| Summary: | w3m new security issues CVE-2018-6196, CVE-2018-6197, CVE-2018-6198 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, marja11, pterjan, sysadmin-bugs, tarazed25, zombie_ryushu |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA5-32-OK MGA6-64-OK | ||
| Source RPM: | w3m-0.5.3-12.git20161120.1.mga6.src.rpm | CVE: | |
| Status comment: | Patches available from Ubuntu | ||

Description
David Walser
2018-02-01 21:27:22 CET
David Walser
2018-02-01 21:27:33 CET
Whiteboard:
(none) =>
MGA6TOO
David Walser
2018-02-02 18:33:54 CET
Status comment:
(none) =>
Patches available from Ubuntu

Assigning to the registered maintainer.

Version:
6 =>
Cauldron

Fedora has issued an advisory for this on February 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2XBJ7YSI7YUIFUICUS25Q5MT73QWGPFK/

w3m-0.5.3-13.git20180520.0.mga5 uploaded to 5/core/updates_testing
w3m-0.5.3-13.git20180520.0.mga6 uploaded to 6/core/updates_testing
w3m-0.5.3-13.git20180520.1.mga7 uploaded to cauldron/core/release

Advisory:
========================

Updated w3m package fixes security vulnerabilities:

It was discovered that w3m incorrectly handled certain inputs. An attacker could possibly use this to cause a denial of service (CVE-2018-6196, CVE-2018-6197).

It was discovered that w3m incorrectly handled temporary files. An attacker could possibly use this to overwrite arbitrary files (CVE-2018-6198).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6197
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6198
https://usn.ubuntu.com/3555-1/

Whiteboard:
MGA6TOO =>
MGA5TOO

MGA5-32 Xfce on Dell Latitude D600
No installation issues.
At CLI: w3m www.google.be brought up the site, navigating with tab or mouse.
For info of later users: everything you type is a command. To get to search for something, navigate to the Search box and press "Enter". That opens a text input line at the bottom of the window to enter your search terms. Enter to execute.
Works OK.

CC:
(none) =>
herman.viaene

Mageia 6, x86_64

Before updating tried to find PoCs. Two of the CVEs appear to have reproducers but they involve creating binary files from published hexdumps and the use of w3m-tats which we do not appear to have. Or maybe it needs some special invocation.

Updated w3m and pointed it at exoplanet.eu in a mate-terminal. Navigated around but was unable to display tables because w3m-js is needed or at least some kind of javascript extension. Tried the search facility on "APOD" and picked a site from the list returned. Clicking on the empty panel under the title brought up the image of the day. Web links all work fine and so does the back arrow. Used H to find out how to exit the browser (q or Q).

Working OK.

CC:
(none) =>
tarazed25

Advisory committed to svn.
Validating the update.

Keywords:
(none) =>
advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0312.html

Resolution:
(none) =>
FIXED