Re: LYNX-DEV security patches for lynx2.7.1 vulnerability wanted?

[Jim Spath (Webmaster Jim)]

On Tue, 15 Jul 1997, John Saroglou wrote:

> Greetings...
> Are there any patches that address the security issue as described in
> CERT* Vendor-Initiated Bulletin VB-97.05 dated July 15, 1997 (see below).
> I'm wondering if such patches have been applied to the present/next
> release of lynx distribution.  If so, where can I grab a copy from?
> Thanks in advance.

According to the bulletin, you can do this:

     1. Lynx can be rebuilt with the "#define TEMP_SPACE" in
        lynx2-7-1/userdefs.h changed from "/tmp" to point to a
        directory only writeable by the user executing Lynx.

     2. The LYNX_TEMP_SPACE environment variable may be set before
        shell startup files (.profile, .cshrc, or equivalent) or into
        the system profile (/etc/profile or equivalent).

     As an aid to allowing Lynx to find user-specific temp. directories,
     Lynx 2.7.1 will replace "~" in the temp. space allocation with the
     path to the user's home directory.

     Individual users may also set the LYNX_TEMP_SPACE environment
     variable to point to another place known to be unwriteable by other
     users (for instance a subdirectory of the users' home directory, or a
     mode 0700 directory of a "sticky" /tmp).

Please let us know is this is unclear.

------
<http://www.cs.indiana.edu/picons/db/users/us/md/lib/bcpl/jspath/face.xbm>
Marvin the Paranoid Android says:
My capacity for happiness you could fit in a matchbox...
(without taking the matches out first)

;
; To UNSUBSCRIBE:  Send a mail message to address@hidden
;                  with "unsubscribe lynx-dev" (without the
;                  quotation marks) on a line by itself.
;