-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
ESB-97.087 -- CERT Vendor-Initiated Bulletin VB-97.05
Vulnerability in Lynx Temporary Files
16 July 1997
The CERT Coordination Center has released the following advisory concerning
a vulnerability in the Lynx program. This vulnerability may allow a
malicious user with access to the same machine as other Lynx users to
overwrite files and interfere with file downloading and printing of the
other Lynx users.
The following security bulletin is provided as a service to AUSCERT's
members. As AUSCERT did not write this document, AUSCERT has had no
control over its content. As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done so in accordance with site policies and procedures.
Contact information for this bulletin is included in the Security Bulletin
below. If you have any questions or need further information, please
contact them directly.
Previous advisories and external security bulletins can be retrieved from:
If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
CERT* Vendor-Initiated Bulletin VB-97.05
July 15, 1997
Topic: Vulnerability in Lynx Temporary Files
Source: Jim Spath
To aid in the wide distribution of essential security information, the CERT
Coordination Center is forwarding the following information from Jim Spath,
who coordinated this bulletin with several members of the lynx-dev mailing
list. They urge you to act on this information as soon as possible.
information is included in the forwarded text below; please contact them if
you have any questions or need further information.
Questions about the bulletin only can be sent to Jim Spath
<email@example.com>; questions about Lynx can be sent to
=======================FORWARDED TEXT STARTS HERE============================
Lynx typically stores persistent temporary files in /tmp on Un*x
systems. The filenames Lynx chooses can be predicted, and another
user on the system may be able to exploit a race condition to replace
the temporary file with a symbolic link or with another file.
Installed versions of Lynx where a directory writeable by other users
(such as /tmp on a machine to which multiple users have access) is used
to store files during download are vulnerable. This vulnerability can
only be exploited by a user with access to an account on the machine
A malicious user with access to the same machine as other Lynx users
may be able to cause another user's Lynx process to overwrite another
file. It may also be possible to replace the contents of a downloaded
file with a file other than the one the user downloaded, or to cause
the user to print a file other than the one selected for printing.
A workaround for Lynx 2.7.1 is described in the "solutions" section
There are several ways to solve this problem.
A. The best solution to the problem is to apply the FOTEMODS patch
set and to ensure that /tmp/ on your system is a "sticky directory."
If you cannot apply this patch set, if your system does not support
sticky directories, or if you cannot make /tmp/ a sticky directory,
you must use one of the other solutions below.
B. The other solution to this problem is to change the setting
of TEMP_SPACE from the default ("/tmp/") to non-world-writeable
To do this with unpatched Lynx version 2.7.1:
1. Lynx can be rebuilt with the "#define TEMP_SPACE" in
lynx2-7-1/userdefs.h changed from "/tmp" to point to a
directory only writeable by the user executing Lynx.
2. The LYNX_TEMP_SPACE environment variable may be set before
shell startup files (.profile, .cshrc, or equivalent) or into
the system profile (/etc/profile or equivalent).
As an aid to allowing Lynx to find user-specific temp. directories,
Lynx 2.7.1 will replace "~" in the temp. space allocation with the
path to the user's home directory.
Individual users may also set the LYNX_TEMP_SPACE environment
variable to point to another place known to be unwriteable by other
users (for instance a subdirectory of the users' home directory, or a
mode 0700 directory of a "sticky" /tmp).
To do this with Lynx 2.7.1 with the FOTEMODS patch set applied:
You may use any of the methods listed for "vanilla" Lynx 2.7.1.
You may also use "$USER" in TEMP_SPACE (or $LYNX_TEMP_SPACE) to
specify user-specific temp. directories such as /tmp/$USER/.
The FOTEMODS patch set includes the changes described above as well
as other fixes and feature enhancements. It can be found at:
The FOTEMODS patches avoid any pre-existing filenames for new temporary
files, thus skipping any symbolic link which may have been created with
an upcoming temporary filename. These patches also allow the administrator
or user to define TEMP_SPACE (or the LYNX_TEMP_SPACE environment variable)
as "/tmp/$USER" (for example) for pre-existing directories that correspond
to accounts' usernames and have protections/ACLs set for access only by
the appropriate users.
This patch set also does chmod(600) for temporary files which Lynx
creates, but the account should be set up with an equivalent umask
before invoking Lynx.
C. One other solution (a source code patch) for this problem, by Klaus
Weide, can be found at:
However, this patch should be considered "alpha" quality code, and
its author is not supporting it at this time.
The next release of Lynx will eliminate this vulnerability. Interested
parties should subscribe to and read the LYNX-DEV mailing list
(send mail to firstname.lastname@example.org with "subscribe lynx-dev" as the
body) for information about this release.
V. Contact information
If you believe you have found a security problem with the current
version of Lynx, we urge you to forward it to the LYNX-DEV
mailing list at <email@example.com>.
The LYNX-DEV mailing list (with further information about this
vulnerability) is archived at:
Lynx security information is available at:
General information about Lynx is available at:
On-line help and documentation about Lynx is available using the
(h)elp command. More help is available in the source distribution.
Should your questions not be answered by these means, further
questions may be directed to <firstname.lastname@example.org>.
Please don't contact Lynx developers personally about Lynx-related
issues; please use either the mailing list or the "help" addresses
========================FORWARDED TEXT ENDS HERE=============================
If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (FIRST). See http://www.first.org/team-info/.
We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact
the CERT staff for more information.
Location of CERT PGP key
CERT Contact Information
- - ------------------------
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST
(GMT-5)/EDT(GMT-4), and are on call for
emergencies during other hours.
Fax +1 412-268-6989
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
CERT publications, information about FIRST representatives, and other
security-related information are available from
CERT advisories and bulletins are also posted on the USENET newsgroup
To be added to our mailing list for CERT advisories and bulletins, send your
email address to
In the subject line, type
* Registered U.S. Patent and Trademark Office.
The CERT Coordination Center is part of the Software Engineering
Institute (SEI). The SEI is sponsored by the U. S. Department of Defense.
This file: ftp://info.cert.org/pub/cert_bulletins/VB-97.05.lynx
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----