Executive Summary



This alert is flagged as a TOP 25 Common Weakness Enumeration entry from CWE/SANS.
Summary
Title: elinks security update
Information
Name: RHSA-2009:1471
First vendor publication: 2009-10-01
Vendor: RedHat
Last vendor modification: 2009-10-01
Severity (Vendor): Important
Revision: 01

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact Sub Score: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS Base Score: 7.8
Attack Range: Network
CVSS Impact Score: 6.9
Attack Complexity: Low
CVSS Exploit Score: 10
Authentication: None Required

Detail

Problem Description:

An updated elinks package that fixes two security issues is now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

ELinks is a text-based Web browser. ELinks does not display any images, but it does support frames, tables, and most other HTML tags.

An off-by-one buffer overflow flaw was discovered in the way ELinks handled its internal cache of string representations for HTML special entities. A remote attacker could use this flaw to create a specially-crafted HTML file that would cause ELinks to crash or, possibly, execute arbitrary code when rendered. (CVE-2008-7224)

It was discovered that ELinks tried to load translation files using relative paths. A local attacker able to trick a victim into running ELinks in a folder containing specially-crafted translation files could use this flaw to confuse the victim via incorrect translations, or cause ELinks to crash and possibly execute arbitrary code via embedded formatting sequences in translated messages. (CVE-2007-2027)

All ELinks users are advised to upgrade to this updated package, which contains backported patches to resolve these issues.
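
An added illustration of the CVE-2007-2027 risk described above (this is not ELinks code and not the backported patch): a message catalog entry that is later used as a printf-style format should carry exactly the same conversions as the original message. The function names and sample strings are assumptions made for this example.

```c
#include <string.h>

/* Append each printf conversion in fmt ("%s", "%-5d", ...) to out, separated
 * by spaces. "%%" takes no argument and is skipped. Returns the number of
 * conversions, or -1 on a truncated/unsupported one or if out is too small.
 * "%n" and positional "%1$s" forms are deliberately treated as unsupported. */
static int collect_specs(const char *fmt, char *out, size_t outsz)
{
    size_t used = 0;
    int count = 0;

    if (outsz == 0)
        return -1;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {              /* literal percent sign */
            p++;
            continue;
        }
        const char *start = p++;
        p += strspn(p, "#0- +123456789.*hlLjzt");  /* flags, width, length */
        if (*p == '\0' || strchr("diouxXeEfFgGaAcsp", *p) == NULL)
            return -1;
        size_t len = (size_t)(p - start) + 1;
        if (used + len + 2 > outsz)     /* room for spec, space and NUL */
            return -1;
        memcpy(out + used, start, len);
        used += len;
        out[used++] = ' ';
        count++;
    }
    out[used] = '\0';
    return count;
}

/* Hypothetical policy check: accept a translated message as a printf format
 * only if its conversions match the original message exactly, in order. */
int translation_format_ok(const char *msgid, const char *msgstr)
{
    char want[256], got[256];
    if (collect_specs(msgid, want, sizeof want) < 0 ||
        collect_specs(msgstr, got, sizeof got) < 0)
        return 0;
    return strcmp(want, got) == 0;
}

/* Constructed sample: a benign translation is accepted (exit status 0). */
int main(void) { return translation_format_ok("Loading %s", "Chargement de %s") ? 0 : 1; }
```

The comparison is intentionally strict, so a translation that only changes a field width is rejected as well.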

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

235411 - CVE-2007-2027 elinks tries to load .po files from a non-absolute path
523258 - CVE-2008-7224 elinks: entity_cache static array buffer overflow (off-by-one)

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2009-1471.html

CAPEC : Common Attack Pattern Enumeration & Classification

Id Name
CAPEC-38 Leveraging/Manipulating Configuration File Search Paths
CAPEC-67 String Format Overflow in syslog()

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-134 Uncontrolled Format String (CWE/SANS Top 25)
50 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10126
 
Oval ID: oval:org.mitre.oval:def:10126
Title: Buffer overflow in entity_cache in ELinks before 0.11.4rc0 allows remote attackers to cause a denial of service (crash) via a crafted link.
Description: Buffer overflow in entity_cache in ELinks before 0.11.4rc0 allows remote attackers to cause a denial of service (crash) via a crafted link.
Family: unix Class: vulnerability
Reference(s): CVE-2008-7224
Version: 5
Platform(s): Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13402
 
Oval ID: oval:org.mitre.oval:def:13402
Title: USN-851-1 -- elinks vulnerabilities
Description: Teemu Salmela discovered that Elinks did not properly validate input when processing smb:// URLs. If a user were tricked into viewing a malicious website and had smbclient installed, a remote attacker could execute arbitrary code with the privileges of the user invoking the program. Jakub Wilk discovered a logic error in Elinks, leading to a buffer overflow. If a user were tricked into viewing a malicious website, a remote attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program
Family: unix Class: patch
Reference(s): USN-851-1
CVE-2006-5925
CVE-2008-7224
Version: 5
Platform(s): Ubuntu 6.06
Product(s): elinks
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13608
 
Oval ID: oval:org.mitre.oval:def:13608
Title: DSA-1902-1 elinks -- buffer overflow
Description: Jakub Wilk discovered an off-by-one buffer overflow in the charset handling of elinks, a feature-rich text-mode WWW browser, which might lead to the execution of arbitrary code if the user is tricked into opening a malformed HTML page. For the old stable distribution, this problem has been fixed in version 0.11.1-1.2etch2. The stable distribution and the unstable distribution already contain a patch for this problem. We recommend that you upgrade your elinks package.
Family: unix Class: patch
Reference(s): DSA-1902-1
CVE-2008-7224
Version: 5
Platform(s): Debian GNU/Linux 4.0
Product(s): elinks
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22914
 
Oval ID: oval:org.mitre.oval:def:22914
Title: ELSA-2009:1471: elinks security update (Important)
Description: Buffer overflow in entity_cache in ELinks before 0.11.4rc0 allows remote attackers to cause a denial of service (crash) via a crafted link.
Family: unix Class: patch
Reference(s): ELSA-2009:1471-01
CVE-2007-2027
CVE-2008-7224
Version: 13
Platform(s): Oracle Linux 5
Product(s): elinks
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:28926
 
Oval ID: oval:org.mitre.oval:def:28926
Title: RHSA-2009:1471 -- elinks security update (Important)
Description: An updated elinks package that fixes two security issues is now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. ELinks is a text-based Web browser. ELinks does not display any images, but it does support frames, tables, and most other HTML tags. An off-by-one buffer overflow flaw was discovered in the way ELinks handled its internal cache of string representations for HTML special entities. A remote attacker could use this flaw to create a specially-crafted HTML file that would cause ELinks to crash or, possibly, execute arbitrary code when rendered. (CVE-2008-7224)
Family: unix Class: patch
Reference(s): RHSA-2009:1471
CESA-2009:1471-CentOS 5
CVE-2007-2027
CVE-2008-7224
Version: 3
Platform(s): Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Product(s): elinks
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:7928
 
Oval ID: oval:org.mitre.oval:def:7928
Title: DSA-1902 elinks -- buffer overflow
Description: Jakub Wilk discovered an off-by-one buffer overflow in the charset handling of elinks, a feature-rich text-mode WWW browser, which might lead to the execution of arbitrary code if the user is tricked into opening a malformed HTML page.
Family: unix Class: patch
Reference(s): DSA-1902
CVE-2008-7224
Version: 3
Platform(s): Debian GNU/Linux 4.0
Product(s): elinks
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:9741
 
Oval ID: oval:org.mitre.oval:def:9741
Title: Untrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local users to cause Elinks to use an untrusted gettext message catalog (.po file) in a "../po" directory, which can be leveraged to conduct format string attacks.
Description: Untrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local users to cause Elinks to use an untrusted gettext message catalog (.po file) in a "../po" directory, which can be leveraged to conduct format string attacks.
Family: unix Class: vulnerability
Reference(s): CVE-2007-2027
Version: 5
Platform(s): Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

Type Description Count
Application 6

OpenVAS Exploits

Date Description
2011-08-09 Name : CentOS Update for elinks CESA-2009:1471 centos4 i386
File : nvt/gb_CESA-2009_1471_elinks_centos4_i386.nasl
2011-08-09 Name : CentOS Update for elinks CESA-2009:1471 centos5 i386
File : nvt/gb_CESA-2009_1471_elinks_centos5_i386.nasl
2009-10-27 Name : FreeBSD Ports: elinks
File : nvt/freebsd_elinks.nasl
2009-10-27 Name : Ubuntu USN-851-1 (elinks)
File : nvt/ubuntu_851_1.nasl
2009-10-13 Name : Debian Security Advisory DSA 1902-1 (elinks)
File : nvt/deb_1902_1.nasl
2009-10-13 Name : CentOS Security Advisory CESA-2009:1471 (elinks)
File : nvt/ovcesa2009_1471.nasl
2009-10-06 Name : RedHat Security Advisory RHSA-2009:1471
File : nvt/RHSA_2009_1471.nasl
2009-03-23 Name : Ubuntu Update for elinks vulnerability USN-457-1
File : nvt/gb_ubuntu_USN_457_1.nasl
2008-09-24 Name : Gentoo Security Advisory GLSA 200706-03 (elinks)
File : nvt/glsa_200706_03.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
41949 ELinks entity_cache Function Overflow

35668 ELinks add_filename_to_string() Path Subversion Format String Local Privilege...

Nessus® Vulnerability Scanner

Date Description
2014-11-26 Name : The remote OracleVM host is missing a security update.
File : oraclevm_OVMSA-2009-0030.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing a security update.
File : oraclelinux_ELSA-2009-1471.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing a security update.
File : sl_20091001_elinks_on_SL4_x.nasl - Type : ACT_GATHER_INFO
2010-02-24 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1902.nasl - Type : ACT_GATHER_INFO
2010-01-06 Name : The remote CentOS host is missing a security update.
File : centos_RHSA-2009-1471.nasl - Type : ACT_GATHER_INFO
2009-10-26 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_2544f543c17811deb175001cc0377035.nasl - Type : ACT_GATHER_INFO
2009-10-22 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-851-1.nasl - Type : ACT_GATHER_INFO
2009-10-02 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2009-1471.nasl - Type : ACT_GATHER_INFO
2007-11-10 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-457-1.nasl - Type : ACT_GATHER_INFO
2007-06-07 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200706-03.nasl - Type : ACT_GATHER_INFO

Alert History

Date Informations
2014-02-17 11:52:55
  • Multiple Updates