Your message dated Sun, 03 Aug 2008 03:02:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#492744: fixed in links2 2.1pre37-1.1
has caused the Debian Bug report #492744,
regarding CVE-2008-3329: Unspecified vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
492744: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492744
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: links
Severity: important
Tags: security, patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for links.
CVE-2008-3329[0]:
| Unspecified vulnerability in Links before 2.1, when "only proxies" is
| enabled, has unknown impact and attack vectors related to providing
| "URLs to external programs."
Below you'll find a part of the diff between the current debian version
and the new upstream version. The first part is what I believe the patch
for this issue, the second part I am not sure about and thought I'd include
it in the report.
Since I am not sure how exploitable this issue is, I've set the severity
to "important" now, feel free to adjust it.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3329
http://security-tracker.debian.net/tracker/CVE-2008-3329
diff -ur new/links2-2.1pre37/session.c upstream/links-2.1/session.c
--- new/links2-2.1pre37/session.c 2008-06-21 16:12:07.000000000 +0000
+++ upstream/links-2.1/session.c 2008-06-29 16:47:21.000000000 +0000
@@ -2317,6 +2317,7 @@
if (a->accept_http && !strcasecmp(proto, "http")) ret = 1;
if (a->accept_ftp && !strcasecmp(proto, "ftp")) ret = 1;
mem_free(proto);
+ if (proxies.only_proxies) ret = 0;
return ret;
}
diff -ur new/links2-2.1pre37/url.c upstream/links-2.1/url.c
--- new/links2-2.1pre37/url.c 2007-12-26 04:00:49.000000000 +0000
+++ upstream/links-2.1/url.c 2008-06-29 16:47:21.000000000 +0000
@@ -16,7 +16,7 @@
int allow_post;
int bypasses_socks;
} protocols[]= {
- {"file", 0, file_func, NULL, 1, 1, 0, 0, 0},
+ {"file", 0, file_func, NULL, 1, 1, 0, 0, 1},
{"https", 443, https_func, NULL, 0, 1, 1, 1, 0},
{"http", 80, http_func, NULL, 0, 1, 1, 1, 0},
{"proxy", 3128, proxy_func, NULL, 0, 1, 1, 1, 0},
--- End Message ---
--- Begin Message ---
Source: links2
Source-Version: 2.1pre37-1.1
We believe that the bug you reported is fixed in the latest version of
links2, which is due to be installed in the Debian FTP archive:
links2_2.1pre37-1.1.diff.gz
to pool/main/l/links2/links2_2.1pre37-1.1.diff.gz
links2_2.1pre37-1.1.dsc
to pool/main/l/links2/links2_2.1pre37-1.1.dsc
links2_2.1pre37-1.1_i386.deb
to pool/main/l/links2/links2_2.1pre37-1.1_i386.deb
links_2.1pre37-1.1_i386.deb
to pool/main/l/links2/links_2.1pre37-1.1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steffen Joeris <[EMAIL PROTECTED]> (supplier of updated links2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 02 Aug 2008 03:33:53 +0000
Source: links2
Binary: links2 links
Architecture: source i386
Version: 2.1pre37-1.1
Distribution: unstable
Urgency: high
Maintainer: Gürkan Sengün <[EMAIL PROTECTED]>
Changed-By: Steffen Joeris <[EMAIL PROTECTED]>
Description:
links - Web browser running in text mode
links2 - Web browser running in both graphics and text mode
Closes: 492744
Changes:
links2 (2.1pre37-1.1) unstable; urgency=high
.
* Non-maintainer upload by the security team
* Make sure links cannot bypass the proxy, if it is configurered only
to use it in order to avoid leaking of sensitive information to
external programs, fix in session.c (Closes: #492744)
Fixes: CVE-2008-3329
Checksums-Sha1:
58f400cc7d49b14fde04b271f100565ba2f955cd 1283 links2_2.1pre37-1.1.dsc
dfd7c1db5243b313fe9e85eb4dac9f594778b7b4 31595 links2_2.1pre37-1.1.diff.gz
5de86cb5a1aded008e92cd7c318b6cb51bc9ce2d 1976042 links2_2.1pre37-1.1_i386.deb
73407f1c66f5ddb903400b5dbc9a80649167f992 491056 links_2.1pre37-1.1_i386.deb
Checksums-Sha256:
1cf8498685541e14410775ba88020a86885455cc87ebfd116242576c1e527f8b 1283
links2_2.1pre37-1.1.dsc
77a4c077871146994504d9ef231a82db6e8856e7686c8b2b54a61ce399553dbb 31595
links2_2.1pre37-1.1.diff.gz
6a1adc0be39502d2016fbfe5de4dc437d46be27702dfa947748df03645b4a6d5 1976042
links2_2.1pre37-1.1_i386.deb
53d2594534387bee9b11d0b443c0a4d44b8bd7e4485331da83157c01d0f58419 491056
links_2.1pre37-1.1_i386.deb
Files:
0ab9ee7871d1c484dfb822b6649866d3 1283 web optional links2_2.1pre37-1.1.dsc
387be028ea8abba54aa7cfc7b74c785c 31595 web optional links2_2.1pre37-1.1.diff.gz
3a0d7a5053a86403f70724875020b03f 1976042 web optional
links2_2.1pre37-1.1_i386.deb
5cb027ae7fa3f637cb50b8832e9d1a3e 491056 web optional
links_2.1pre37-1.1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkiVHekACgkQ62zWxYk/rQdhQQCcD1ha7VVpvd7Nbsr7WacZfUI/
cwwAnjP6FdNEHAped/y9Ihpk6Gli0GRm
=FLvv
-----END PGP SIGNATURE-----
--- End Message ---
