Debian Bug report logs - #399187
CVE-2006-5925: Links "smb" Protocol File Upload/Download Vulnerability

Package: links; Maintainer for links is Axel Beckert <abe@debian.org>; Source for links is src:links2.

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Sat, 18 Nov 2006 12:03:06 UTC

Severity: grave

Tags: patch, security

Fixed in version links/0.99+1.00pre12-1.1

Done: Julien Cristau <julien.cristau@ens-lyon.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Peter Gervai <grin@tolna.net>:
Bug#399187; Package links. Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Peter Gervai <grin@tolna.net>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: submit@bugs.debian.org
Subject: CVE-2006-5925: Links "smb" Protocol File Upload/Download Vulnerability
Date: Sat, 18 Nov 2006 12:59:57 +0100
[Message part 1 (text/plain, inline)]
package: links
severity: grave
tags: security

A vulnerability has been found in links:
Links web browser 1.00pre12 and Elinks 0.9.2 with smbclient installed
allows remote attackers to execute arbitrary code via shell
metacharacters in an smb:// URI, as demonstrated by using PUT and GET
statements.

See http://secunia.com/advisories/22905

Please mention the CVE id in the changelog.

Information forwarded to debian-bugs-dist@lists.debian.org, Peter Gervai <grin@tolna.net>:
Bug#399187; Package links. Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <julien.cristau@ens-lyon.org>:
Extra info received and forwarded to list. Copy sent to Peter Gervai <grin@tolna.net>. Full text and rfc822 format available.

Message #10 received at 399187@bugs.debian.org (full text, mbox):

From: Julien Cristau <julien.cristau@ens-lyon.org>
To: Stefan Fritsch <sf@sfritsch.de>
Cc: 399187@bugs.debian.org, control@bugs.debian.org
Subject: Re: CVE-2006-5925: Links "smb" Protocol File Upload/Download Vulnerability
Date: Mon, 27 Nov 2006 02:25:32 +0100
[Message part 1 (text/plain, inline)]
tags 399187 patch
kthxbye

On Sat, Nov 18, 2006 at 12:59:57 +0100, Stefan Fritsch wrote:

> A vulnerability has been found in links:
> Links web browser 1.00pre12 and Elinks 0.9.2 with smbclient installed
> allows remote attackers to execute arbitrary code via shell
> metacharacters in an smb:// URI, as demonstrated by using PUT and GET
> statements.
> 
Hi, the attached patch disables smb support in links and thus fixes this
issue.

Cheers,
Julien
[links-CVE-2006-5925.diff (text/plain, attachment)]

Tags added: patch Request was from Julien Cristau <julien.cristau@ens-lyon.org> to control@bugs.debian.org. Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <julien.cristau@ens-lyon.org>:
Extra info received and forwarded to list. Copy sent to Peter Gervai <grin@tolna.net>. Full text and rfc822 format available.

Message #17 received at 399187@bugs.debian.org (full text, mbox):

From: Julien Cristau <julien.cristau@ens-lyon.org>
To: team@security.debian.org
Cc: 399188@bugs.debian.org, 399187@bugs.debian.org
Subject: Re: CVE-2006-5925: ELinks "smb" Protocol File Upload/Download Vulnerability
Date: Mon, 27 Nov 2006 11:17:14 +0100
[Message part 1 (text/plain, inline)]
Hi,

do the security@ people have a DSA in preparation for links and/or
elinks for CVE-2006-5925, or should I prepare a patch for the stable
versions too?

Cheers,
Julien

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Peter Gervai <grin@tolna.net>. Full text and rfc822 format available.

Message #22 received at 399187@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Julien Cristau <julien.cristau@ens-lyon.org>
Cc: team@security.debian.org, 399188@bugs.debian.org, 399187@bugs.debian.org
Subject: Re: CVE-2006-5925: ELinks "smb" Protocol File Upload/Download Vulnerability
Date: Mon, 27 Nov 2006 11:35:07 +0100
Julien Cristau wrote:
> Hi,
> 
> do the security@ people have a DSA in preparation for links and/or
> elinks for CVE-2006-5925, or should I prepare a patch for the stable
> versions too?

As far as I know, no.  Please prepare an update.

Regards,

	Joey

-- 
Given enough thrust pigs will fly, but it's not necessarily a good idea.

Please always Cc to me when replying to me on the lists.



Reply sent to Julien Cristau <julien.cristau@ens-lyon.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #27 received at 399187-close@bugs.debian.org (full text, mbox):

From: Julien Cristau <julien.cristau@ens-lyon.org>
To: 399187-close@bugs.debian.org
Subject: Bug#399187: fixed in links 0.99+1.00pre12-1.1
Date: Mon, 27 Nov 2006 10:47:05 +0000
Source: links
Source-Version: 0.99+1.00pre12-1.1

We believe that the bug you reported is fixed in the latest version of
links, which is due to be installed in the Debian FTP archive:

links-ssl_0.99+1.00pre12-1.1_all.deb
  to pool/main/l/links/links-ssl_0.99+1.00pre12-1.1_all.deb
links_0.99+1.00pre12-1.1.diff.gz
  to pool/main/l/links/links_0.99+1.00pre12-1.1.diff.gz
links_0.99+1.00pre12-1.1.dsc
  to pool/main/l/links/links_0.99+1.00pre12-1.1.dsc
links_0.99+1.00pre12-1.1_i386.deb
  to pool/main/l/links/links_0.99+1.00pre12-1.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 399187@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau <julien.cristau@ens-lyon.org> (supplier of updated links package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Mon, 27 Nov 2006 02:03:42 +0100
Source: links
Binary: links-ssl links
Architecture: source i386 all
Version: 0.99+1.00pre12-1.1
Distribution: unstable
Urgency: high
Maintainer: Peter Gervai <grin@tolna.net>
Changed-By: Julien Cristau <julien.cristau@ens-lyon.org>
Description: 
 links      - Character mode WWW browser
 links-ssl  - Dummy package for transition to elinks
Closes: 399187
Changes: 
 links (0.99+1.00pre12-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * High-urgency for security bug fix.
   * Build without smb support to fix security issue (CVE-2006-5925),
     closes: #399187.
Files: 
 74482d69fb9989046bc8be23a3daf4e2 620 web extra links_0.99+1.00pre12-1.1.dsc
 32fa0a2fab0c54b14d0a519a7f8d90e2 8708 web extra links_0.99+1.00pre12-1.1.diff.gz
 9ad476ce7ec069e3667617d0516c6beb 5366 oldlibs extra links-ssl_0.99+1.00pre12-1.1_all.deb
 6e5712b82beaaaba19cc5ae28c082f80 377316 web extra links_0.99+1.00pre12-1.1_i386.deb

Acknowledgement sent to Julien Cristau <julien.cristau@ens-lyon.org>:
Extra info received and forwarded to list. Copy sent to Peter Gervai <grin@tolna.net>. Full text and rfc822 format available.

Message #32 received at 399187@bugs.debian.org (full text, mbox):

From: Julien Cristau <julien.cristau@ens-lyon.org>
To: Martin Schulze <joey@infodrom.org>
Cc: team@security.debian.org, 399188@bugs.debian.org, 399187@bugs.debian.org, adn@debian.org
Subject: Re: CVE-2006-5925: ELinks "smb" Protocol File Upload/Download Vulnerability
Date: Mon, 27 Nov 2006 12:09:56 +0100
[Message part 1 (text/plain, inline)]
On Mon, Nov 27, 2006 at 11:35:07 +0100, Martin Schulze wrote:

> Julien Cristau wrote:
> > Hi,
> > 
> > do the security@ people have a DSA in preparation for links and/or
> > elinks for CVE-2006-5925, or should I prepare a patch for the stable
> > versions too?
> 
> As far as I know, no.  Please prepare an update.
> 
I have source packages ready at:
http://www.liafa.jussieu.fr/~jcristau/debian/CVE-2006-5925/links_0.99+1.00pre12-1sarge1.dsc
http://www.liafa.jussieu.fr/~jcristau/debian/CVE-2006-5925/elinks_0.10.4-7.1.dsc

Please find the debdiffs attached to this mail.
Let me know if you want me to have them uploaded.

Cheers,
Julien
[links_0.99+1.00pre12-1sarge1.debdiff (text/plain, attachment)]
[elinks_0.10.4-7.1.debdiff (text/plain, attachment)]

Acknowledgement sent to Julien Cristau <julien.cristau@ens-lyon.org>:
Extra info received and forwarded to list. Copy sent to Peter Gervai <grin@tolna.net>. Full text and rfc822 format available.

Message #37 received at 399187@bugs.debian.org (full text, mbox):

From: Julien Cristau <julien.cristau@ens-lyon.org>
To: 399187@bugs.debian.org
Subject: Re: Bug#399187: CVE-2006-5925: Links "smb" Protocol File Upload/Download Vulnerability
Date: Mon, 27 Nov 2006 13:06:23 +0100
[Message part 1 (text/plain, inline)]
On Mon, Nov 27, 2006 at 02:25:32 +0100, Julien Cristau wrote:

> Hi, the attached patch disables smb support in links and thus fixes this
> issue.
> 
An NMU has been uploaded today with the patch I attached to my previous
mail.

Cheers,
Julien

Acknowledgement sent to Mikko Rapeli <mikko.rapeli@iki.fi>:
Extra info received and forwarded to list. Copy sent to Peter Gervai <grin@tolna.net>. Full text and rfc822 format available.

Message #42 received at 399187@bugs.debian.org (full text, mbox):

From: Mikko Rapeli <mikko.rapeli@iki.fi>
To: Julien Cristau <julien.cristau@ens-lyon.org>
Cc: Martin Schulze <joey@infodrom.org>, team@security.debian.org, 399188@bugs.debian.org, 399187@bugs.debian.org, adn@debian.org
Subject: Re: CVE-2006-5925: ELinks "smb" Protocol File Upload/Download Vulnerability
Date: Tue, 28 Nov 2006 00:28:32 +0200
[Message part 1 (text/plain, inline)]
Hello,

On Mon, Nov 27, 2006 at 12:09:56PM +0100, Julien Cristau wrote:
> On Mon, Nov 27, 2006 at 11:35:07 +0100, Martin Schulze wrote:
> 
> > Julien Cristau wrote:
> > > Hi,
> > > 
> > > do the security@ people have a DSA in preparation for links and/or
> > > elinks for CVE-2006-5925, or should I prepare a patch for the stable
> > > versions too?
> > 
> > As far as I know, no.  Please prepare an update.
> > 
> I have source packages ready at:
> http://www.liafa.jussieu.fr/~jcristau/debian/CVE-2006-5925/links_0.99+1.00pre12-1sarge1.dsc
> http://www.liafa.jussieu.fr/~jcristau/debian/CVE-2006-5925/elinks_0.10.4-7.1.dsc

links2 is vulnerable too. The links patch needed a tweak for links2
but result is attached.

-Mikko
[links2_sarge_disable_smb_01.txt (text/plain, attachment)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 00:07:36 GMT) Full text and rfc822 format available.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 02:15:49 2014; Machine Name: beach.debian.org
