[debian-devel:11840] lynx-ja: URL Buffer Overflow

[Hiroshi KISE <fuyuneko@xxxxxxxxxxxx>]

まだJPのほうのBTSに送れないようなので、こっちに出します。

Package: lynx-ja
Version: 2.8.2-1.4
Severity: grave

Bug#59191 でも報告されている、

“Lynx Long URL Buffer Overflow Vulnerabilities”
http://www.securityfocus.com/bid/1012

ですが、lynx-jaでも問題あるかもしれません。

bashにて、プロキシの設定をし、
lynx http://AAAAAAAAAA(以下、2000個ほど繰り返し)
とすると、

−−−−−−−−−−−−−−−ここから−−−−−−−−−−−−−−−
A Fatal error has occurred in Lynx Ver. 2.8.2rel.1

Please notify your system administrator to confirm a bug, and
if confirmed, to notify the lynx-dev list.  Bug reports should
have concise descriptions of the command and/or URL which causes
the problem, the operating system name with version number, the
TCPIP implementation, and any other relevant information.

Do NOT mail the core file if one was generated.

Lynx now exiting with signal:  11

/usr/bin/lynx: line 126: 26663 中断しました            /usr/bin/lynx.bin $OPT
−−−−−−−−−−−−−−−ここまで−−−−−−−−−−−−−−−

といった感じで止まります。単純なSegmentation faultで止まってないから
大丈夫?

-- System Information
Debian Release: 2.2
Kernel Version: Linux 2.2.14

Versions of the packages lynx-ja depends on:
ii  debconf        0.2.80.13      Debian configuration management system
ii  libc6          2.1.3-6        GNU C Library: Shared libraries and Timezone
ii  slang1         1.3.9-1        The S-Lang programming library - runtime ver
ii  zlib1g         1.1.3-5        compression library - runtime
	^^^ (Provides virtual package libz1)
-- 
喜瀬“冬猫”浩＠南国沖縄