Debian Bug report logs - #668227
links2: security bugs in links


Package: links2; Maintainer for links2 is Axel Beckert <abe@debian.org>; Source for links2 is src:links2 (PTS, buildd, popcon).

Reported by: Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>

Date: Mon, 9 Apr 2012 22:09:02 UTC

Severity: grave

Tags: fixed-upstream, security, squeeze

Found in version links2/2.3~pre1-1

Fixed in versions links2/2.6-1, links2/2.3~pre1-1+squeeze1

Done: Axel Beckert <abe@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, mikulas@artax.karlin.mff.cuni.cz, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Axel Beckert <abe@debian.org>:
Bug#668227; Package links2. (Mon, 09 Apr 2012 22:09:04 GMT) (full text, mbox, link).


Acknowledgement sent to Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>:
New Bug report received and forwarded. Copy sent to mikulas@artax.karlin.mff.cuni.cz, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Axel Beckert <abe@debian.org>. (Mon, 09 Apr 2012 22:09:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: links2: security bugs in links
Date: Tue, 10 Apr 2012 00:04:50 +0200
Package: links2
Version: 2.3~pre1-1
Severity: grave
Tags: security
Justification: user security hole

I discovered some out of memory accesses in links2 graphics mode that could be
potentially used to run exploits. I fixed them in links-2.6. For Debian
Squeeze, I am sending this patch that backports the fixes to links-2.3pre1.
Apply the patch and distribute patched packages links and links2 through
security.debian.org.



-- System Information:
Debian Release: 6.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.3.0 (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=cs_CZ, LC_CTYPE=cs_CZ (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/dash

Versions of packages links2 depends on:
ii  libc6                  2.11.3-2          Embedded GNU C Library: Shared lib
ii  libdirectfb-1.2-9      1.2.10.0-4        direct frame buffer graphics - sha
ii  libgpm2                1.20.4-3.3        General Purpose Mouse - shared lib
ii  libjpeg62              6b1-1             The Independent JPEG Group's JPEG 
ii  libpng12-0             1.2.44-1+squeeze4 PNG library - runtime
ii  libssl0.9.8            0.9.8o-4squeeze7  SSL shared libraries
ii  libsvga1               1:1.4.3-29        console SVGA display libraries
ii  libtiff4               3.9.6             Empty libtiff4 package
ii  libx11-6               2:1.3.3-4         X11 client-side library
ii  zlib1g                 1:1.2.3.4.dfsg-3  compression library - runtime

links2 recommends no packages.

links2 suggests no packages.

-- no debconf information
[links-2.3.patch (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#668227; Package links2. (Mon, 09 Apr 2012 23:09:06 GMT) (full text, mbox, link).


Acknowledgement sent to Axel Beckert <abe@debian.org>:
Extra info received and forwarded to list. (Mon, 09 Apr 2012 23:09:06 GMT) (full text, mbox, link).


Message #10 received at 668227@bugs.debian.org (full text, mbox, reply):

From: Axel Beckert <abe@debian.org>
To: Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>, 668227@bugs.debian.org
Subject: Re: Bug#668227: links2: security bugs in links
Date: Tue, 10 Apr 2012 01:07:12 +0200
Hi Mikulas,

Mikulas Patocka wrote:
> I discovered some out of memory accesses in links2 graphics mode that could be
> potentially used to run exploits. I fixed them in links-2.6.

Thanks for the information. I'll prepare an upload of 2.6 to Unstable.

> For Debian Squeeze, I am sending this patch that backports the fixes
> to links-2.3pre1. Apply the patch and distribute patched packages
> links and links2 through security.debian.org.

Thanks for the ready-to-use patch for Debian Stable. Much appreciated!

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
  `-    |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5




Added tag(s) squeeze and fixed-upstream. Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org. (Mon, 09 Apr 2012 23:09:08 GMT) (full text, mbox, link).


Added tag(s) pending. Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org. (Wed, 18 Apr 2012 23:15:07 GMT) (full text, mbox, link).


Reply sent to Axel Beckert <abe@debian.org>:
You have taken responsibility. (Sat, 21 Apr 2012 08:54:54 GMT) (full text, mbox, link).


Notification sent to Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>:
Bug acknowledged by developer. (Sat, 21 Apr 2012 08:54:57 GMT) (full text, mbox, link).


Message #19 received at 668227-close@bugs.debian.org (full text, mbox, reply):

From: Axel Beckert <abe@debian.org>
To: 668227-close@bugs.debian.org
Subject: Bug#668227: fixed in links2 2.6-1
Date: Sat, 21 Apr 2012 08:51:44 +0000
Source: links2
Source-Version: 2.6-1

We believe that the bug you reported is fixed in the latest version of
links2, which is due to be installed in the Debian FTP archive:

links2_2.6-1.debian.tar.gz
  to main/l/links2/links2_2.6-1.debian.tar.gz
links2_2.6-1.dsc
  to main/l/links2/links2_2.6-1.dsc
links2_2.6-1_amd64.deb
  to main/l/links2/links2_2.6-1_amd64.deb
links2_2.6.orig.tar.bz2
  to main/l/links2/links2_2.6.orig.tar.bz2
links_2.6-1_amd64.deb
  to main/l/links2/links_2.6-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 668227@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Axel Beckert <abe@debian.org> (supplier of updated links2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 21 Apr 2012 09:47:46 +0200
Source: links2
Binary: links2 links
Architecture: source amd64
Version: 2.6-1
Distribution: unstable
Urgency: medium
Maintainer: Axel Beckert <abe@debian.org>
Changed-By: Axel Beckert <abe@debian.org>
Description: 
 links      - Web browser running in text mode
 links2     - Web browser running in both graphics and text mode
Closes: 654807 668227
Changes: 
 links2 (2.6-1) unstable; urgency=medium
 .
   * New upstream release
     + Fixes several possibly remotely exploitable security issues (Closes:
       #668227; set urgency=medium due to security bug fixes)
     + Refresh the following patches:
       - links2-instead-of-links.diff
       - x-terminal-emulator-instead-of-xterm.diff
       - fix-typos-in-manpage.diff
       - improve-message-of-dash-g-602227.diff
       - verify-ssl-certs-510417.diff
     + Imported new ipv6.diff from patch upstream.
     + Removed BUGS and TODO from debian/docs, they no longer exist in upstream
       tarball. Added AUTHORS instead.
   * Enable hardened build flags (Closes: #654807) Thanks Moritz
     Muehlenhoff!
   * Enable bzip2 and lzma support by adding according build dependencies
   * Replaced build-dependency on libgpmg1-dev by libgpm-dev
   * Replaced incomplete linux-only architecture list in build-dependency
     with "linux-any"
   * Broadened architecture constraints for the libsvga1-dev build-dependency
     since svgalib has been ported to non-x86 architectures as well as to
     kfreebsd.
   * Updated lintian overrides for spelling error false positives in
     translations.
   * Bumped Standards-Version to 3.9.3 (no changes)
Checksums-Sha1: 
 cc7ae6c0547bafbb6172d92797fe8e217b85cc15 1456 links2_2.6-1.dsc
 228bd726c176ea44d35fa12cafd97aa83214d9dc 3866614 links2_2.6.orig.tar.bz2
 3dc93e376f2ccf27e159933a6cd3210e5b25f6fb 22580 links2_2.6-1.debian.tar.gz
 f07ed5816ca63c70a64a9883894939c82417e05c 2006998 links2_2.6-1_amd64.deb
 7301e0b676ba553757987523454428d96812c916 508182 links_2.6-1_amd64.deb
Checksums-Sha256: 
 25b7f805728cf655d8eb6d74187085de9ebc3e1790385b1ba369b7b6a9e5857b 1456 links2_2.6-1.dsc
 df9149f5f50d0b7742f6b3972b0fc0e9ff091ad4ef27153a3362a9ac1033835b 3866614 links2_2.6.orig.tar.bz2
 df85da0fe814fa8d848225cf403a4dd726ea0d269ab7466bc3b7c60c3a208f8b 22580 links2_2.6-1.debian.tar.gz
 e4272291d9de2c8a5276f308405f12e0f482acc50526ba17e12ed4b3ee9d3193 2006998 links2_2.6-1_amd64.deb
 6bb7e880d6200b61928c87a3a57631af086e21db3822cf67c51f1d68c82c1a2b 508182 links_2.6-1_amd64.deb
Files: 
 3ac5f230bb864141b05d768e3806d41f 1456 web optional links2_2.6-1.dsc
 9129e7e3b5c554458b9666689248e0c7 3866614 web optional links2_2.6.orig.tar.bz2
 048031cb64373ea47a3dd6dcbc3fe21d 22580 web optional links2_2.6-1.debian.tar.gz
 a78c60057e0aeab4d7814ee04864c165 2006998 web optional links2_2.6-1_amd64.deb
 d343f0f8f819f7fc71d6b032a1ca7b02 508182 web optional links_2.6-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk+SbBUACgkQwJ4diZWTDt7SrACfU9b94UPOUJxkSMXvIqUIFhOG
4GQAnRFStTQyGqCnlV50jyiRh4PssTNk
=rcVm
-----END PGP SIGNATURE-----
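The .changes file quoted above records a size and three digests (MD5 in the Files field, SHA-1 and SHA-256 in the Checksums-* fields) for every uploaded artifact. As an added example, not part of the bug log or of the links2 packaging, the following Python code parses those fields and verifies a downloaded blob against them. The embedded sample is constructed from the checksum lines of the 2.6-1 message above (with the other fields omitted); the `describe_blob` helper and the payload bytes used with it are assumptions made only to show a positive match on content whose digests are known.

```python
import hashlib
import re
from dataclasses import dataclass

# Sample input, constructed for this example from the Checksums-Sha1,
# Checksums-Sha256 and Files fields of the links2 2.6-1 .changes file
# quoted in the bug log; unrelated fields of the real file are left out.
SAMPLE_CHANGES = """\
Format: 1.8
Source: links2
Version: 2.6-1
Description: 
 links      - Web browser running in text mode
Checksums-Sha1: 
 cc7ae6c0547bafbb6172d92797fe8e217b85cc15 1456 links2_2.6-1.dsc
 228bd726c176ea44d35fa12cafd97aa83214d9dc 3866614 links2_2.6.orig.tar.bz2
 3dc93e376f2ccf27e159933a6cd3210e5b25f6fb 22580 links2_2.6-1.debian.tar.gz
 f07ed5816ca63c70a64a9883894939c82417e05c 2006998 links2_2.6-1_amd64.deb
 7301e0b676ba553757987523454428d96812c916 508182 links_2.6-1_amd64.deb
Checksums-Sha256: 
 25b7f805728cf655d8eb6d74187085de9ebc3e1790385b1ba369b7b6a9e5857b 1456 links2_2.6-1.dsc
 df9149f5f50d0b7742f6b3972b0fc0e9ff091ad4ef27153a3362a9ac1033835b 3866614 links2_2.6.orig.tar.bz2
 df85da0fe814fa8d848225cf403a4dd726ea0d269ab7466bc3b7c60c3a208f8b 22580 links2_2.6-1.debian.tar.gz
 e4272291d9de2c8a5276f308405f12e0f482acc50526ba17e12ed4b3ee9d3193 2006998 links2_2.6-1_amd64.deb
 6bb7e880d6200b61928c87a3a57631af086e21db3822cf67c51f1d68c82c1a2b 508182 links_2.6-1_amd64.deb
Files: 
 3ac5f230bb864141b05d768e3806d41f 1456 web optional links2_2.6-1.dsc
 9129e7e3b5c554458b9666689248e0c7 3866614 web optional links2_2.6.orig.tar.bz2
 048031cb64373ea47a3dd6dcbc3fe21d 22580 web optional links2_2.6-1.debian.tar.gz
 a78c60057e0aeab4d7814ee04864c165 2006998 web optional links2_2.6-1_amd64.deb
 d343f0f8f819f7fc71d6b032a1ca7b02 508182 web optional links_2.6-1_amd64.deb
"""

# Which multi-line field carries which digest algorithm, and the hex
# length each digest must have.
FIELD_ALGOS = {"Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256", "Files": "md5"}
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


@dataclass
class Artifact:
    name: str
    size: int
    digests: dict  # algorithm name -> lowercase hex digest


def parse_changes(text):
    """Collect size and digests per file from the checksum fields.

    Continuation lines (leading space) belong to the preceding field.
    Checksums-* lines are 'digest size name'; Files lines are
    'md5 size section priority name', so the name is always last.
    Raises ValueError when the same file is listed with differing sizes
    or twice in one field, both signs of a tampered or corrupt manifest.
    """
    artifacts = {}
    algo = None  # algorithm of the checksum field we are currently inside
    for line in text.splitlines():
        if line.startswith(" "):
            if algo is None:
                continue  # continuation of a field we do not verify
            parts = line.split()
            if len(parts) < 3:
                raise ValueError(f"malformed checksum line: {line!r}")
            digest, size, name = parts[0].lower(), int(parts[1]), parts[-1]
            art = artifacts.setdefault(name, Artifact(name, size, {}))
            if art.size != size:
                raise ValueError(f"{name}: size {size} in {algo} field differs from {art.size}")
            if algo in art.digests:
                raise ValueError(f"{name}: duplicate {algo} entry")
            art.digests[algo] = digest
        else:
            field_name = line.split(":", 1)[0] if ":" in line else ""
            algo = FIELD_ALGOS.get(field_name)
    return artifacts


def check_consistency(artifacts):
    """Return a list of problems: missing or malformed digests per file."""
    problems = []
    for art in artifacts.values():
        for algo, length in DIGEST_LEN.items():
            digest = art.digests.get(algo)
            if digest is None:
                problems.append(f"{art.name}: missing {algo}")
            elif not re.fullmatch(r"[0-9a-f]{%d}" % length, digest):
                problems.append(f"{art.name}: malformed {algo} digest")
    return problems


def verify_blob(artifact, data):
    """True only if the size and every recorded digest match the data.

    Any single mismatch fails the check, so a weak MD5/SHA-1 match can
    never override a SHA-256 mismatch.
    """
    if len(data) != artifact.size:
        return False
    return all(hashlib.new(algo, data).hexdigest() == expected
               for algo, expected in artifact.digests.items())


def describe_blob(name, data):
    """Assumed helper: build the Artifact a .changes file would record for
    `data`, used here to demonstrate a positive verification."""
    return Artifact(name, len(data),
                    {algo: hashlib.new(algo, data).hexdigest() for algo in DIGEST_LEN})


if __name__ == "__main__":
    arts = parse_changes(SAMPLE_CHANGES)
    for art in arts.values():
        print(f"{art.name:40} {art.size:8} sha256={art.digests['sha256']}")
    print("consistency problems:", check_consistency(arts) or "none")
```

The digests only bind the files to the manifest; the manifest itself is trusted through the OpenPGP signature on the .changes file (the signed block shown above), so in practice that signature is checked before the hashes are used. The parser refuses a manifest that lists one file with two different sizes, which is cheaper than hashing anything and catches a common editing mistake or a crude substitution.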





Reply sent to Axel Beckert <abe@debian.org>:
You have taken responsibility. (Tue, 29 May 2012 21:21:12 GMT) (full text, mbox, link).


Notification sent to Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>:
Bug acknowledged by developer. (Tue, 29 May 2012 21:21:12 GMT) (full text, mbox, link).


Message #24 received at 668227-close@bugs.debian.org (full text, mbox, reply):

From: Axel Beckert <abe@debian.org>
To: 668227-close@bugs.debian.org
Subject: Bug#668227: fixed in links2 2.3~pre1-1+squeeze1
Date: Tue, 29 May 2012 21:17:11 +0000
Source: links2
Source-Version: 2.3~pre1-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
links2, which is due to be installed in the Debian FTP archive:

links2_2.3~pre1-1+squeeze1.debian.tar.gz
  to main/l/links2/links2_2.3~pre1-1+squeeze1.debian.tar.gz
links2_2.3~pre1-1+squeeze1.dsc
  to main/l/links2/links2_2.3~pre1-1+squeeze1.dsc
links2_2.3~pre1-1+squeeze1_amd64.deb
  to main/l/links2/links2_2.3~pre1-1+squeeze1_amd64.deb
links_2.3~pre1-1+squeeze1_amd64.deb
  to main/l/links2/links_2.3~pre1-1+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 668227@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Axel Beckert <abe@debian.org> (supplier of updated links2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 24 Apr 2012 17:57:12 +0200
Source: links2
Binary: links2 links
Architecture: source amd64
Version: 2.3~pre1-1+squeeze1
Distribution: stable-proposed-updates
Urgency: low
Maintainer: Gürkan Sengün <gurkan@phys.ethz.ch>
Changed-By: Axel Beckert <abe@debian.org>
Description: 
 links      - Web browser running in text mode
 links2     - Web browser running in both graphics and text mode
Closes: 668227
Changes: 
 links2 (2.3~pre1-1+squeeze1) stable-proposed-updates; urgency=low
 .
   * Fix several security issues reported by upstream (Closes: #668227)
Checksums-Sha1: 
 ab754886c84cf5335851cc2385a75855432048c2 1379 links2_2.3~pre1-1+squeeze1.dsc
 aa3c101eb4718dda2cef594bc721de785b4ae12c 39084 links2_2.3~pre1-1+squeeze1.debian.tar.gz
 c18ddd513c4ecf2d5194065e5f24c6dcb4603fd4 2058212 links2_2.3~pre1-1+squeeze1_amd64.deb
 0874344b8663a99a6f1a379e3d46ee2a633ddb9b 548410 links_2.3~pre1-1+squeeze1_amd64.deb
Checksums-Sha256: 
 091636b1407ebc7732e47fabaa04bb8b23318df4d02c197b749dc8275dd78df6 1379 links2_2.3~pre1-1+squeeze1.dsc
 6a4ce2509a383e7d52fb7274a27fce8a7bcaaf0d63fc23ce12386606d887a4e7 39084 links2_2.3~pre1-1+squeeze1.debian.tar.gz
 20e42e0c8176f4124280b110f158aea7d9d2807853ca55c55d86427a1926ab1a 2058212 links2_2.3~pre1-1+squeeze1_amd64.deb
 63e376089e42d0f6f51052fba48e7421a199e8e971eef8133bd94846a2488896 548410 links_2.3~pre1-1+squeeze1_amd64.deb
Files: 
 0ab75942ae90185372b8e716e18d214b 1379 web optional links2_2.3~pre1-1+squeeze1.dsc
 4edd6308d4ec31b48c4a10d416ff46dc 39084 web optional links2_2.3~pre1-1+squeeze1.debian.tar.gz
 b6544dd48f59ff4134ef1ba2662ddb49 2058212 web optional links2_2.3~pre1-1+squeeze1_amd64.deb
 39759edaa7bbd6cf72b2fcbbc5edfa97 548410 web optional links_2.3~pre1-1+squeeze1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk/DcpkACgkQwJ4diZWTDt7iowCdEFphmDjPmfSH7YxHBiqreru2
kV0An17RHXJ23VOIIHo9EOP6LlchuKN9
=5cGX
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 28 Oct 2012 07:27:38 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jan 13 10:36:10 2018; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.