Heap overflow when parsing malformed URLs
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
lynx-cur (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
Binary package hint: lynx-cur
Lynx is vulnerable to a heap overflow when parsing malformed URLs. When Lynx attempts to URL decode hostnames using the convert_to_idna() function in WWW/Library/
The attached reproducer causes a crash on my 32-bit Lucid system. It's not entirely reliable due to the fact that stack layout determines whether enough characters are overflowed to trigger glibc's heap checking. I've also attached a fix for the issue, which I've tested and confirmed resolves the vulnerability.
visibility: private → public
tags: added: patch
Changed in lynx-cur (Ubuntu):
status: New → Triaged
It seems to be a clear problem, but I'm unable to reproduce the crash.