Ubuntu has issued an advisory today (February 1): https://usn.ubuntu.com/usn/usn-3555-1/ Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Patches available from Ubuntu
Assigning to the registered maintainer.
Version: 6 => Cauldron
Assignee: bugsquad => pterjan
CC: (none) => marja11
Fedora has issued an advisory for this on February 8: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2XBJ7YSI7YUIFUICUS25Q5MT73QWGPFK/
w3m-0.5.3-13.git20180520.0.mga5 uploaded to 5/core/updates_testing
w3m-0.5.3-13.git20180520.0.mga6 uploaded to 6/core/updates_testing
w3m-0.5.3-13.git20180520.1.mga7 uploaded to cauldron/core/release
Advisory:
========================
Updated w3m package fixes security vulnerabilities:
It was discovered that w3m incorrectly handled certain inputs. An attacker could possibly use this to cause a denial of service (CVE-2018-6196, CVE-2018-6197).
It was discovered that w3m incorrectly handled temporary files. An attacker could possibly use this to overwrite arbitrary files (CVE-2018-6198).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6197
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6198
https://usn.ubuntu.com/3555-1/
Whiteboard: MGA6TOO => MGA5TOO
Assignee: pterjan => qa-bugs
Version: Cauldron => 6
CC: (none) => pterjan
MGA5-32 Xfce on Dell Latitude D600
No installation issues.
At CLI: w3m www.google.be brought up the site, navigating with tab or mouse.
For info of later users: everything you type is a command. To get to search for something, navigate to the Search box and press "Enter". That opens a text input line at the bottom of the window to enter your search terms. Enter to execute.
Works OK.
CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
Mageia 6, x86_64
Before updating tried to find PoCs. Two of the CVEs appear to have reproducers but they involve creating binary files from published hexdumps and the use of w3m-tats which we do not appear to have. Or maybe it needs some special invocation.
Updated w3m and pointed it at exoplanet.eu in a mate-terminal. Navigated around but was unable to display tables because w3m-js is needed or at least some kind of javascript extension. Tried the search facility on "APOD" and picked a site from the list returned. Clicking on the empty panel under the title brought up the image of the day. Web links all work fine and so does the back arrow. Used H to find out how to exit the browser (q or Q).
Working OK.
CC: (none) => tarazed25
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
Advisory committed to svn. Validating the update.
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0312.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
*** Bug 27737 has been marked as a duplicate of this bug. ***
CC: (none) => zombie_ryushu