Debian Bug report logs - #396949
lynx: uses .mime.types and .mailcap from the current directory (arbitrary shell code execution)
Reported by: "Piotr Engelking" <inkerman42@gmail.com>
Date: Fri, 3 Nov 2006 21:33:16 UTC
Severity: grave
Tags: security
Found in version lynx-cur/2.8.7dev1-1
Fixed in version lynx-cur/2.8.7dev4-1
Done: Atsuhito KOHDA <kohda@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Atsuhito KOHDA <kohda@debian.org>:
Bug#396949; Package lynx-cur.
Acknowledgement sent to "Piotr Engelking" <inkerman42@gmail.com>:
New Bug report received and forwarded. Copy sent to Atsuhito KOHDA <kohda@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: lynx-cur
Version: 2.8.7dev1-1
Severity: grave
Tags: security
Justification: user security hole
Lynx attempts to use the .mime.types and .mailcap files located in the
current directory:
$ strace lynx -dump 2>&1 | grep '^open("[^/]'
open(".mailcap", O_RDONLY) = -1 ENOENT (No such file or directory)
open(".mime.types", O_RDONLY) = -1 ENOENT (No such file or directory)
$
This allows an attacker to cause lynx to execute arbitrary shell code when a
user runs lynx while visiting a directory with attacker-provided contents.
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (x86_64)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.18
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Versions of packages lynx-cur depends on:
ii debconf [debconf-2.0] 1.5.8 Debian configuration management sy
ii libc6 2.3.6.ds1-4 GNU C Library: Shared libraries
ii libgnutls13 1.4.4-1 the GNU TLS library - runtime libr
ii libncursesw5 5.5-5 Shared libraries for terminal hand
ii zlib1g 1:1.2.3-13 compression library - runtime
Versions of packages lynx-cur recommends:
ii mime-support 3.37-1 MIME files 'mime.types' & 'mailcap
-- debconf information:
* lynx-cur/defaulturl: http://www.google.pl/
lynx-cur/etc_lynx.cfg:
Information forwarded to debian-bugs-dist@lists.debian.org, Atsuhito KOHDA <kohda@debian.org>:
Bug#396949; Package lynx-cur.
Acknowledgement sent to Ted Percival <ted@midg3t.net>:
Extra info received and forwarded to list. Copy sent to Atsuhito KOHDA <kohda@debian.org>.
Message #12 received at 396949@bugs.debian.org:
[Message part 1 (text/plain, inline)]
tags 396964 patch
stop
Here's a possible patch to stop lynx opening .mailcap and .mime.types
files in its current directory.
--
tp
[lynx-396964.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, attachment)]
Message sent on to "Piotr Engelking" <inkerman42@gmail.com>:
Bug#396949.
Message #15 received at 396949-submitter@bugs.debian.org:
[Message part 1 (text/plain, inline)]
> This allows an attacker to cause lynx to execute arbitrary shell code when a
> user runs lynx while visiting a directory with attacker-provided contents.
That's inaccurate: the mime files are read at startup, not "while visiting a
directory". Reading it from the user's starting directory is, as pointed out,
not good, but not in the same realm as indicated in the report.
--
Thomas E. Dickey <dickey@invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net
[signature.asc (application/pgp-signature, inline)]
Reply sent to Atsuhito KOHDA <kohda@debian.org>:
You have taken responsibility.
Notification sent to "Piotr Engelking" <inkerman42@gmail.com>:
Bug acknowledged by developer.
Message #20 received at 396949-close@bugs.debian.org:
Source: lynx-cur
Source-Version: 2.8.7dev2-1
We believe that the bug you reported is fixed in the latest version of
lynx-cur, which is due to be installed in the Debian FTP archive:
lynx-cur-wrapper_2.8.7dev2-1_all.deb
to pool/main/l/lynx-cur/lynx-cur-wrapper_2.8.7dev2-1_all.deb
lynx-cur_2.8.7dev2-1.diff.gz
to pool/main/l/lynx-cur/lynx-cur_2.8.7dev2-1.diff.gz
lynx-cur_2.8.7dev2-1.dsc
to pool/main/l/lynx-cur/lynx-cur_2.8.7dev2-1.dsc
lynx-cur_2.8.7dev2-1_i386.deb
to pool/main/l/lynx-cur/lynx-cur_2.8.7dev2-1_i386.deb
lynx-cur_2.8.7dev2.orig.tar.gz
to pool/main/l/lynx-cur/lynx-cur_2.8.7dev2.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 396949@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Atsuhito KOHDA <kohda@debian.org> (supplier of updated lynx-cur package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 7 Nov 2006 14:11:36 +0900
Source: lynx-cur
Binary: lynx-cur-wrapper lynx-cur
Architecture: source i386 all
Version: 2.8.7dev2-1
Distribution: unstable
Urgency: low
Maintainer: Atsuhito KOHDA <kohda@debian.org>
Changed-By: Atsuhito KOHDA <kohda@debian.org>
Description:
lynx-cur - Text-mode WWW Browser with NLS support (development version)
lynx-cur-wrapper - Wrapper for lynx-cur
Closes: 396949
Changes:
lynx-cur (2.8.7dev2-1) unstable; urgency=low
.
* New Upstream Release.
- modify logic for reading PERSONAL_EXTENSION_MAP and PERSONAL_MAILCAP to
ensure that they are files that are controlled only by the user. The
default values for these allow lynx to read configuration information
from the user's current directory at lynx's startup (Closes: #396949)
* Modified makefile.in slightly in order not to scare people.
Files:
362f3e2c70b6f21be9fb3bb5aa4dd4b7 672 web extra lynx-cur_2.8.7dev2-1.dsc
e6aa5e07ce84ff56557bfcda48661274 3188009 web extra lynx-cur_2.8.7dev2.orig.tar.gz
5dd2acfba248121d16b5ba481aa78025 24674 web extra lynx-cur_2.8.7dev2-1.diff.gz
4f65fdc4c7ff1f4ff905aecbbcf22135 14550 web extra lynx-cur-wrapper_2.8.7dev2-1_all.deb
addffe213669b44b3ab31f6ce9e3065b 1964948 web extra lynx-cur_2.8.7dev2-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFFUB7n1IXdL1v6kOwRAngUAJsGxU+XDSMb/ZEHtIxb6kPUrTIdRwCeJy8D
CkQrLtvhL0OqPp4K1zgQYVw=
=fTFe
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Atsuhito KOHDA <kohda@debian.org>:
Bug#396949; Package lynx-cur.
Acknowledgement sent to "Piotr Engelking" <inkerman42@gmail.com>:
Extra info received and forwarded to list. Copy sent to Atsuhito KOHDA <kohda@debian.org>.
Message #25 received at 396949@bugs.debian.org:
reopen 396949
thanks
Version 2.8.7dev2 attempts to fix the bug by checking if the user owns
the .mime.types and .mailcap files before opening them. The assumption
that the user trusts the files he owns is, however, flawed. Consider, for
example:
* files downloaded by the user
* files unpacked by the user from an archive
* files on a filesystem mounted by the user
Bug reopened, originator not changed.
Request was from "Piotr Engelking" <inkerman42@gmail.com> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Atsuhito KOHDA <kohda@debian.org>:
Bug#396949; Package lynx-cur.
Acknowledgement sent to Thomas Dickey <dickey@his.com>:
Extra info received and forwarded to list. Copy sent to Atsuhito KOHDA <kohda@debian.org>.
Message #32 received at 396949@bugs.debian.org:
On Tue, 7 Nov 2006, Piotr Engelking wrote:
> reopen 396949
> thanks
>
> Version 2.8.7dev2 attempts to fix the bug by checking if the user owns
> the .mime.types and .mailcap files before opening them. The assumption
> that the user trusts the files he owns is, however, flawed. Consider, for
> example:
>
> * files downloaded by the user
> * files unpacked by the user from an archive
> * files on a filesystem mounted by the user
...none of which would be executed by the user unknowingly (and could
equally be confused with his home directory), and furthermore, the comment
does not address my point that the files are read once at startup.
--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net
Information forwarded to debian-bugs-dist@lists.debian.org, Atsuhito KOHDA <kohda@debian.org>:
Bug#396949; Package lynx-cur.
Acknowledgement sent to Thomas Dickey <dickey@his.com>:
Extra info received and forwarded to list. Copy sent to Atsuhito KOHDA <kohda@debian.org>.
Message #37 received at 396949@bugs.debian.org:
The secondary issue of files which the user trusts, but may not want to be
executed can be addressed by changing the customized lynx.cfg to use
"~/.mailcap" and "~/.mime.types", etc., to ensure that the default
configuration uses files from the user's home directory.
The response that I just read will still not be addressed, since it's
still possible to make a case where the user downloads into his home
directory. But the given examples were absurd, so perhaps we can
disregard them.
--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net
Information forwarded to debian-bugs-dist@lists.debian.org, Atsuhito KOHDA <kohda@debian.org>:
Bug#396949; Package lynx-cur.
Acknowledgement sent to "Steinar H. Gunderson" <sgunderson@bigfoot.com>:
Extra info received and forwarded to list. Copy sent to Atsuhito KOHDA <kohda@debian.org>.
Message #42 received at 396949@bugs.debian.org:
On Mon, Nov 06, 2006 at 10:02:13PM -0800, Atsuhito KOHDA wrote:
> * New Upstream Release.
> - modify logic for reading PERSONAL_EXTENSION_MAP and PERSONAL_MAILCAP to
> ensure that they are files that are controlled only by the user. The
> default values for these allow lynx to read configuration information
> from the user's current directory at lynx's startup (Closes: #396949)
Unfortunately, the patch is flawed; the logic is basically:
1. Stat the file.
2. If not owned by the user, abort.
3. Read the file.
There's nothing that says the status can't change between 1 and 3, so we have
a race condition; IOW, the bug is still there, only slightly harder to
exploit.
Actually, the upstream CHANGES file also claims this release checks
that the paths for PERSONAL_EXTENSION_MAP and PERSONAL_MAILCAP are absolute,
but this appears to be a typo; from the diff it is clear that what's checked
are the _global_ type and extension maps.
/* Steinar */
--
Homepage: http://www.sesse.net/
Information forwarded to debian-bugs-dist@lists.debian.org, Atsuhito KOHDA <kohda@debian.org>:
Bug#396949; Package lynx-cur.
Acknowledgement sent to Thomas Dickey <dickey@radix.net>:
Extra info received and forwarded to list. Copy sent to Atsuhito KOHDA <kohda@debian.org>.
Message #47 received at 396949@bugs.debian.org:
[Message part 1 (text/plain, inline)]
On Tue, Nov 14, 2006 at 01:20:13AM +0100, Steinar H. Gunderson wrote:
> On Mon, Nov 06, 2006 at 10:02:13PM -0800, Atsuhito KOHDA wrote:
> > * New Upstream Release.
> > - modify logic for reading PERSONAL_EXTENSION_MAP and PERSONAL_MAILCAP to
> > ensure that they are files that are controlled only by the user. The
> > default values for these allow lynx to read configuration information
> > from the user's current directory at lynx's startup (Closes: #396949)
>
> Unfortunately, the patch is flawed; the logic is basically:
>
> 1. Stat the file.
> 2. If not owned by the user, abort.
> 3. Read the file.
It's somewhat more than that. The point of adding the check was to ensure
that files in the user's home directory (the ultimate goal, for dev.3/dev.4)
are not world-writable.
> There's nothing that says the status can't change between 1 and 3, so we have
> a race condition; IOW, the bug is still there, only slightly harder to
> exploit.
dev.4 is current (from yesterday). Let's focus on the current code, not
the first step that I took.
> Actually, the upstream CHANGES file also claims this release checks
> that the paths for PERSONAL_EXTENSION_MAP and PERSONAL_MAILCAP are absolute,
> but this appears to be a typo; from the diff it is clear that what's checked
> are the _global_ type and extension maps.
yes - that's a cut/paste error that I fixed in the dev.3 patch.
bye
--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net
[Message part 2 (application/pgp-signature, inline)]
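The race Steinar describes in message #42 (stat the file, test the owner, then open and read it) and the goal Thomas states above for dev.3/dev.4 (files in the home directory must not be world-writable) are both handled by opening the file first and inspecting the descriptor that will actually be read. The C program below is an added example written for this bug log; it is not lynx's own code, nor the upstream dev.2/dev.3/dev.4 change or the Debian patch. The policy it enforces (absolute path, regular file, no symlink, owned by the caller, not group- or world-writable) and the names open_trusted_config, check_config, make_fixture and run_fixture_checks are assumptions for illustration.

```c
/*
 * Added example, not lynx code: open a per-user configuration file such as
 * ~/.mailcap without the stat-then-open race.  The ownership and mode checks
 * run on the already-open descriptor via fstat(), so the object that was
 * inspected is the object that gets read.  Policy is an assumption here.
 */
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum cfg_status {
    CFG_OK = 0,
    CFG_ERR_RELATIVE,    /* path is not absolute: no current-directory lookup */
    CFG_ERR_OPEN,        /* open() failed (missing, symlink refused by O_NOFOLLOW, ...) */
    CFG_ERR_NOT_REGULAR, /* directory, FIFO, device: not a regular file */
    CFG_ERR_OWNER,       /* not owned by the calling user */
    CFG_ERR_MODE         /* group- or world-writable */
};

/* Returns a read-only fd on success, or -1 with *status set to the reason. */
int open_trusted_config(const char *path, enum cfg_status *status)
{
    if (path == NULL || path[0] != '/') { *status = CFG_ERR_RELATIVE; return -1; }

    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) { *status = CFG_ERR_OPEN; return -1; }

    struct stat st;                       /* fstat: no window between check and read */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd); *status = CFG_ERR_NOT_REGULAR; return -1;
    }
    if (st.st_uid != getuid()) { close(fd); *status = CFG_ERR_OWNER; return -1; }
    if (st.st_mode & (S_IWGRP | S_IWOTH)) { close(fd); *status = CFG_ERR_MODE; return -1; }

    *status = CFG_OK;
    return fd;
}

/* Run the check on a path and return only the status code. */
enum cfg_status check_config(const char *path)
{
    enum cfg_status st;
    int fd = open_trusted_config(path, &st);
    if (fd >= 0) close(fd);
    return st;
}

/* Constructed fixture for the demo: a temp file with one harmless mailcap
 * line, chmod'ed to the requested mode.  Path is returned in buf. */
int make_fixture(char *buf, size_t buflen, mode_t mode)
{
    snprintf(buf, buflen, "/tmp/mailcap-example-XXXXXX");
    int fd = mkstemp(buf);
    if (fd < 0) return -1;
    const char *line = "text/plain; /bin/true %s\n";   /* constructed content */
    if (write(fd, line, strlen(line)) < 0 || fchmod(fd, mode) != 0) { close(fd); return -1; }
    close(fd);
    return 0;
}

/* Exercise three cases: a private 0600 file (accepted), a 0666 file (rejected
 * as writable), and a symlink to the good file (rejected by O_NOFOLLOW).
 * Returns the number of cases that behaved as intended (3), or -1 on setup failure. */
int run_fixture_checks(void)
{
    char good[64], bad[64], link[80];
    int passed = 0;
    if (make_fixture(good, sizeof good, 0600) != 0) return -1;
    if (make_fixture(bad, sizeof bad, 0666) != 0) { unlink(good); return -1; }
    snprintf(link, sizeof link, "%s.lnk", good);
    if (symlink(good, link) != 0) { unlink(good); unlink(bad); return -1; }

    if (check_config(good) == CFG_OK) passed++;
    if (check_config(bad) == CFG_ERR_MODE) passed++;
    if (check_config(link) == CFG_ERR_OPEN) passed++;

    unlink(link); unlink(good); unlink(bad);
    return passed;
}

int main(void)
{
    printf("fixture checks passed: %d of 3\n", run_fixture_checks());
    printf("./.mailcap -> status %d (1 = CFG_ERR_RELATIVE)\n", check_config("./.mailcap"));
    return 0;
}
```

Because fstat() describes the object the descriptor already refers to, nothing that happens to the directory entry between the check and the read can swap in a different file, which is the gap Steinar points out in the stat-then-open sequence. O_NOFOLLOW refuses a symlink planted at the path, and the absolute-path requirement is what rules out the current-directory lookup from the original report; rejecting group- or world-writable files is the stricter form of the "controlled only by the user" test from the dev.2 changelog.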
Reply sent to Atsuhito KOHDA <kohda@debian.org>:
You have taken responsibility.
Notification sent to "Piotr Engelking" <inkerman42@gmail.com>:
Bug acknowledged by developer.
Message #52 received at 396949-close@bugs.debian.org:
Source: lynx-cur
Source-Version: 2.8.7dev4-1
We believe that the bug you reported is fixed in the latest version of
lynx-cur, which is due to be installed in the Debian FTP archive:
lynx-cur-wrapper_2.8.7dev4-1_all.deb
to pool/main/l/lynx-cur/lynx-cur-wrapper_2.8.7dev4-1_all.deb
lynx-cur_2.8.7dev4-1.diff.gz
to pool/main/l/lynx-cur/lynx-cur_2.8.7dev4-1.diff.gz
lynx-cur_2.8.7dev4-1.dsc
to pool/main/l/lynx-cur/lynx-cur_2.8.7dev4-1.dsc
lynx-cur_2.8.7dev4-1_i386.deb
to pool/main/l/lynx-cur/lynx-cur_2.8.7dev4-1_i386.deb
lynx-cur_2.8.7dev4.orig.tar.gz
to pool/main/l/lynx-cur/lynx-cur_2.8.7dev4.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 396949@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Atsuhito KOHDA <kohda@debian.org> (supplier of updated lynx-cur package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 16 Nov 2006 08:39:02 +0900
Source: lynx-cur
Binary: lynx-cur-wrapper lynx-cur
Architecture: source i386 all
Version: 2.8.7dev4-1
Distribution: unstable
Urgency: low
Maintainer: Atsuhito KOHDA <kohda@debian.org>
Changed-By: Atsuhito KOHDA <kohda@debian.org>
Description:
lynx-cur - Text-mode WWW Browser with NLS support (development version)
lynx-cur-wrapper - Wrapper for lynx-cur
Closes: 396949
Changes:
lynx-cur (2.8.7dev4-1) unstable; urgency=low
.
* New Upstream Release. This version fixed the following (Closes: #396949)
* Updated patch-1, patch-2 for this version.
Files:
157422ca711486bab12dbfe9758fdfcf 672 web extra lynx-cur_2.8.7dev4-1.dsc
e4c401080b3bd11522f613b01603152f 3189238 web extra lynx-cur_2.8.7dev4.orig.tar.gz
fd95f23fee683a9773d78949b812b9ee 24718 web extra lynx-cur_2.8.7dev4-1.diff.gz
66baf1eca4d478db28770967e870b6f2 14574 web extra lynx-cur-wrapper_2.8.7dev4-1_all.deb
794733c7591e0eff82a0036c9a1ea096 1965836 web extra lynx-cur_2.8.7dev4-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFFW7Z81IXdL1v6kOwRAj4TAJ4yoV9xXW4Gb8hRSONG5ISCUw2S+wCfdSef
2jk5Io8xcjgBffflQRg12Zg=
=ptQ8
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 13:30:47 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Sat Jan 9 08:53:40 2021.