lynx-dev Re: Sendmail, lynx, Netscape, sshd, Linux kernel (twice)

[brian j. pardy]

Michal Zalewski wrote:
> Bugs in lynx 2.8.x (including latest development versions):
> -----------------------------------------------------------
> 
> Trivial overflows in protocol handlers:
> 
> <a href="rlogin://(approx. 1454 times 'A')">...</a>,
> <a href="telnet://(approx. 1454 times 'A')">...</a> or
> <a href="tn3270://(approx. 1454 times 'A')">...</a>
> 
> Choose your favourite protocol. Beautiful SEGV at 0x41414141. Also,
> overflows in finger://, cso://, nntp:// and news:// handlers,
> unfortunately not-so-easily exploitable. 1454 bytes is more than perfect
> for common lynx 2.8.x under Linux. May vary under other platforms.
> 
> Not much to say. I reported similar overflow in mailto: protocol months
> ago. I have no idea why it hasn't been fixed.
> 
> Samples: http://dione.ids.pl/~lcamtuf/pliki/browsers.html.gz
> 
> Solution: ehh...

Since you obviously knew of the development versions enough to download 
and test them for this, my sincere thanks for NOT informing the lynx-dev
list of this at all.

address@hidden is mentioned PROMINENTLY in the lynx documentation.

It's only common courtesy to report these things to the developers before
a public list.

<sigh>

FWIW, from CHANGES (for 2.8.1rel.2, the most recent version):

1998-05-10 (2.8.1dev.10)
[...]
* fix for buffer-overrun in LYMail.c when processing a mailto:very-log-address
  URL - BL

-- 
"There is hopeful symbolism in the fact that flags do not wave in a
vacuum."
                -- Arthur C. Clarke