From 73668a790d2cb3ccb75e2af4cfebbaf4ea137483 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ji=C5=99=C3=AD=20Moskov=C4=8D=C3=A1k?=
Date: Fri, 7 Nov 2008 13:50:50 +0000
Subject: [PATCH] Fixed CVE-2008-4690 - remote arbitrary command execution via a crafted lynxcgi: URL
---
 lynx-CVE-2008-4690.patch | 36 ++++++++++++++++++++++++++++++++++++
 lynx.spec | 8 +++++++-
 2 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 lynx-CVE-2008-4690.patch
diff --git a/lynx-CVE-2008-4690.patch b/lynx-CVE-2008-4690.patch
new file mode 100644
index 0000000..5f8e375
--- /dev/null
+++ b/lynx-CVE-2008-4690.patch
@@ -0,0 +1,36 @@
+--- lynx2-8-6/CHANGES.old 2008-11-06 15:29:26.000000000 +0100
++++ lynx2-8-6/CHANGES 2008-11-06 15:32:44.000000000 +0100
+@@ -1,5 +1,11 @@
+ Changes since Lynx 2.8 release
+ ===============================================================================
++2008-10-26
++* modify patch for CVE-2005-2929 to prompt user before executing command via
++ a lynxcgi link even in advanced mode, as the actual URL may not be shown but
++ hidden behind an HTTP redirect
++* set TRUSTED_LYNXCGI:none in lynx.cfg to disable all lynxcgi URLs by default
++ [CVE-2008-4690]
+
+ 2007-05-09 (2.8.6rel.5 fix from 2.8.7dev.5)
+ * correct loop-limit in print_crawl_to_fd(), which broke
+--- lynx2-8-6/src/LYCgi.c.old 2008-11-06 15:29:58.000000000 +0100
++++ lynx2-8-6/src/LYCgi.c 2008-11-06 15:30:53.000000000 +0100
+@@ -165,7 +165,7 @@ static BOOL can_exec_cgi(const char *lin
+ if (!exec_ok(HTLoadedDocumentURL(), linktext, CGI_PATH)) {
+ /* exec_ok gives out msg. */
+ result = FALSE;
+- } else if (user_mode < ADVANCED_MODE) {
++ } else {
+ StrAllocCopy(command, linktext);
+ if (non_empty(linkargs)) {
+ HTSprintf(&command, " %s", linkargs);
+--- lynx2-8-5.orig/lynx.cfg 2008-10-26 21:45:02.000000000 +0100
++++ lynx2-8-5/lynx.cfg 2008-10-26 21:45:38.000000000 +0100
+@@ -997,7 +997,7 @@ CHARACTER_SET:utf-8
+ # ====
+ # Do not define this.
+ #
+-#TRUSTED_LYNXCGI:none
++TRUSTED_LYNXCGI:none
+
+
+ .h2 LYNXCGI_ENVIRONMENT
diff --git a/lynx.spec b/lynx.spec
index cfb818f..52c285a 100644
--- a/lynx.spec
+++ b/lynx.spec
@@ -1,7 +1,7 @@
 Summary: A text-based Web browser
 Name: lynx
 Version: 2.8.6
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: GPLv2
 Group: Applications/Internet
 Source: http://lynx.isc.org/current/lynx%{version}.tar.bz2
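Review bot: In the lynx.cfg part of the embedded patch, `TRUSTED_LYNXCGI:none` is activated directly beneath the existing comment `# Do not define this.`, so the shipped configuration contradicts its own documentation and gives an administrator no hint that this line is the CVE-2008-4690 mitigation. I would replace that comment with something like `# Security default (CVE-2008-4690): "none" disables all lynxcgi: URLs; change only if local CGI scripts are required.` In the LYCgi.c part, the confirmation that is now unconditional is built from `linktext` and `linkargs`, and the code that displays it lies outside the hunk, so it is worth confirming that control characters or very long arguments cannot keep the user from seeing the full command before approving it. The body of can_exec_cgi starts before and continues after the visible lines.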
@@ -13,6 +13,7 @@ Patch3: lynx-2.8.6-backgrcolor.patch
 Patch4: lynx-2.8.6-fmt_string.patch
 Patch5: lynx-build-fixes.patch
 Patch6: lynx-more-build-fixes.patch
+Patch7: lynx-CVE-2008-4690.patch
 Requires: indexhtml
 Provides: webclient
 Provides: text-www-browser
@@ -35,6 +36,7 @@ exits quickly and swiftly displays webpages.
 %patch4 -p1 -b .fmt_string
 %patch5 -p1 -b .build-fixes
 %patch6 -p1 -b .more-build-fixes
+%patch7 -p1 -b .CVE-2008-4690
 perl -pi -e "s,^HELPFILE:.*,HELPFILE:file://localhost/usr/share/doc/lynx-%{version}/lynx_help/lynx_help_main.html,g" lynx.cfg
 perl -pi -e "s,^DEFAULT_INDEX_FILE:.*,DEFAULT_INDEX_FILE:http://www.google.com/,g" lynx.cfg
 perl -pi -e 's,^#LOCALE_CHARSET:.*,LOCALE_CHARSET:TRUE,' lynx.cfg
@@ -106,6 +108,10 @@ rm -rf $RPM_BUILD_ROOT
 %config(noreplace,missingok) %{_sysconfdir}/lynx-site.cfg
 %changelog
+* Fri Nov 7 2008 Jiri Moskovcak - 2.8.6-18
+- Fixed CVE-2008-4690 lynx: remote arbitrary command execution.
+ via a crafted lynxcgi: URL (thoger)
+
 * Thu Aug 7 2008 Tom "spot" Callaway - 2.8.6-17
 - fix license tag