Debian Bug report logs - #296340
malformed html causes memory exhaustion DOS


Package: lynx; Maintainer for lynx is Atsuhito KOHDA <kohda@debian.org>; Source for lynx is src:lynx-cur.

Reported by: Joey Hess <joeyh@debian.org>

Date: Mon, 21 Feb 2005 21:18:01 UTC

Severity: important

Tags: fixed-upstream, security

Found in versions 2.8.5-2, lynx/2.8.5-2sarge1

Fixed in version 2.8.5-2sarge2.2

Done: Joey Hess <joeyh@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#296340; Package lynx.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
New Bug report received and forwarded. Copy sent to James Troup <james@nocrew.org>.

Message #5 received at submit@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: malformed html causes memory exhaustion DOS
Date: Mon, 21 Feb 2005 16:01:04 -0500
Package: lynx
Version: 2.8.5-2
Severity: normal
Tags: security

The following page, if viewed in lynx, causes it to run out of memory:
http://lcamtuf.coredump.cx/mangleme/gallery/lynx_die1.html

This is CAN-2004-1617:
 
 Lynx allows remote attackers to cause a denial of service (infinite loop) via a
 web page or HTML email that contains invalid HTML including (1) a TEXTAREA tag
 with a large COLS value and (2) a large tag name in an element that is not
 terminated, as demonstrated by mangleme.

Details: 
http://marc.theaimsgroup.com/?l=bugtraq&m=109811406620511&w=2
http://xforce.iss.net/xforce/xfdb/17804

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-2-686-smp
Locale: LANG=, LC_CTYPE= (charmap=ANSI_X3.4-1968)

Versions of packages lynx depends on:
ii  libbz2-1.0                  1.0.2-5      high-quality block-sorting file co
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libgnutls11                 1.0.16-13    GNU TLS library - runtime library
ii  libncursesw5                5.4-4        Shared libraries for terminal hand
ii  zlib1g                      1:1.2.2-4    compression library - runtime

-- no debconf information

-- 
see shy jo



Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#296340; Package lynx.

Acknowledgement sent to dickey@his.com:
Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>.

Message #10 received at 296340@bugs.debian.org:

From: Thomas Dickey <dickey@his.com>
To: 296340@bugs.debian.org
Subject: re: #296340 malformed html causes memory exhaustion DOS
Date: Sun, 11 Dec 2005 18:08:14 -0500
[Message part 1 (text/plain, inline)]
This was fixed in lynx 2.8.6dev.6

The cited webpage does not give the correct reason for the problem, btw.

-- 
Thomas E. Dickey <dickey@invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net
[signature.asc (application/pgp-signature, inline)]

Tags added: fixed-upstream. Request was from Thomas Dickey <dickey@his.com> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, James Troup <james@nocrew.org>:
Bug#296340; Package lynx.

Acknowledgement sent to Alec Berryman <alec@thened.net>:
Extra info received and forwarded to list. Copy sent to security@debian.org, James Troup <james@nocrew.org>.

Message #17 received at 296340@bugs.debian.org:

From: Alec Berryman <alec@thened.net>
To: Debian Bug Tracking System <296340@bugs.debian.org>
Subject: lynx: patch to fix CVE-2004-1617
Date: Fri, 12 May 2006 15:42:27 +0100
[Message part 1 (text/plain, inline)]
Package: lynx
Version: 2.8.5-2sarge1
Followup-For: Bug #296340

Attached is a patch from OpenBSD to fix CVE-2004-1617.  It has been
reformatted as a dpatch.  After applying the patch and rebuilding, pages
like http://lcamtuf.coredump.cx/mangleme/gallery/lynx_die1.html no
longer cause lynx to exhaust memory and crash.

Patch obtained from:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/004_lynx.patch

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.16-alec-laptop
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages lynx depends on:
ii  libbz2-1.0                  1.0.3-2      high-quality block-sorting file co
ii  libc6                       2.3.6-7      GNU C Library: Shared libraries
ii  libgnutls11                 1.0.16-14+b1 GNU TLS library - runtime library
ii  libncursesw5                5.5-2        Shared libraries for terminal hand
ii  zlib1g                      1:1.2.3-11   compression library - runtime

Versions of packages lynx recommends:
ii  mime-support                  3.36-1     MIME files 'mime.types' & 'mailcap

-- no debconf information
[04_CVE-2004-1617.dpatch (application/x-shellscript, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#296340; Package lynx.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>.

Message #22 received at 296340@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Alec Berryman <alec@thened.net>
Cc: Debian Bug Tracking System <296340@bugs.debian.org>
Subject: Re: Bug#296340: lynx: patch to fix CVE-2004-1617
Date: Sat, 13 May 2006 08:49:57 +0200
Alec Berryman wrote:
> Package: lynx
> Version: 2.8.5-2sarge1
> Followup-For: Bug #296340
> 
> Attached is a patch from OpenBSD to fix CVE-2004-1617.  It has been
> reformatted as a dpatch.  After applying the patch and rebuilding, pages
> like http://lcamtuf.coredump.cx/mangleme/gallery/lynx_die1.html no
> longer cause lynx to exhaust memory and crash.
> 
> Patch obtained from:
> ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/004_lynx.patch

Thanks a lot.  I can confirm that the patch works and looks good.
Will put the three packages into the buildd network.

Regards,

	Joey

-- 
Linux - the choice of a GNU generation.

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#296340; Package lynx.

Acknowledgement sent to Thomas Dickey <dickey@radix.net>:
Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>.

Message #27 received at 296340@bugs.debian.org:

From: Thomas Dickey <dickey@radix.net>
To: Martin Schulze <joey@infodrom.org>, 296340@bugs.debian.org
Subject: Re: Bug#296340: lynx: patch to fix CVE-2004-1617
Date: Sat, 13 May 2006 09:57:34 -0400
[Message part 1 (text/plain, inline)]
On Sat, May 13, 2006 at 09:20:08AM +0200, Martin Schulze wrote:
> Alec Berryman wrote:
> > Package: lynx
> > Version: 2.8.5-2sarge1
> > Followup-For: Bug #296340
> > 
> > Attached is a patch from OpenBSD to fix CVE-2004-1617.  It has been

hmm - no.  It's not from OpenBSD.

> > reformatted as a dpatch.  After applying the patch and rebuilding, pages
> > like http://lcamtuf.coredump.cx/mangleme/gallery/lynx_die1.html no
> > longer cause lynx to exhaust memory and crash.
> > 
> > Patch obtained from:
> > ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/004_lynx.patch
> 
> Thanks a lot.  I can confirm that the patch works and looks good.
> Will put the three packages into the buildd network.

That's a piece of my patch for lynx 2.8.6dev.8, which one can see here:

http://lynx.isc.org/current/index.html

Here's the proper cite for it:

2004-11-07 (2.8.6dev.8)
* limit TEXTAREA columns to the screen width, and rows to 3 times the screen
  height (report by FLWM) -TD

-- 
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#296340; Package lynx.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>.

Message #32 received at 296340@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Thomas Dickey <dickey@radix.net>
Cc: 296340@bugs.debian.org
Subject: Re: Bug#296340: lynx: patch to fix CVE-2004-1617
Date: Sat, 13 May 2006 16:14:27 +0200
Thomas Dickey wrote:
> > > reformatted as a dpatch.  After applying the patch and rebuilding, pages
> > > like http://lcamtuf.coredump.cx/mangleme/gallery/lynx_die1.html no
> > > longer cause lynx to exhaust memory and crash.
> > > 
> > > Patch obtained from:
> > > ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/004_lynx.patch
> > 
> > Thanks a lot.  I can confirm that the patch works and looks good.
> > Will put the three packages into the buildd network.
> 
> That's a piece of my patch for lynx 2.8.6dev.8, which one can see here:

Oh.  I see.  I'm sorry for the wrong credits.

Regards,

	Joey

-- 
Linux - the choice of a GNU generation.

Please always Cc to me when replying to me on the lists.



Message sent on to Joey Hess <joeyh@debian.org>:
Bug#296340.

Message #35 received at 296340-submitter@bugs.debian.org:

From: Thomas Dickey <dickey@his.com>
To: 296340-submitter@bugs.debian.org
Subject: re: #296340 malformed html causes memory exhaustion DOS
Date: Mon, 29 May 2006 20:15:58 -0400
[Message part 1 (text/plain, inline)]
still no.

The credits on the advisory are inaccurate.  Quoting from Zalewski's
original mail:
>
>  * lynx_die1.html
>
>    Lynx loops forever trying to render broken HTML.

and your advisory states:

    Michal Zalewski discovered that lynx, the popular text-mode WWW
    Browser, is not able to grok invalid HTML including a TEXTAREA tag
    with a large COLS value and a large tag name in an element that is not
    terminated, and loops forever trying to render the broken HTML. The
    same code is present in lynx-ssl.

Lynx was unaffected by the _broken_ html.  It did not guard against the large
COLS value.  Zalewski did no analysis, but wrote something that sounded nice(*).
So most of your description is inaccurate (everything after the first line).

regards

(*) hmm - not "nice", but typical for BugTraq

-- 
Thomas E. Dickey <dickey@invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net
[signature.asc (application/pgp-signature, inline)]
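The guard that both of Dickey's messages describe (the 2.8.6dev.8 changelog entry "limit TEXTAREA columns to the screen width, and rows to 3 times the screen height", and the root cause "it did not guard against the large COLS value") as an added example in C. This is not lynx's own code and not the dpatch attached above: it parses COLS/ROWS from a constructed TEXTAREA tag, clamps them to an assumed screen geometry (SCREEN_COLS and SCREEN_ROWS are placeholders; lynx reads the real values from curses), and sizes the buffer only from the clamped values, so an attribute in the page cannot drive the allocation.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Assumed screen geometry for this example; lynx reads the real values
 * from curses at runtime. */
#define SCREEN_COLS 80
#define SCREEN_ROWS 24

/* Clamp COLS to the screen width and ROWS to three times the screen
 * height, the limits the 2.8.6dev.8 changelog entry describes. Missing or
 * non-positive values fall back to 1 rather than 0 so the buffer is never
 * empty. */
long clamp_textarea_cols(long cols) {
    if (cols <= 0) return 1;
    return cols > SCREEN_COLS ? SCREEN_COLS : cols;
}

long clamp_textarea_rows(long rows) {
    long limit = 3L * SCREEN_ROWS;
    if (rows <= 0) return 1;
    return rows > limit ? limit : rows;
}

/* Find a numeric attribute (e.g. COLS) in a tag, case-insensitively, and
 * return its value; 0 if absent or not numeric. strtol saturates at
 * LONG_MAX on an overlong digit string instead of wrapping, so a huge
 * attribute still lands above the clamp, never below it. */
long attr_value(const char *tag, const char *name) {
    size_t n = strlen(name);
    for (const char *p = tag; *p != '\0'; p++) {
        int at_word_start = (p == tag) || isspace((unsigned char)p[-1]);
        if (at_word_start && strncasecmp(p, name, n) == 0 && p[n] == '=') {
            const char *v = p + n + 1;
            if (*v == '"') v++;
            if (!isdigit((unsigned char)*v)) return 0;
            return strtol(v, NULL, 10);
        }
    }
    return 0;
}

/* Size the textarea's character buffer from the clamped dimensions. The
 * overflow check cannot fire once both values are clamped; it documents
 * the invariant that no attribute value controls the allocation size. */
size_t textarea_buffer_size(long cols, long rows) {
    size_t c = (size_t)clamp_textarea_cols(cols);
    size_t r = (size_t)clamp_textarea_rows(rows);
    if (r > SIZE_MAX / c) return 0;
    return c * r;
}

size_t textarea_size_from_tag(const char *tag) {
    return textarea_buffer_size(attr_value(tag, "COLS"), attr_value(tag, "ROWS"));
}

int main(void) {
    /* Constructed sample tags, not taken from lynx_die1.html. */
    const char *tags[] = {
        "<TEXTAREA COLS=40 ROWS=5>",
        "<textarea cols=\"999999999\" rows=\"10\">",
        "<TEXTAREA COLS=99999999999999999999999 ROWS=99999999999999999999999>",
        "<TEXTAREA>",
    };
    for (size_t i = 0; i < sizeof tags / sizeof tags[0]; i++)
        printf("%-70s -> %zu bytes\n", tags[i], textarea_size_from_tag(tags[i]));
    return 0;
}
```

The point of the clamp is that the buffer size is bounded by the terminal, not by the document: with an 80x24 screen no tag can request more than 80 * 72 cells, whatever COLS and ROWS say, which is exactly the property the unpatched 2.8.5 lacked.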

Severity set to `serious' from `normal'. Request was from Alec Berryman <alec@thened.net> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#296340; Package lynx.

Acknowledgement sent to Alec Berryman <alec@thened.net>:
Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>.

Message #42 received at 296340@bugs.debian.org:

From: Alec Berryman <alec@thened.net>
To: 296340@bugs.debian.org
Subject: lynx: severity raise rationale
Date: Thu, 17 Aug 2006 11:35:43 -0400
[Message part 1 (text/plain, inline)]
My rationale wasn't included with the severity increase (used bts but
didn't escape the comment):

If this was serious enough to issue a DSA for woody/sarge, it will
again be serious enough to issue a DSA for etch; this vulnerability
should be taken care of before the release.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#296340; Package lynx.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>.

Message #47 received at 296340@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Alec Berryman <alec@thened.net>, 296340@bugs.debian.org
Subject: Re: Bug#296340: lynx: severity raise rationale
Date: Thu, 17 Aug 2006 12:58:49 -0700
severity 296340 important
thanks

On Thu, Aug 17, 2006 at 11:35:43AM -0400, Alec Berryman wrote:
> My rationale wasn't included with the severity increase (used bts but
> didn't escape the comment):

> If this was serious enough to issue a DSA for woody/sarge, it will
> again be serious enough to issue a DSA for etch; this vulnerability
> should be taken care of before the release.

I don't find this to be a very compelling rationale for making this a
release-critical issue.  In particular, the maintainer should *not* be
expected to take any further action here, since the latest DSA is supposed
to propagate automatically to testing and unstable from proposed-updates. 
And "serious enough" here was still only a DoS, which shouldn't block a
package from inclusion in stable AFAICS.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Severity set to `important' from `serious'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Bug marked as fixed in version 2.8.5-2sarge2.2, send any further explanations to Joey Hess <joeyh@debian.org>. Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 07:49:43 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 02:39:55 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.