Your message dated Mon, 27 Nov 2006 08:47:04 +0000 with message-id <[EMAIL PROTECTED]> and subject line Bug#396964: fixed in lynx 2.8.5-2sarge2.2 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database)
--- Begin Message ---Package: lynx-cur Version: 2.8.7dev1-1 Severity: grave Tags: security Justification: user security hole Lynx attempts to use the .mime.types and .mailcap files located in the current directory: $ strace lynx -dump 2>&1 | grep '^open("[^/]' open(".mailcap", O_RDONLY) = -1 ENOENT (No such file or directory) open(".mime.types", O_RDONLY) = -1 ENOENT (No such file or directory) $ This allows an attacker to cause lynx to execute arbitrary shell code when a user runs lynx while visiting a directory with attacker-provided contents. -- System Information: Debian Release: testing/unstable APT prefers testing APT policy: (500, 'testing') Architecture: i386 (x86_64) Shell: /bin/sh linked to /bin/dash Kernel: Linux 2.6.18 Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8) Versions of packages lynx-cur depends on: ii debconf [debconf-2.0] 1.5.8 Debian configuration management sy ii libc6 2.3.6.ds1-4 GNU C Library: Shared libraries ii libgnutls13 1.4.4-1 the GNU TLS library - runtime libr ii libncursesw5 5.5-5 Shared libraries for terminal hand ii zlib1g 1:1.2.3-13 compression library - runtime Versions of packages lynx-cur recommends: ii mime-support 3.37-1 MIME files 'mime.types' & 'mailcap -- debconf information: * lynx-cur/defaulturl: http://www.google.pl/ lynx-cur/etc_lynx.cfg:
--- End Message ---
--- Begin Message ---Source: lynx Source-Version: 2.8.5-2sarge2.2 We believe that the bug you reported is fixed in the latest version of lynx, which is due to be installed in the Debian FTP archive: lynx_2.8.5-2sarge2.2.diff.gz to pool/main/l/lynx/lynx_2.8.5-2sarge2.2.diff.gz lynx_2.8.5-2sarge2.2.dsc to pool/main/l/lynx/lynx_2.8.5-2sarge2.2.dsc lynx_2.8.5-2sarge2.2_i386.deb to pool/main/l/lynx/lynx_2.8.5-2sarge2.2_i386.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Andreas Barth <[EMAIL PROTECTED]> (supplier of updated lynx package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.7 Date: Mon, 27 Nov 2006 07:43:17 +0100 Source: lynx Binary: lynx Architecture: source i386 Version: 2.8.5-2sarge2.2 Distribution: unstable Urgency: low Maintainer: James Troup <[EMAIL PROTECTED]> Changed-By: Andreas Barth <[EMAIL PROTECTED]> Description: lynx - Text-mode WWW Browser Closes: 396964 Changes: lynx (2.8.5-2sarge2.2) unstable; urgency=low . * Non-maintainer upload. * Read user configuration from home directory, not current working directory. Closes: #396964 Thanks to Tom Parker for the patch. Files: 8e29b107936e7c665307555f758c33d3 616 web optional lynx_2.8.5-2sarge2.2.dsc 8faaf1bdfa1f40122a680e277b19d6f8 18375 web optional lynx_2.8.5-2sarge2.2.diff.gz 9065b8b8ef04961537aa3fe56b8a393d 1859352 web optional lynx_2.8.5-2sarge2.2_i386.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFFaqMrmdOZoew2oYURArWWAJsHUDW60sYQhojnxIY2M8GlBIn5zACfWRwH nqjt5N8X2d0oBETjhasR6Oc= =kM8Z -----END PGP SIGNATURE-----
--- End Message ---
