Bug#399187: CVE-2006-5925: ELinks smb Protocol File Upload/Download Vulnerability

2006-11-27 Thread Julien Cristau
Hi,

do the security@ people have a DSA in preparation for links and/or
elinks for CVE-2006-5925, or should I prepare a patch for the stable
versions too?

Cheers,
Julien





2006-11-27 Thread Martin Schulze
Julien Cristau wrote:
> Hi,
>
> do the security@ people have a DSA in preparation for links and/or
> elinks for CVE-2006-5925, or should I prepare a patch for the stable
> versions too?

As far as I know, no.  Please prepare an update.

Regards,

Joey

-- 
Given enough thrust pigs will fly, but it's not necessarily a good idea.

Please always Cc to me when replying to me on the lists.






2006-11-27 Thread Mikko Rapeli
Hello,

On Mon, Nov 27, 2006 at 12:09:56PM +0100, Julien Cristau wrote:
> On Mon, Nov 27, 2006 at 11:35:07 +0100, Martin Schulze wrote:
>
> > Julien Cristau wrote:
> > > Hi,
> > >
> > > do the security@ people have a DSA in preparation for links and/or
> > > elinks for CVE-2006-5925, or should I prepare a patch for the stable
> > > versions too?
> >
> > As far as I know, no.  Please prepare an update.
> >
> I have source packages ready at:
> http://www.liafa.jussieu.fr/~jcristau/debian/CVE-2006-5925/links_0.99+1.00pre12-1sarge1.dsc
> http://www.liafa.jussieu.fr/~jcristau/debian/CVE-2006-5925/elinks_0.10.4-7.1.dsc

links2 is vulnerable too. The links patch needed a tweak for links2,
but the result is attached.

-Mikko
diff -u links2-2.1pre16/config.sub links2-2.1pre16/config.sub
--- links2-2.1pre16/config.sub
+++ links2-2.1pre16/config.sub
@@ -1,9 +1,9 @@
 #! /bin/sh
 # Configuration validation subroutine script.
 #   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc.
+#   2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
 
-timestamp='2004-11-30'
+timestamp='2005-04-22'
 
 # This file is (in principle) common to ALL GNU software.
 # The presence of a machine in this file suggests that SOME GNU software
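
Review bot: The timestamp bump from '2004-11-30' to '2005-04-22' at the top of config.sub, like the copyright-year and machine-list changes in the hunks that follow, is a refresh of the GNU config helper and has nothing to do with disabling smb. config.guess gets the same timestamp bump further down. A security update is easier to audit when the diff carries only the fix, so I would restore the original config.sub and config.guess before generating the diff, or split the refresh into its own upload.
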
@@ -70,7 +70,7 @@
 version=\
 GNU config.sub ($timestamp)
 
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 
2002, 2003, 2004
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 
2002, 2003, 2004, 2005
 Free Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
@@ -231,13 +231,14 @@
| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | 
alpha64pca5[67] \
| am33_2.0 \
| arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \
+   | bfin \
| c4x | clipper \
| d10v | d30v | dlx | dsp16xx \
| fr30 | frv \
| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
| i370 | i860 | i960 | ia64 \
| ip2k | iq2000 \
-   | m32r | m32rle | m68000 | m68k | m88k | mcore \
+   | m32r | m32rle | m68000 | m68k | m88k | maxq | mcore \
| mips | mipsbe | mipseb | mipsel | mipsle \
| mips16 \
| mips64 | mips64el \
@@ -262,7 +263,8 @@
| pyramid \
| sh | sh[1234] | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | 
sh3ele \
| sh64 | sh64le \
-   | sparc | sparc64 | sparc86x | sparclet | sparclite | sparcv8 | sparcv9 
| sparcv9b \
+   | sparc | sparc64 | sparc64b | sparc86x | sparclet | sparclite \
+   | sparcv8 | sparcv9 | sparcv9b \
| strongarm \
| tahoe | thumb | tic4x | tic80 | tron \
| v850 | v850e \
@@ -298,7 +300,7 @@
| alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
| arm-*  | armbe-* | armle-* | armeb-* | armv*-* \
| avr-* \
-   | bs2000-* \
+   | bfin-* | bs2000-* \
| c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
| clipper-* | craynv-* | cydra-* \
| d10v-* | d30v-* | dlx-* \
@@ -310,7 +312,7 @@
| ip2k-* | iq2000-* \
| m32r-* | m32rle-* \
| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
-   | m88110-* | m88k-* | mcore-* \
+   | m88110-* | m88k-* | maxq-* | mcore-* \
| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
| mips16-* \
| mips64-* | mips64el-* \
@@ -336,7 +338,8 @@
| romp-* | rs6000-* \
| sh-* | sh[1234]-* | sh[23]e-* | sh[34]eb-* | shbe-* \
| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
-   | sparc-* | sparc64-* | sparc86x-* | sparclet-* | sparclite-* \
+   | sparc-* | sparc64-* | sparc64b-* | sparc86x-* | sparclet-* \
+   | sparclite-* \
| sparcv8-* | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \
| tahoe-* | thumb-* \
| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
diff -u links2-2.1pre16/debian/changelog links2-2.1pre16/debian/changelog
--- links2-2.1pre16/debian/changelog
+++ links2-2.1pre16/debian/changelog
@@ -1,3 +1,9 @@
+links2 (2.1pre16-1.0.0.mcf01) unstable; urgency=low
+
+  * try to disable smb
+
+ -- Mikko Rapeli [EMAIL PROTECTED]  Tue, 28 Nov 2006 00:11:10 +0200
+
 links2 (2.1pre16-1) unstable; urgency=low
 
   * New upstream version. (Closes: #267686)
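
Review bot: The new changelog entry "* try to disable smb" does not name CVE-2006-5925 or close #399187, so the fix cannot be traced from the changelog to the advisory or the bug. "try to" also leaves open whether the smb handler is actually unreachable after this change. Suggest wording that states what was changed and why, for example "Disable smb protocol support (CVE-2006-5925). (Closes: #399187)", and raising "urgency=low" to match a security fix.
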
diff -u links2-2.1pre16/config.guess links2-2.1pre16/config.guess
--- links2-2.1pre16/config.guess
+++ links2-2.1pre16/config.guess
@@ -1,9 +1,9 @@
 #! /bin/sh
 # Attempt to guess a canonical system name.
 #   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc.
+#   2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
 
-timestamp='2004-11-12'
+timestamp='2005-04-22'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General