Bug 18263

Summary: w3m new DoS security issue
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: pterjan, sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/685009/
Whiteboard: has_procedure advisory MGA5-64-OK MGA5-32-OK
Source RPM: w3m-0.5.3-8.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-04-25 19:48:15 CEST 
Fedora has issued an advisory on April 24:
https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183058.html

They added a patch to fix it in this commit:
http://pkgs.fedoraproject.org/cgit/rpms/w3m.git/commit/?id=c807425a1150661a44106006aa313d9c9aab5d61

Mageia 5 is also affected.
David Walser 2016-04-25 19:48:22 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-04-25 20:14:43 CEST 
Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated w3m package fixes security vulnerability:

A vulnerability was found in w3m package. A maliciously crafted html file
opened with specific command could cause the application to crash
(rhbz#1324348).

References:
https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183058.html
========================

Updated packages in core/updates_testing:
========================
w3m-0.5.3-8.1.mga5

from w3m-0.5.3-8.1.mga5.src.rpm
Comment 2 David Walser 2016-04-25 20:15:13 CEST 
Assigning to QA.  See Comment 1.

CC: (none) => pterjan
Version: Cauldron => 5
Assignee: pterjan => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 3 Len Lawrence 2016-04-26 01:02:30 CEST 
Testing this on x86_64
Installed it before updating to check its capabilities.  The fedora link in comment 1 implies that to view inline images w3m-img should be installed as well.  In fact they display fine with just w3m so our build must already contain it.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2016-04-26 01:46:15 CEST 
Installed the update.
Used it as a text pager for a local ruby script.  It acted very like less; space to page down and /text to move to the next occurrence of text.
There is a large number of options and key combinations so it is probably best to keep the help list visible in another terminal.  H displays the full list.

Pointed the browser at a directory of local images, traversed directories and displayed images on demand (I or double-click).  The download option is effectively a copy to pwd.  It looked like xine is the default image viewer.

$ w3m http://astronomynow.com
brought up the title page of the magazine site with advertising images and others.  Navigate with the arrow keys and use Ctrl-J to switch to a selected topic (hyperlink).  Q to quit or q to quit with query.  B goes back to where you were.  @ allows you to type in a shell command.  M brings up an external browser on the current directory - the default seems to be a file manager.

This all looks OK.
Len Lawrence 2016-04-26 01:46:36 CEST

Whiteboard: (none) => MGA5-64-OK

Comment 5 Len Lawrence 2016-04-26 11:38:26 CEST 
Tested this on i586 in virtualbox.

Tried out a few more of the commands and options. 
A command such as :-
$ cat some.html | w3m -T text/html
can be used to render an HTML file in the terminal.
Tried a few more of the simple options and commands and all worked fine.

Passing this for 32-bits.
Len Lawrence 2016-04-26 11:38:50 CEST

Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK

Comment 6 claire robinson 2016-04-26 16:23:16 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 claire robinson 2016-04-26 17:03:42 CEST 
Advisory uploaded.

Whiteboard: MGA5-64-OK MGA5-32-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK

Comment 8 Mageia Robot 2016-04-26 20:03:28 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0154.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED