingvo@suse.de - added fix for potential cgi_links hole (bugzilla#133645) -* Thu Oct 27 2005 - kssingvo@suse.de +* Thu Oct 27 2005 kssingvo@suse.de - 2nd fix for nntpserver buffer overflow (bugzilla#121926) -* Thu Oct 20 2005 - kssingvo@suse.de +* Thu Oct 20 2005 kssingvo@suse.de - fix for nntpserver buffer overflow CAN-2005-3120 (bugzilla#121926) -* Fri Oct 08 2004 - ke@suse.de +* Fri Oct 08 2004 ke@suse.de - Apply lynx-2.8.5-charset.patch: Set LOCALE_CHARSET:TRUE for detecting UTF-8 automatically [# 46898]. -* Thu Aug 12 2004 - kssingvo@suse.de +* Thu Aug 12 2004 kssingvo@suse.de - added official 2.8.5rel.2 patch -* Fri Jul 16 2004 - kssingvo@suse.de +* Fri Jul 16 2004 kssingvo@suse.de - linking against libncursesw to get umlauts in UTF-8 working (bugzilla#43086) -* Fri Mar 26 2004 - mmj@suse.de +* Fri Mar 26 2004 mmj@suse.de - Add postfix to # neededforbuild -* Thu Mar 04 2004 - kssingvo@suse.de +* Thu Mar 04 2004 kssingvo@suse.de - update to 2.8.5 - adapted local patches and enhancements -* Fri Jan 09 2004 - adrian@suse.de +* Fri Jan 09 2004 adrian@suse.de - use %%find_lang -* Tue Sep 02 2003 - kssingvo@suse.de +* Tue Sep 02 2003 kssingvo@suse.de - strange things in certain locale fix (bugzilla#29772) -* Thu May 15 2003 - coolo@suse.de +* Thu May 15 2003 coolo@suse.de - use BuildRoot -* Tue Feb 18 2003 - kssingvo@suse.de +* Tue Feb 18 2003 kssingvo@suse.de - fixed (hopefully) problem with IPv6 addresses (bugzilla #20744) -* Wed Dec 11 2002 - kssingvo@suse.de +* Wed Dec 11 2002 kssingvo@suse.de - added offical patches a-d -* Fri Sep 27 2002 - uli@suse.de +* Fri Sep 27 2002 uli@suse.de - ignore both unset and empty *_proxy variables (bug #20262) -* Thu Aug 22 2002 - uli@suse.de +* Thu Aug 22 2002 uli@suse.de - moved config file from /usr/lib to /etc (bug #18179) -* Sun Jun 09 2002 - olh@suse.de +* Sun Jun 09 2002 olh@suse.de - use suse_update_config for ppc64 -* Mon May 27 2002 - uli@suse.de +* Mon May 27 2002 uli@suse.de - assume local .php* files to be text/html (bug #15907) -* Mon Mar 18 2002 - uli@suse.de +* Mon Mar 18 2002 uli@suse.de - backed out the aforementioned fix as it breaks important sites (e.g. freshmeat, slashdot; fixes bug #15065) -* Tue Feb 19 2002 - uli@suse.de +* Tue Feb 19 2002 uli@suse.de - disabled default compressed handlers (fixes bug #13304) -* Mon Sep 17 2001 - uli@suse.de +* Mon Sep 17 2001 uli@suse.de - enabled use of default colors (was disabled all the time, but it seems the disabling didn't work before 2.8.4) -* Thu Aug 16 2001 - uli@suse.de +* Thu Aug 16 2001 uli@suse.de - update -> 2.8.4 rel. 1 - enabled IPv6 (Bug #8655) -* Fri Jul 27 2001 - ke@suse.de +* Fri Jul 27 2001 ke@suse.de - update message files from http://www.iro.umontreal.ca/contrib/po/maint/lynx/ ; packed as po.tar.bz2. Fix [#8662]. -* Wed Jun 27 2001 - uli@suse.de +* Wed Jun 27 2001 uli@suse.de - update -> 2.8.3 final - enabled NLS -* Tue May 08 2001 - mfabian@suse.de +* Tue May 08 2001 mfabian@suse.de - bzip2 sources -* Thu Jan 04 2001 - uli@suse.de +* Thu Jan 04 2001 uli@suse.de - changed lynxssl -> lynx in some paths -* Tue Dec 19 2000 - lmuelle@suse.de +* Tue Dec 19 2000 lmuelle@suse.de - remove unnecessary Provides: lynx2 -* Mon Dec 18 2000 - uli@suse.de +* Mon Dec 18 2000 uli@suse.de - "lynxssl" becomes "lynx" (non-SSL version will be dropped) -* Mon Nov 27 2000 - uli@suse.de +* Mon Nov 27 2000 uli@suse.de - fixed neededforbuild - uses passive FTP by default (req. by Andi Kleen) -* Wed Sep 27 2000 - uli@suse.de +* Wed Sep 27 2000 uli@suse.de - new package with SSL support -* Fri Aug 18 2000 - uli@suse.de +* Fri Aug 18 2000 uli@suse.de - fixed location of help file in lynx.cfg -* Fri Jun 02 2000 - kukuk@suse.de +* Fri Jun 02 2000 kukuk@suse.de - Use doc macro -* Wed Mar 01 2000 - schwab@suse.de +* Wed Mar 01 2000 schwab@suse.de - Add group tag. - /usr/man -> /usr/share/man -* Mon Sep 20 1999 - ro@suse.de +* Mon Sep 20 1999 ro@suse.de - added Provides web_browser -* Wed Sep 15 1999 - uli@suse.de +* Wed Sep 15 1999 uli@suse.de - update -> 2.8.3dev9 - scrapped Makefile.Linux - added RPM_OPT_FLAGS to CFLAGS -* Mon Sep 13 1999 - bs@suse.de +* Mon Sep 13 1999 bs@suse.de - ran old prepare_spec on spec file to switch to new prepare_spec. -* Mon Jul 27 1998 - florian@suse.de +* Tue Jul 28 1998 florian@suse.de - add /usr/bin/lynx-color again, as there is no global configuration possibility -* Thu Jul 16 1998 - florian@suse.de +* Thu Jul 16 1998 florian@suse.de - update to version 2.8 - no need to have an extra ncurses-color anymore as the ncurses-version has now also color support: "lynx -color" -* Wed Mar 04 1998 - florian@suse.de +* Wed Mar 04 1998 florian@suse.de - update to version 2.7.2 -* Fri Oct 17 1997 - ro@suse.de +* Fri Oct 17 1997 ro@suse.de - ready for autobuild -* Tue Jul 29 1997 - florian@suse.de +* Tue Jul 29 1997 florian@suse.de - add security-fix for lynx 2.7.1 - also include a "lynx-color" that is build with slang instead of ncurses future lynx-ncurses will also have color-support, but a separate lynx-color should be ok right now -* Mon Jun 02 1997 - florian@suse.de +* Mon Jun 02 1997 florian@suse.de - update to version 2-7-1 -* Sun Apr 13 1997 - florian@suse.de +* Mon Apr 14 1997 florian@suse.de - update to new version 2.7 -* Thu Jan 02 1997 - florian@suse.de +* Thu Jan 02 1997 florian@suse.de - Update auf Version 2-6. - Beim Aufruf des eingebauten Hilfesystems werden lokale Dateien aufgerufen und nicht die Internet-Version benuetzt. -* Thu Jan 02 1997 - florian@suse.de +* Thu Jan 02 1997 florian@suse.de - Update auf neue Version 2-6. /usr/etc/mailcap sollte nun in aaa_base sein. ++++++ lynx-2.8.6-CVE_2008_4690.patch ++++++ --- lynx2-8-5.orig/src/LYCgi.c 2008-10-26 10:40:43.000000000 +0100 +++ lynx2-8-5/src/LYCgi.c 2008-10-26 10:42:46.000000000 +0100 @@ -156,7 +156,7 @@ static BOOL can_exec_cgi(const char *lin if (!exec_ok(HTLoadedDocumentURL(), linktext, CGI_PATH)) { /* exec_ok gives out msg. */ result = FALSE; - } else if (user_mode < ADVANCED_MODE) { + } else { StrAllocCopy(command, linktext); if (non_empty(linkargs)) { HTSprintf(&command, " %s", linkargs); ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
participants (1)
-
root@Hilbert.suse.de