Debian Bug report logs - #399188
CVE-2006-5925: ELinks "smb" Protocol File Upload/Download Vulnerability

version graph

Package: elinks; Maintainer for elinks is Moritz Muehlenhoff <jmm@debian.org>; Source for elinks is src:elinks.

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Sat, 18 Nov 2006 12:03:10 UTC

Severity: grave

Tags: patch, security

Fixed in version elinks/0.11.1-1.2

Done: Julien Cristau <julien.cristau@ens-lyon.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugzilla.elinks.cz/show_bug.cgi?id=841

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Peter Gervai <grin@tolna.net>:
Bug#399188; Package elinks. Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Peter Gervai <grin@tolna.net>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: submit@bugs.debian.org
Subject: CVE-2006-5925: ELinks "smb" Protocol File Upload/Download Vulnerability
Date: Sat, 18 Nov 2006 13:00:55 +0100
[Message part 1 (text/plain, inline)]
package: elinks
severity: grave
tags: security

A vulnerability has been found in elinks:
Links web browser 1.00pre12 and Elinks 0.9.2 with smbclient installed
allows remote attackers to execute arbitrary code via shell
metacharacters in an smb:// URI, as demonstrated by using PUT and GET
statements.

See http://secunia.com/advisories/22920

Please mention the CVE id in the changelog.

[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Peter Gervai <grin@tolna.net>:
Bug#399188; Package elinks. Full text and rfc822 format available.

Acknowledgement sent to Kalle Olavi Niemitalo <kon@iki.fi>:
Extra info received and forwarded to list. Copy sent to Peter Gervai <grin@tolna.net>. Full text and rfc822 format available.

Message #10 received at 399188@bugs.debian.org (full text, mbox):

From: Kalle Olavi Niemitalo <kon@iki.fi>
To: 399188@bugs.debian.org
Subject: Re: Bug#399188: CVE-2006-5925: ELinks "smb" Protocol File Upload/Download Vulnerability
Date: Sun, 19 Nov 2006 09:37:47 +0200
[Message part 1 (text/plain, inline)]
package elinks
forwarded 399188 http://bugzilla.elinks.cz/show_bug.cgi?id=841
quit

Stefan Fritsch <sf@sfritsch.de> writes:

> A vulnerability has been found in elinks:
> Links web browser 1.00pre12 and Elinks 0.9.2 with smbclient installed
> allows remote attackers to execute arbitrary code via shell
> metacharacters in an smb:// URI, as demonstrated by using PUT and GET
> statements.

I have fixed this upstream by forcing --disable-smb in configure.in.
So far, the change is only in Git and not in any released version.
[Message part 2 (application/pgp-signature, inline)]

Noted your statement that Bug has been forwarded to http://bugzilla.elinks.cz/show_bug.cgi?id=841. Request was from Kalle Olavi Niemitalo <kon@iki.fi> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Peter Gervai <grin@tolna.net>:
Bug#399188; Package elinks. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Copy sent to Peter Gervai <grin@tolna.net>. Full text and rfc822 format available.

Message #17 received at 399188@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: Peter Gervai <grin@tolna.net>, 399188@bugs.debian.org
Subject: Re: CVE-2006-5925: ELinks "smb" Protocol File Upload/Download Vulnerability
Date: Sun, 26 Nov 2006 21:25:28 +0100
Hello Peter

Have you noticed that you have a release-critical bug here? The
workaround using --disable-smb sounds easy. Do you plan to upload
a new version in the next time or need an NMU?

bye,

-christian-




Information forwarded to debian-bugs-dist@lists.debian.org, Peter Gervai <grin@tolna.net>:
Bug#399188; Package elinks. Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <julien.cristau@ens-lyon.org>:
Extra info received and forwarded to list. Copy sent to Peter Gervai <grin@tolna.net>. Full text and rfc822 format available.

Message #22 received at 399188@bugs.debian.org (full text, mbox):

From: Julien Cristau <julien.cristau@ens-lyon.org>
To: Stefan Fritsch <sf@sfritsch.de>
Cc: 399188@bugs.debian.org, control@bugs.debian.org
Subject: Re: CVE-2006-5925: ELinks "smb" Protocol File Upload/Download Vulnerability
Date: Mon, 27 Nov 2006 02:44:03 +0100
[Message part 1 (text/plain, inline)]
tags 399188 patch
kthxbye

On Sat, Nov 18, 2006 at 13:00:55 +0100, Stefan Fritsch wrote:

> A vulnerability has been found in elinks:
> Links web browser 1.00pre12 and Elinks 0.9.2 with smbclient installed
> allows remote attackers to execute arbitrary code via shell
> metacharacters in an smb:// URI, as demonstrated by using PUT and GET
> statements.
> 
Hi, the attached patch disables support for smb:// URI, and thus fixes
this bug.

Cheers,
Julien
[elinks-CVE-2006-5925.diff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Tags added: patch Request was from Julien Cristau <julien.cristau@ens-lyon.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Peter Gervai <grin@tolna.net>:
Bug#399188; Package elinks. Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <julien.cristau@ens-lyon.org>:
Extra info received and forwarded to list. Copy sent to Peter Gervai <grin@tolna.net>. Full text and rfc822 format available.

Message #29 received at 399188@bugs.debian.org (full text, mbox):

From: Julien Cristau <julien.cristau@ens-lyon.org>
To: team@security.debian.org
Cc: 399188@bugs.debian.org, 399187@bugs.debian.org
Subject: Re: CVE-2006-5925: ELinks "smb" Protocol File Upload/Download Vulnerability
Date: Mon, 27 Nov 2006 11:17:14 +0100
[Message part 1 (text/plain, inline)]
Hi,

do the security@ people have a DSA in preparation for links and/or
elinks for CVE-2006-5925, or should I prepare a patch for the stable
versions too?

Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Peter Gervai <grin@tolna.net>:
Bug#399188; Package elinks. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Peter Gervai <grin@tolna.net>. Full text and rfc822 format available.

Message #34 received at 399188@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Julien Cristau <julien.cristau@ens-lyon.org>
Cc: team@security.debian.org, 399188@bugs.debian.org, 399187@bugs.debian.org
Subject: Re: CVE-2006-5925: ELinks "smb" Protocol File Upload/Download Vulnerability
Date: Mon, 27 Nov 2006 11:35:07 +0100
Julien Cristau wrote:
> Hi,
> 
> do the security@ people have a DSA in preparation for links and/or
> elinks for CVE-2006-5925, or should I prepare a patch for the stable
> versions too?

As far as I know, no.  Please prepare an update.

Regards,

	Joey

-- 
Given enough thrust pigs will fly, but it's not necessarily a good idea.

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Peter Gervai <grin@tolna.net>:
Bug#399188; Package elinks. Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <julien.cristau@ens-lyon.org>:
Extra info received and forwarded to list. Copy sent to Peter Gervai <grin@tolna.net>. Full text and rfc822 format available.

Message #39 received at 399188@bugs.debian.org (full text, mbox):

From: Julien Cristau <julien.cristau@ens-lyon.org>
To: Martin Schulze <joey@infodrom.org>
Cc: team@security.debian.org, 399188@bugs.debian.org, 399187@bugs.debian.org, adn@debian.org
Subject: Re: CVE-2006-5925: ELinks "smb" Protocol File Upload/Download Vulnerability
Date: Mon, 27 Nov 2006 12:09:56 +0100
[Message part 1 (text/plain, inline)]
On Mon, Nov 27, 2006 at 11:35:07 +0100, Martin Schulze wrote:

> Julien Cristau wrote:
> > Hi,
> > 
> > do the security@ people have a DSA in preparation for links and/or
> > elinks for CVE-2006-5925, or should I prepare a patch for the stable
> > versions too?
> 
> As far as I know, no.  Please prepare an update.
> 
I have source packages ready at:
http://www.liafa.jussieu.fr/~jcristau/debian/CVE-2006-5925/links_0.99+1.00pre12-1sarge1.dsc
http://www.liafa.jussieu.fr/~jcristau/debian/CVE-2006-5925/elinks_0.10.4-7.1.dsc

Please find the debdiffs attached to this mail.
Let me know if you want me to have them uploaded.

Cheers,
Julien
[links_0.99+1.00pre12-1sarge1.debdiff (text/plain, attachment)]
[elinks_0.10.4-7.1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Reply sent to Julien Cristau <julien.cristau@ens-lyon.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #44 received at 399188-close@bugs.debian.org (full text, mbox):

From: Julien Cristau <julien.cristau@ens-lyon.org>
To: 399188-close@bugs.debian.org
Subject: Bug#399188: fixed in elinks 0.11.1-1.2
Date: Mon, 27 Nov 2006 10:47:03 +0000
Source: elinks
Source-Version: 0.11.1-1.2

We believe that the bug you reported is fixed in the latest version of
elinks, which is due to be installed in the Debian FTP archive:

elinks-lite_0.11.1-1.2_i386.deb
  to pool/main/e/elinks/elinks-lite_0.11.1-1.2_i386.deb
elinks_0.11.1-1.2.diff.gz
  to pool/main/e/elinks/elinks_0.11.1-1.2.diff.gz
elinks_0.11.1-1.2.dsc
  to pool/main/e/elinks/elinks_0.11.1-1.2.dsc
elinks_0.11.1-1.2_i386.deb
  to pool/main/e/elinks/elinks_0.11.1-1.2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 399188@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau <julien.cristau@ens-lyon.org> (supplier of updated elinks package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 27 Nov 2006 02:32:47 +0100
Source: elinks
Binary: elinks-lite elinks
Architecture: source i386
Version: 0.11.1-1.2
Distribution: unstable
Urgency: high
Maintainer: Peter Gervai <grin@tolna.net>
Changed-By: Julien Cristau <julien.cristau@ens-lyon.org>
Description: 
 elinks     - advanced text-mode WWW browser
 elinks-lite - advanced text-mode WWW browser (lite version)
Closes: 399188
Changes: 
 elinks (0.11.1-1.2) unstable; urgency=high
 .
   * Non-maintainer upload.
   * High-urgency upload for security bug fix.
   * Configure with --disable-smb to fix security issue (CVE-2006-5925),
     closes: #399188.
Files: 
 55e59433aebf3469aed0995c29a9b12f 862 web optional elinks_0.11.1-1.2.dsc
 0a3e90b75a65a9eeab39aad771315134 27673 web optional elinks_0.11.1-1.2.diff.gz
 303ffa87bd7473d014ccdf68fa2fb78e 1189662 web optional elinks_0.11.1-1.2_i386.deb
 a737f3e2a0e6f4b065f0433300002962 423560 web optional elinks-lite_0.11.1-1.2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFar5TOU3FkQ7XBOoRAoVPAJ96/EYom58+Tfcd4iLd5/QT/M37JACgv/Rq
8p5CO6pI7Yql2hDSq6CxJrM=
=Zex4
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Peter Gervai <grin@tolna.net>:
Bug#399188; Package elinks. Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <julien.cristau@ens-lyon.org>:
Extra info received and forwarded to list. Copy sent to Peter Gervai <grin@tolna.net>. Full text and rfc822 format available.

Message #49 received at 399188@bugs.debian.org (full text, mbox):

From: Julien Cristau <julien.cristau@ens-lyon.org>
To: 399188@bugs.debian.org
Subject: Re: Bug#399188: CVE-2006-5925: ELinks "smb" Protocol File Upload/Download Vulnerability
Date: Mon, 27 Nov 2006 13:07:10 +0100
[Message part 1 (text/plain, inline)]
On Mon, Nov 27, 2006 at 02:44:03 +0100, Julien Cristau wrote:

> Hi, the attached patch disables support for smb:// URI, and thus fixes
> this bug.
> 
An NMU has been uploaded today with the patch I attached to my previous
mail.

Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Peter Gervai <grin@tolna.net>:
Bug#399188; Package elinks. Full text and rfc822 format available.

Acknowledgement sent to Mikko Rapeli <mikko.rapeli@iki.fi>:
Extra info received and forwarded to list. Copy sent to Peter Gervai <grin@tolna.net>. Full text and rfc822 format available.

Message #54 received at 399188@bugs.debian.org (full text, mbox):

From: Mikko Rapeli <mikko.rapeli@iki.fi>
To: Julien Cristau <julien.cristau@ens-lyon.org>
Cc: Martin Schulze <joey@infodrom.org>, team@security.debian.org, 399188@bugs.debian.org, 399187@bugs.debian.org, adn@debian.org
Subject: Re: CVE-2006-5925: ELinks "smb" Protocol File Upload/Download Vulnerability
Date: Tue, 28 Nov 2006 00:28:32 +0200
[Message part 1 (text/plain, inline)]
Hello,

On Mon, Nov 27, 2006 at 12:09:56PM +0100, Julien Cristau wrote:
> On Mon, Nov 27, 2006 at 11:35:07 +0100, Martin Schulze wrote:
> 
> > Julien Cristau wrote:
> > > Hi,
> > > 
> > > do the security@ people have a DSA in preparation for links and/or
> > > elinks for CVE-2006-5925, or should I prepare a patch for the stable
> > > versions too?
> > 
> > As far as I know, no.  Please prepare an update.
> > 
> I have source packages ready at:
> http://www.liafa.jussieu.fr/~jcristau/debian/CVE-2006-5925/links_0.99+1.00pre12-1sarge1.dsc
> http://www.liafa.jussieu.fr/~jcristau/debian/CVE-2006-5925/elinks_0.10.4-7.1.dsc

links2 is vulnerable too. The links patch needed a tweak for links2
but result is attached.

-Mikko
[links2_sarge_disable_smb_01.txt (text/plain, attachment)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 00:39:23 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 07:28:34 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.