COMMAND

    lynx

SYSTEMS AFFECTED

    munices

PROBLEM

    Michal Zalewski found following.  Over six months ago, he reported
    nasty and easily exploitable overflows in lynx while parsing  some
    URLs - like cso://AAAA... etc.  He had given some examples, and it
    was  fixed,  but  then,  month  later,  Michal realized that other
    protocols,  not  mentioned  in  previous  post  are still buggy in
    exactly  the  same  way.   Another  post  resulted in patched lynx
    release.  And what now, guess?...

    Similar problems are present for example when lynx is using  proxy
    server  (often  sysadm  puts  proxy  server  settings  in   global
    lynx.cfg) - even in recent 2.8.3dev2x releases - http://AAA...  or
    ftp://AAA...   requests  with  over  2  kb  of junk after protocol
    indentifier (instead of valid  hostname) - 0x41414141 SEGV  - old,
    good,  exploitable  overflow  while  preparing  request  for proxy
    server.   AND  MORE  FOLLOWS  -  for  example  some overflows when
    viewing  'Information  about  current  document'  and  so  on, all
    related to extremely long URLs.

SOLUTION

    Hopefully, we  will see  another patch  soon.   For FreeBSD remove
    the  lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current  ports, if
    you you have installed them.

    Upgrade to lynx or lynx-current after the correction date.   After
    the initial release  of this advisory,  the Lynx development  team
    conducted an  audit of  the source  code, and  have corrected  the
    known vulnerabilities in lynx as well as increasing the robustness
    of  the  string-handling  code.   As  of  lynx-2.8.3pre.5, FreeBSD
    consider it safe enough to use again.

    Note that there may  be undiscovered vulnerabilities remaining  in
    the  code,  as  with  all  software  -  but  should  any   further
    vulnerabilities  be  discovered  a  new  advisory  will be issued.
    At this  time the  lynx-ssl/ja-lynx/ja-lynx-current ports  are not
    yet  updated  to  a  safe  version  of lynx: this advisory will be
    reissued again once they are.

        1) Upgrade your entire  ports collection and rebuild  the lynx
           or lynx-current port.
        2) Reinstall  a lynx  new package  dated after  the correction
           date, obtained from:
               ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/lynx-2.8.3.1.tgz
               ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/lynx-2.8.3.1.tgz
               ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/lynx-2.8.3.1.tgz
               ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/lynx-2.8.3.1.tgz
               ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/www/lynx-2.8.3.1.tgz

           Note that the lynx-current port is not automatically  built
           as a package.
        3) download a new port skeleton for the lynx/lynx-current port
           from:
               http://www.freebsd.org/ports/

           and use it to rebuild the port.

    In  the  meantime,  there  are  two  other  text-mode WWW browsers
    available in FreeBSD ports: www/w3m (also available in www/w3m-ssl
    for    an    SSL-enabled    version,    and    japanese/w3m    for
    Japanese-localization) and www/links.