From: Larry W. Cashdollar (lwc@vapid.dhs.org)
Date: Thu Dec 27 2001 - 09:18:19 CST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The vendor has been notified, but since this is a low risk I am
releasing early.
Vapid Labs
Larry W. Cashdollar
Bug Report
Summary: lynx has a format string vulnerability in LYUtils.c line 7995 due
to a bad call to syslog(), where the format argument is omitted.
Risk: Low
Version: Lynx compiled from FreeBSD ports collection. Also tested in
2.8.5dev.5.gz
[larryc@harod ~ $] lynx --version
Lynx Version 2.8.4rel.1 (17 Jul 2001)
Built on freebsd4.4 Dec 25 2001 23:04:31
Details:
line 7995 in LYUtils.c reads:
syslog (LOG_INFO|LOG_LOCAL5, buf);
The reason this is low priority is that the bug can only be triggered if
syslogging of URLs is enabled.
(./configure --enable-syslog)
Demonstration:
The following url triggers the bug:
[larryc@harod ~ $] lynx http://lwc%d%d:hsVd632k@vapid.dhs.org/bleh:80
Results in the following logged to syslog.
Dec 25 23:11:00 vapid lynx[5160]: http://lwc-1077939384134744128:******@vapid.dhs.org/bleh:80
Fix:
line 7995:
- -syslog (LOG_INFO|LOG_LOCAL5, buf);
+syslog (LOG_INFO|LOG_LOCAL5,"%s", buf);
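Review bot: The "%s" on the added line is the right change for the call at line 7995, but the patch covers only that one site; the remaining syslog() calls in the tree should be checked for the same pattern of passing a buffer as the format argument, and building with -Wformat -Wformat-security would flag any non-literal format at compile time. The removed line also appears as "- -syslog" (dash-escaped by the PGP clearsigning), so that escaping has to be undone before the hunk will apply.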
Larry W. Cashdollar
http://vapid.dhs.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
iD8DBQE8Kzs/1hSQ6Gxh/KoRAv4GAJ94o0Wka9HEn8wEV+5m0LyEBR/4MACfaxF5
PoSH/Baqt/48b1m/SyFwmY4=
=hSZh
-----END PGP SIGNATURE-----
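Added example, not part of the original advisory or of the Lynx source: it shows why the URL in the demonstration is reinterpreted when it is passed as the format argument, and that the "%s" form logs it verbatim. The names demo_syslog, count_directives and log_url_fixed are hypothetical; demo_syslog is a stand-in for syslog(3) that formats into a buffer so the result can be inspected offline, and the sample URL assumes the '@' that the archive stripped.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_log[512];   /* what the stand-in logger last wrote */

/* Stand-in for syslog(3): same (priority, format, ...) shape, but it
 * formats into last_log instead of sending to the system logger. */
static void demo_syslog(int priority, const char *fmt, ...)
{
    va_list ap;
    (void)priority;
    va_start(ap, fmt);
    vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
}

/* Count the conversion directives the formatter would act on if `s` were
 * used as the format string; "%%" is a literal percent, not a directive. */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0')
            n++;
    }
    return n;
}

/* Fixed form from the advisory: the URL is data for "%s", never the format.
 * The vulnerable form, demo_syslog(pri, url), is deliberately not called:
 * it would read arguments that were never passed (undefined behaviour). */
static const char *log_url_fixed(const char *url)
{
    demo_syslog(6 /* constructed priority value */, "%s", url);
    return last_log;
}

int main(void)
{
    /* URL from the report, '@' restored (assumption) */
    const char *url = "http://lwc%d%d:hsVd632k@vapid.dhs.org/bleh:80";
    printf("directives if used as format: %d\n", count_directives(url));
    printf("logged with \"%%s\": %s\n", log_url_fixed(url));
    return 0;
}
```

The two directives counted for the sample URL correspond to the two `%d` sequences that the logged line in the report shows replaced by numbers.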