Michal Zalewski wrote:
> Bugs in lynx 2.8.x (including latest development versions):
> -----------------------------------------------------------
>
> Trivial overflows in protocol handlers:
>
> <a href="rlogin://(approx. 1454 times 'A')">...</a>,
> <a href="telnet://(approx. 1454 times 'A')">...</a> or
> <a href="tn3270://(approx. 1454 times 'A')">...</a>
>
> Choose your favourite protocol. Beautiful SEGV at 0x41414141. Also,
> overflows in finger://, cso://, nntp:// and news:// handlers,
> unfortunately not-so-easily exploitable. 1454 bytes is more than perfect
> for common lynx 2.8.x under Linux. May vary under other platforms.
>
> Not much to say. I reported a similar overflow in the mailto: protocol months
> ago. I have no idea why it hasn't been fixed.
>
> Samples: http://dione.ids.pl/~lcamtuf/pliki/browsers.html.gz
>
> Solution: ehh...

Since you obviously knew of the development versions enough to download
and test them for this, my sincere thanks for NOT informing the lynx-dev
list of this at all. lynx-devat_private is mentioned PROMINENTLY in the
lynx documentation. It's only common courtesy to report these things to
the developers before a public list. <sigh>

FWIW, from CHANGES (for 2.8.1rel.2, the most recent version):

1998-05-10 (2.8.1dev.10)
[...]
* fix for buffer-overrun in LYMail.c when processing a mailto:very-log-address
  URL - BL

--
"There is hopeful symbolism in the fact that flags do not wave in a vacuum."
        -- Arthur C. Clarke
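As an added example (not lynx's source and not from either poster), the unbounded copy pattern behind this class of protocol-handler overflow beside a bounded host extraction that rejects the ~1454-byte host from the report instead of overrunning the buffer. HOST_MAX, the function names and the constructed URL are assumptions, not values from lynx.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOST_MAX 256   /* assumed destination size; lynx's real buffers may differ */

/* Vulnerable pattern (hypothetical, not lynx's code): copy everything after
 * "scheme://" into a fixed buffer with no length check. A host longer than
 * HOST_MAX-1 bytes overruns 'host', which is the SEGV the report describes. */
int parse_host_unsafe(const char *url, char host[HOST_MAX]) {
    const char *p = strstr(url, "://");
    if (p == NULL) return -1;
    strcpy(host, p + 3);          /* no bound: overflow on an oversized host */
    return 0;
}

/* Hardened form: the host ends at the first '/' or ':'; anything that does not
 * fit (with its NUL) is refused rather than silently truncated. 0 = ok, -1 = rejected. */
int parse_host_safe(const char *url, char *host, size_t host_size) {
    const char *p = strstr(url, "://");
    if (p == NULL || host_size == 0) return -1;
    p += 3;
    size_t len = strcspn(p, "/:");
    if (len == 0 || len >= host_size) return -1;
    memcpy(host, p, len);
    host[len] = '\0';
    return 0;
}

/* Constructed input: "<scheme>://" followed by host_len 'A's, mirroring the
 * report's approx. 1454-byte case. Caller frees the result. */
char *make_long_url(const char *scheme, size_t host_len) {
    size_t prefix = strlen(scheme) + 3;
    char *url = malloc(prefix + host_len + 1);
    if (url == NULL) return NULL;
    sprintf(url, "%s://", scheme);
    memset(url + prefix, 'A', host_len);
    url[prefix + host_len] = '\0';
    return url;
}

/* 1 if the hardened parser rejects a host of host_len bytes for this scheme, else 0. */
int oversized_host_is_rejected(const char *scheme, size_t host_len) {
    char host[HOST_MAX];
    char *url = make_long_url(scheme, host_len);
    if (url == NULL) return 0;
    int rc = parse_host_safe(url, host, sizeof host);
    free(url);
    return rc == -1;
}

/* 1 if parsing url succeeds and yields exactly 'expected', else 0. */
int parsed_host_matches(const char *url, const char *expected) {
    char host[HOST_MAX];
    if (parse_host_safe(url, host, sizeof host) != 0) return 0;
    return strcmp(host, expected) == 0;
}
```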
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:21:26 PDT