links browser flawed

elcore
Posts: 40
Joined: 4. Jul 2014, 05:07
Location: EU

links browser flawed

Post by elcore »

Apparently the links-2.12 browser is shipped by slackware-14.2 and has a CVE which has only been fixed in slackware-current.
Recommend: Upgrade to links-2.14 (compiles fine here, I've checked)
DidierSpaier
Posts: 518
Joined: 20. Jun 2016, 20:15

Re: links browser flawed

Post by DidierSpaier »

Hello,

could you please provide the CVE number? This will help assess the severity.

Greetings,

Didier
elcore
Posts: 40
Joined: 4. Jul 2014, 05:07
Location: EU

Re: links browser flawed

Post by elcore »

There's not just one flaw, there's plenty. At least 4 different ones in the changelog.
But the problem with finding the assigned number is the program name: if you input that into a crawler bot it just outputs everything which "links"...
So there are millions of CVE pages which have "links" and you must then manually look for the "links-browser" relevant ones. (It's manual labor)
Patched or not patched, I've compiled it locally for 14.1, works fine.
DidierSpaier
Posts: 518
Joined: 20. Jun 2016, 20:15

Re: links browser flawed

Post by DidierSpaier »

I was just able to find this in the Red Hat bug tracker. They tag its severity as medium and do not mention a CVE.

However, I just found this CVE about 2.14 that mentions a possible DoS in version 2.14, and refers to this page. I won't hurry to upgrade.
elcore
Posts: 40
Joined: 4. Jul 2014, 05:07
Location: EU

Re: links browser flawed

Post by elcore »

Wed Nov 2 20:35:31 CET 2016 mikulas:

Limit keepalive of ciphers with 64-bit block size to mitigate
the SWEET32 attack

Wed Nov 2 19:14:33 CET 2016 mikulas:

Disable SSL compression to avoid the CRIME attack

Tue Aug 16 18:53:53 CEST 2016 mikulas:

Security bug fixed: Don't load or render the content of
"407 Proxy Authentication Required" reply when using https proxy.
This avoids the FalseCONNECT attack.

Also, don't allow 401 and 407 responses to set cookies.

Sun Mar 13 19:10:27 CET 2016 mikulas:

Do not lookup .onion addresses directly, as specified by rfc7686

So because there's a chance of DOS in new version, you're fine with the above things not being fixed in your package?

No offense, but I only trust in volkerdi, rworkman, and djemos judgement.
If they don't upgrade I figure the package is more or less safe to use, or they've simply forgotten about it.
Either way, while I might be a 3rd party packager, I'm no distributor so it's no problem of mine. Just saying.
mimosa
Salix Warrior
Posts: 3311
Joined: 25. May 2010, 17:02

Re: links browser flawed

Post by mimosa »

This is really an upstream problem. While a packager can apply small patches, it is really up to the application developers to fix things like this, and by the sound of it, they may not be doing that well. I can't judge the severity of these vulnerabilities, but if you are worried about it, there are plenty of other browsers.

It is also an "upstream" problem in the sense that this is a Slackware package, and I think you are probably right that you are in good hands there. You could always try writing to them about it.

Have you had a look to see what other distributions are doing? For instance, Arch?
elcore
Posts: 40
Joined: 4. Jul 2014, 05:07
Location: EU

Re: links browser flawed

Post by elcore »

mimosa wrote: This is really an upstream problem. While a packager can apply small patches, it is really up to the application developers to fix things like this
Not sure you've noticed, but the quoted thing is from changelog 2.13 and 2.14 so evidently the devs are fixing things.
And it's been packaged in -current, only thing I don't understand is whether or not the upgrade's omitted in -14.x on purpose or by mistake.
mimosa wrote: Have you had a look to see what other distributions are doing? For instance, Arch?
I'm really not interested in poetterware. Prefer BSD.
DidierSpaier
Posts: 518
Joined: 20. Jun 2016, 20:15

Re: links browser flawed

Post by DidierSpaier »

elcore wrote: And it's been packaged in -current, only thing I don't understand is whether or not the upgrade's omitted in -14.x on purpose or by mistake.
You may ask on LQ or send an email to Patrick. Only he knows, and maybe some Slackware team members.

EDIT Somehow I managed at first to mess up things writing this post, so it quoted mimosa instead of elcore, sorry. This is now corrected.
ChuangTzu
Donor
Posts: 388
Joined: 19. May 2015, 23:34

Re: links browser flawed

Post by ChuangTzu »

DidierSpaier wrote:
elcore wrote: And it's been packaged in -current, only thing I don't understand is whether or not the upgrade's omitted in -14.x on purpose or by mistake.
You may ask on LQ or send an email to Patrick. Only he knows, and maybe some Slackware team members.

EDIT Somehow I managed at first to mess up things writing this post, so it quoted mimosa instead of elcore, sorry. This is now corrected.
Agreed, if it is a Slackware package then post on LQ, preferably under the Security thread. Also, make sure you link to the CVE, and point out that it was updated in current but not 14.2...