[Frugalware-security] [ FSA-57 ] elinks

voroskoi noreply at frugalware.org
Fri Nov 24 00:39:27 CET 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory                           FSA-57

Date: 2006-11-24
Package: elinks
Vulnerable versions: <= 0.11.1-5
Unaffected versions: >= 0.11.1-6siwenna1
Related bugreport: http://bugs.frugalware.org/task/1468
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5925

Description
===========

Teemu Salmela has discovered a vulnerability in ELinks, which can be exploited by malicious people to expose sensitive information and manipulate data.
The vulnerability is caused due to an error in the validation of &quot;smb://&quot; URLs when ELinks runs smbclient commands. This can be exploited to download and overwrite local files or upload local files to a SMB share by injecting smbclient commands in the &quot;smb://&quot; URL.
Successful exploitation allows exposure of sensitive information or manipulation of data, but requires that the user visits a malicious &quot;smb://&quot; URL or gets redirected to such an URL by a malicious URL, and that the user has the smbclient program installed.

Updated Packages
================

Check if you have elinks installed:

	# pacman -Q elinks

If found, then you should upgrade to the latest version:

	# pacman -Sy elinks

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iD8DBQFFZjEvZ7NElSD1VhkRAvTRAJ9tESMqKcYkdk1L+ysi3XhKsU5TagCeNNZU
Byb0rKzQW/VW8ocDPMEMDJw=
=MDDU
-----END PGP SIGNATURE-----


More information about the Frugalware-security mailing list