Re: Sendmail, lynx, Netscape, sshd, Linux kernel (twice)

[posterkid () PSNW COM (brian j. pardy)]

Michal Zalewski wrote:
> Bugs in lynx 2.8.x (including latest development versions):
> -----------------------------------------------------------
>
> Trivial overflows in protocol handlers:
>
> <a href="rlogin://(approx. 1454 times 'A')">...</a>,
> <a href="telnet://(approx. 1454 times 'A')">...</a> or
> <a href="tn3270://(approx. 1454 times 'A')">...</a>
>
> Choose your favourite protocol. Beautiful SEGV at 0x41414141. Also,
> overflows in finger://, cso://, nntp:// and news:// handlers,
> unfortunately not-so-easily exploitable. 1454 bytes is more than perfect
> for common lynx 2.8.x under Linux. May vary under other platforms.
>
> Not much to say. I reported similar overflow in mailto: protocol months
> ago. I have no idea why it hasn't been fixed.
>
> Samples: http://dione.ids.pl/~lcamtuf/pliki/browsers.html.gz
>
> Solution: ehh...

Since you obviously knew of the development versions enough to download
and test them for this, my sincere thanks for NOT informing the lynx-dev
list of this at all.

lynx-dev () sig net is mentioned PROMINENTLY in the lynx documentation.

It's only common courtesy to report these things to the developers before
a public list.

<sigh>

FWIW, from CHANGES (for 2.8.1rel.2, the most recent version):

1998-05-10 (2.8.1dev.10)
[...]
* fix for buffer-overrun in LYMail.c when processing a mailto:very-log-address
  URL - BL

--
"There is hopeful symbolism in the fact that flags do not wave in a
vacuum."
                -- Arthur C. Clarke