Fedora has issued an advisory on April 24:
https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183058.html
They added a patch to fix it in this commit:
http://pkgs.fedoraproject.org/cgit/rpms/w3m.git/commit/?id=c807425a1150661a44106006aa313d9c9aab5d61
Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Patched packages uploaded for Mageia 5 and Cauldron.
Advisory:
========================
Updated w3m package fixes security vulnerability:
A vulnerability was found in w3m package. A maliciously crafted html file opened with specific command could cause the application to crash (rhbz#1324348).
References:
https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183058.html
========================
Updated packages in core/updates_testing:
========================
w3m-0.5.3-8.1.mga5
from w3m-0.5.3-8.1.mga5.src.rpm
Assigning to QA. See Comment 1.
CC: (none) => pterjan
Version: Cauldron => 5
Assignee: pterjan => qa-bugs
Whiteboard: MGA5TOO => (none)
Testing this on x86_64. Installed it before updating to check its capabilities. The Fedora link in comment 1 implies that to view inline images w3m-img should be installed as well. In fact they display fine with just w3m, so our build must already contain it.
CC: (none) => tarazed25
Installed the update. Used it as a text pager for a local ruby script. It acted very like less; space to page down and /text to move to the next occurrence of text. There is a large number of options and key combinations so it is probably best to keep the help list visible in another terminal. H displays the full list.
Pointed the browser at a directory of local images, traversed directories and displayed images on demand (I or double-click). The download option is effectively a copy to pwd. It looked like xine is the default image viewer.
$ w3m http://astronomynow.com
brought up the title page of the magazine site with advertising images and others. Navigate with the arrow keys and use Ctrl-J to switch to a selected topic (hyperlink). Q to quit or q to quit with query. B goes back to where you were. @ allows you to type in a shell command. M brings up an external browser on the current directory - the default seems to be a file manager.
This all looks OK.
Whiteboard: (none) => MGA5-64-OK
Tested this on i586 in virtualbox. Tried out a few more of the commands and options. A command such as :-
$ cat some.html | w3m -T text/html
can be used to render an HTML file in the terminal. Tried a few more of the simple options and commands and all worked fine. Passing this for 32-bits.
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA5-64-OK MGA5-32-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0154.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED