links browser flawed


Postby elcore » 30. Oct 2017, 20:11

Apparently links-2.12 browser is shipped by slackware-14.2 and has a CVE which has only been fixed in slackware-current.
Recommend: Upgrade to links-2.14 (compiles fine here, I've checked)
elcore
 
Posts: 35
Joined: 4. Jul 2014, 05:07
Location: EU

Re: links browser flawed

Postby DidierSpaier » 30. Oct 2017, 22:37

Hello,

could you please provide the CVE number? This will help assess the severity.

Greetings,

Didier
DidierSpaier
 
Posts: 201
Joined: 20. Jun 2016, 20:15

Re: links browser flawed

Postby elcore » 31. Oct 2017, 06:53

There's not just one flaw, there's plenty. At least 4 different ones in changelog.
But the problem with finding assigned number is the program name, if you input that into crawler bot it just outputs everything which "links" ..
So there's millions of CVE pages which have "links" and you must then manually look for the "links-browser" relevant ones. (It's manual labor)
Patched or not patched, I've compiled it locally for 14.1, works fine.
elcore
 
Posts: 35
Joined: 4. Jul 2014, 05:07
Location: EU

Re: links browser flawed

Postby DidierSpaier » 31. Oct 2017, 11:28

I was just able to find this in the Red Hat bug tracker. They tag its severity as medium and do not mention a CVE.

However I just found this CVE about 2.14 that mentions a possible DOS in version 2.14, and refers to this page. I won't hurry to upgrade.
DidierSpaier
 
Posts: 201
Joined: 20. Jun 2016, 20:15

Re: links browser flawed

Postby elcore » 1. Nov 2017, 05:01

Wed Nov 2 20:35:31 CET 2016 mikulas:

Limit keepalive of ciphers with 64-bit block size to mitigate
the SWEET32 attack

Wed Nov 2 19:14:33 CET 2016 mikulas:

Disable SSL compression to avoid the CRIME attack

Tue Aug 16 18:53:53 CEST 2016 mikulas:

Security bug fixed: Don't load or render the content of
"407 Proxy Authentication Required" reply when using https proxy.
This avoids the FalseCONNECT attack.

Also, don't allow 401 and 407 responses to set cookies.

Sun Mar 13 19:10:27 CET 2016 mikulas:

Do not lookup .onion addresses directly, as specified by rfc7686


So because there's a chance of DOS in new version, you're fine with the above things not being fixed in your package?

No offense, but I only trust in volkerdi, rworkman, and djemos judgement.
If they don't upgrade I figure the package is more or less safe to use, or they've simply forgotten about it.
Either way, while I might be a 3rd party packager, I'm no distributor so it's no problem of mine. Just saying.
elcore
 
Posts: 35
Joined: 4. Jul 2014, 05:07
Location: EU

Re: links browser flawed

Postby mimosa » 1. Nov 2017, 08:22

This is really an upstream problem. While a packager can apply small patches, it is really up to the application developers to fix things like this, and by the sound of it, they may not be doing that well. I can't judge the severity of these vulnerabilities, but if you are worried about it, there are plenty of other browsers.

It is also an "upstream" problem in the sense that this is a Slackware package, and I think you are probably right that you are in good hands there. You could always try writing to them about it.

Have you had a look to see what other distributions are doing? For instance, Arch?
mimosa
Salix Warrior
 
Posts: 2862
Joined: 25. May 2010, 17:02

Re: links browser flawed

Postby elcore » 1. Nov 2017, 09:59

mimosa wrote: This is really an upstream problem. While a packager can apply small patches, it is really up to the application developers to fix things like this

Not sure you've noticed, but the quoted thing is from changelog 2.13 and 2.14 so evidently the devs are fixing things.
And it's been packaged in -current, only thing I don't understand is whether or not the upgrade's omitted in -14.x on purpose or by mistake.

mimosa wrote: Have you had a look to see what other distributions are doing? For instance, Arch?

I'm really not interested in poetterware. Prefer BSD.
elcore
 
Posts: 35
Joined: 4. Jul 2014, 05:07
Location: EU

Re: links browser flawed

Postby DidierSpaier » 1. Nov 2017, 10:39

elcore wrote: And it's been packaged in -current, only thing I don't understand is whether or not the upgrade's omitted in -14.x on purpose or by mistake.

You may ask on LQ or send an email to Patrick. Only he knows, and maybe some Slackware team members.

EDIT Somehow I managed at first to mess up things writing this post, so it quoted mimosa instead of elcore, sorry. This is now corrected.
DidierSpaier
 
Posts: 201
Joined: 20. Jun 2016, 20:15

Re: links browser flawed

Postby ChuangTzu » 3. Nov 2017, 20:29

DidierSpaier wrote:
elcore wrote: And it's been packaged in -current, only thing I don't understand is whether or not the upgrade's omitted in -14.x on purpose or by mistake.
You may ask on LQ or send an email to Patrick. Only he knows, and maybe some Slackware team members.

EDIT Somehow I managed at first to mess up things writing this post, so it quoted mimosa instead of elcore, sorry. This is now corrected.


Agreed, if it is a Slackware package then post on LQ, preferably under the Security thread. Also, make sure you link to the CVE, and point out that it was updated in current but not 14.2.
ChuangTzu
Donor
 
Posts: 256
Joined: 19. May 2015, 23:34

