Bug 19811

Assigning to w3m maintainer

CC: (none) => marja11
Assignee: bugsquad => pterjan

I started looking at https://github.com/tats/w3m/commits/master but commits are a bit messy, I'll try to extract the patches.

CVE request for some additional fixes:
http://www.openwall.com/lists/oss-security/2016/11/22/2

If all of the fixes are at that github, you could just pull a git snapshot.

(In reply to David Walser from comment #3)
> CVE request for some additional fixes:
> http://www.openwall.com/lists/oss-security/2016/11/22/2

CVE-2016-962[1-9], CVE-2016-963[0-3]:
http://openwall.com/lists/oss-security/2016/11/24/1

Summary: w3m new security issues CVE-2016-942[2-9], CVE-2016-943[0-9], CVE-2016-944[0-3] => w3m new security issues CVE-2016-942[2-9], CVE-2016-943[0-9], CVE-2016-944[0-3], CVE-2016-962[1-9], CVE-2016-963[0-3]

CVE-2016-9621 is a duplicate of CVE-2016-9429:
http://openwall.com/lists/oss-security/2016/11/25/5

Summary: w3m new security issues CVE-2016-942[2-9], CVE-2016-943[0-9], CVE-2016-944[0-3], CVE-2016-962[1-9], CVE-2016-963[0-3] => w3m new security issues CVE-2016-942[2-9], CVE-2016-943[0-9], CVE-2016-944[0-3], CVE-2016-962[2-9], CVE-2016-963[0-3]

(In reply to David Walser from comment #4)
> (In reply to David Walser from comment #3)
> > CVE request for some additional fixes:
> > http://www.openwall.com/lists/oss-security/2016/11/22/2
> 
> CVE-2016-962[1-9], CVE-2016-963[0-3]:
> http://openwall.com/lists/oss-security/2016/11/24/1

LWN reference:
https://lwn.net/Vulnerabilities/709162/

openSUSE has issued an advisory for this today (December 14):
https://lists.opensuse.org/opensuse-updates/2016-12/msg00084.html

Fixed in cauldron

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
CC: (none) => mageia

w3m-0.5.3-8.2.mga5 synced with Nicolas's update in Mageia 6.  Advisory later.

Assignee: pterjan => qa-bugs

Advisory:
========================

Updated w3m package fixes security vulnerabilities:

The w3m package has been updated to a newer git snapshot to fix several security
issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9423
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9424
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9425
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9426
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9427
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9428
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9429
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9430
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9431
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9432
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9433
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9434
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9436
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9437
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9439
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9440
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9441
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9622
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9623
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9624
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9626
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9627
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9628
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9629
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9630
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9631
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9632
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9633
http://www.openwall.com/lists/oss-security/2016/11/03/3
http://openwall.com/lists/oss-security/2016/11/24/1
http://openwall.com/lists/oss-security/2016/11/25/5
https://lists.opensuse.org/opensuse-updates/2016-12/msg00084.html

Mageia 5 :: x86_64

Installed without issues.
Invoked it in a terminal for a couple of sites.  Traversed the sites via the keyboard, arrow keys and the mouse.  Typed q to raise the "Do you want to exit?" query.

$ w3m http://exoplanet.eu/
$ w3m https://apod.nasa.gov/apod/astropix.html
The APOD site came up.  Today it featured a video but it presented a login dialogue for facebook so I skipped it.  Backed out and navigated to the 'archive'  link.  Hit return on that and selected yesterday's image.  The photo displayed perfectly on a right-click and went to fullscreen on Return.  The left-pointing chevron in the status bar at the bottom acts as Back.  Hitting u (aka peek) on a hyperlink displays the URL in the status bar for a few seconds.

This looks good to go.  Saying that without investigating the CVEs in any great depth athough I did try CVE-2016-9422 - https://github.com/tats/w3m/issues/8 after the fact.  The fault is unstable in the unpatched case, segfaults or stack smashes.  After the update the reproducer simply returned to the prompt.

$ echo '<table>0<td rowspan=0 colspan=30><img width=900000 src=0 height=0>' | w3m -T text/html -dump > /dev/null

For CVE-2016-9423 https://github.com/tats/w3m/issues/9

$ echo '0000000000000000000000000000000000000000000000000000000000000>000000000000000000<button type=>0<i></button><div>0' | w3m -T text/html -dump
0000000000000000000000000000000000000000000000000000000000000>
0000000000000000000
0

Tried a few others which all exited quietly.

CC: (none) => tarazed25

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0024.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED