CVEs have been assigned for several security issues in w3m: http://www.openwall.com/lists/oss-security/2016/11/03/3 The first message in that thread notes: "These issues are all fixed in 0.5.3-31 released at Oct 15, 2016." That's referring to the Debian release of the package, as it is only maintained downstream there; upstream is dead. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to w3m maintainer
CC: (none) => marja11
Assignee: bugsquad => pterjan
URL: (none) => https://lwn.net/Vulnerabilities/707040/
I started looking at https://github.com/tats/w3m/commits/master but commits are a bit messy, I'll try to extract the patches.
CVE request for some additional fixes: http://www.openwall.com/lists/oss-security/2016/11/22/2 If all of the fixes are at that github, you could just pull a git snapshot.
(In reply to David Walser from comment #3)
> CVE request for some additional fixes:
> http://www.openwall.com/lists/oss-security/2016/11/22/2

CVE-2016-962[1-9], CVE-2016-963[0-3]:
http://openwall.com/lists/oss-security/2016/11/24/1
Summary: w3m new security issues CVE-2016-942[2-9], CVE-2016-943[0-9], CVE-2016-944[0-3] => w3m new security issues CVE-2016-942[2-9], CVE-2016-943[0-9], CVE-2016-944[0-3], CVE-2016-962[1-9], CVE-2016-963[0-3]
CVE-2016-9621 is a duplicate of CVE-2016-9429: http://openwall.com/lists/oss-security/2016/11/25/5
Summary: w3m new security issues CVE-2016-942[2-9], CVE-2016-943[0-9], CVE-2016-944[0-3], CVE-2016-962[1-9], CVE-2016-963[0-3] => w3m new security issues CVE-2016-942[2-9], CVE-2016-943[0-9], CVE-2016-944[0-3], CVE-2016-962[2-9], CVE-2016-963[0-3]
(In reply to David Walser from comment #4)
> (In reply to David Walser from comment #3)
> > CVE request for some additional fixes:
> > http://www.openwall.com/lists/oss-security/2016/11/22/2
>
> CVE-2016-962[1-9], CVE-2016-963[0-3]:
> http://openwall.com/lists/oss-security/2016/11/24/1

LWN reference: https://lwn.net/Vulnerabilities/709162/

openSUSE has issued an advisory for this today (December 14):
https://lists.opensuse.org/opensuse-updates/2016-12/msg00084.html
Fixed in cauldron
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
CC: (none) => mageia
CVE: (none) => CVE-2016-942[2-9], CVE-2016-943[0-9], CVE-2016-944[0-3], CVE-2016-962[2-9], CVE-2016-963[0-3]
w3m-0.5.3-8.2.mga5 synced with Nicolas's update in Mageia 6. Advisory later.
Assignee: pterjan => qa-bugs
Advisory:
========================

Updated w3m package fixes security vulnerabilities:

The w3m package has been updated to a newer git snapshot to fix several security issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9423
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9424
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9425
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9426
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9427
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9428
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9429
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9430
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9431
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9432
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9433
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9434
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9436
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9437
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9439
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9440
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9441
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9622
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9623
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9624
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9626
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9627
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9628
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9629
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9630
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9631
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9632
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9633
http://www.openwall.com/lists/oss-security/2016/11/03/3
http://openwall.com/lists/oss-security/2016/11/24/1
http://openwall.com/lists/oss-security/2016/11/25/5
https://lists.opensuse.org/opensuse-updates/2016-12/msg00084.html
Keywords: (none) => advisory
CC: (none) => davidwhodgins
Mageia 5 :: x86_64

Installed without issues. Invoked it in a terminal for a couple of sites. Traversed the sites via the keyboard, arrow keys and the mouse. Typed q to raise the "Do you want to exit?" query.

$ w3m http://exoplanet.eu/
$ w3m https://apod.nasa.gov/apod/astropix.html

The APOD site came up. Today it featured a video but it presented a login dialogue for facebook so I skipped it. Backed out and navigated to the 'archive' link. Hit return on that and selected yesterday's image. The photo displayed perfectly on a right-click and went to fullscreen on Return. The left-pointing chevron in the status bar at the bottom acts as Back. Hitting u (aka peek) on a hyperlink displays the URL in the status bar for a few seconds.

This looks good to go. Saying that without investigating the CVEs in any great depth although I did try CVE-2016-9422 - https://github.com/tats/w3m/issues/8 after the fact. The fault is unstable in the unpatched case, segfaults or stack smashes. After the update the reproducer simply returned to the prompt.

$ echo '<table>0<td rowspan=0 colspan=30><img width=900000 src=0 height=0>' | w3m -T text/html -dump > /dev/null

For CVE-2016-9423 https://github.com/tats/w3m/issues/9

$ echo '0000000000000000000000000000000000000000000000000000000000000>000000000000000000<button type=>0<i></button><div>0' | w3m -T text/html -dump
0000000000000000000000000000000000000000000000000000000000000> 0000000000000000000 0

Tried a few others which all exited quietly.
CC: (none) => tarazed25
Whiteboard: (none) => MGA5-64-OK
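A scripted form of the reproducer check described in the QA comment above, as an added example that is not part of the original bug thread: it feeds the two inputs quoted there to the installed binary and reports whether the process exited cleanly or was killed by a signal. The names W3M_BIN, classify_status, run_case and check_all are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug thread): re-run the two reproducers quoted in
# the QA comment and report whether the binary under test died from a signal.
# Assumption: W3M_BIN, classify_status, run_case, check_all are names chosen here.
W3M_BIN="${W3M_BIN:-w3m}"

# classify_status STATUS: 0 is clean; above 128 the process was killed by a
# signal (139 = SIGSEGV, 134 = SIGABRT from the stack protector); else an error.
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo clean
    elif [ "$1" -gt 128 ]; then
        echo "crash:$(($1 - 128))"
    else
        echo error
    fi
}

# run_case INPUT [COMMAND...]: feed INPUT on stdin, print the classification.
# Without COMMAND it runs the invocation used in the QA comment.
run_case() {
    input=$1
    shift
    [ "$#" -gt 0 ] || set -- "$W3M_BIN" -T text/html -dump
    status=0
    printf '%s\n' "$input" | "$@" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# check_all: run every case; the return status is the number of crashes.
check_all() {
    failures=0
    while IFS='|' read -r id html; do
        result=$(run_case "$html")
        echo "$id: $result"
        case $result in crash:*) failures=$((failures + 1)) ;; esac
    done <<'EOF'
CVE-2016-9422|<table>0<td rowspan=0 colspan=30><img width=900000 src=0 height=0>
CVE-2016-9423|0000000000000000000000000000000000000000000000000000000000000>000000000000000000<button type=>0<i></button><div>0
EOF
    return "$failures"
}

if [ "${1:-}" = "--run" ]; then check_all; fi
```

Run it with --run before and after installing the update; a result of "error" (for example when the binary is missing) is reported separately from a crash so that it is not mistaken for a pass or a fault.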
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0024.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED