SOURCES: lynx-CVE-2008-4690.patch (NEW) - save from http://cvs.fedora.redha...

glen glen at pld-linux.org
Mon Nov 10 20:18:58 CET 2008 

Author: glen                         Date: Mon Nov 10 19:18:58 2008 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- save from http://cvs.fedora.redhat.com/viewvc/rpms/lynx/devel/lynx-CVE-2008-4690.patch?revision=1.1

---- Files affected:
SOURCES:
   lynx-CVE-2008-4690.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/lynx-CVE-2008-4690.patch
diff -u /dev/null SOURCES/lynx-CVE-2008-4690.patch:1.1
--- /dev/null	Mon Nov 10 20:18:59 2008
+++ SOURCES/lynx-CVE-2008-4690.patch	Mon Nov 10 20:18:53 2008
@@ -0,0 +1,36 @@
+--- lynx2-8-6/CHANGES.old	2008-11-06 15:29:26.000000000 +0100
++++ lynx2-8-6/CHANGES	2008-11-06 15:32:44.000000000 +0100
+@@ -1,5 +1,11 @@
+ Changes since Lynx 2.8 release
+ ===============================================================================
++2008-10-26 
++* modify patch for CVE-2005-2929 to prompt user before executing command via 
++  a lynxcgi link even in advanced mode, as the actual URL may not be shown but 
++  hidden behind an HTTP redirect 
++* set TRUSTED_LYNXCGI:none in lynx.cfg to disable all lynxcgi URLs by default 
++  [CVE-2008-4690] 
+ 
+ 2007-05-09 (2.8.6rel.5 fix from 2.8.7dev.5)
+ * correct loop-limit in print_crawl_to_fd(), which broke
+--- lynx2-8-6/src/LYCgi.c.old	2008-11-06 15:29:58.000000000 +0100
++++ lynx2-8-6/src/LYCgi.c	2008-11-06 15:30:53.000000000 +0100
+@@ -165,7 +165,7 @@ static BOOL can_exec_cgi(const char *lin
+     if (!exec_ok(HTLoadedDocumentURL(), linktext, CGI_PATH)) {
+ 	/* exec_ok gives out msg. */
+ 	result = FALSE;
+-    } else if (user_mode < ADVANCED_MODE) {
++    } else {
+ 	StrAllocCopy(command, linktext);
+ 	if (non_empty(linkargs)) {
+ 	    HTSprintf(&command, " %s", linkargs);
+--- lynx2-8-5.orig/lynx.cfg	2008-10-26 21:45:02.000000000 +0100
++++ lynx2-8-5/lynx.cfg	2008-10-26 21:45:38.000000000 +0100
+@@ -997,7 +997,7 @@ CHARACTER_SET:utf-8
+ # ====
+ # Do not define this.
+ #
+-#TRUSTED_LYNXCGI:none
++TRUSTED_LYNXCGI:none
+ 
+ 
+ .h2 LYNXCGI_ENVIRONMENT
================================================================

More information about the pld-cvs-commit mailing list