Fedora has issued an advisory on January 1: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NRRZMTLG3YT6U3PSGJOAMLDNLRF2EUOP/ Mageia 8 is also affected.
Status comment: (none) => Patches available from upstream and Fedora
Whiteboard: (none) => MGA8TOO
Different people have committed this SRPM, so assigning this globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated package fixes a security vulnerability:

There is an out-of-bounds write in checkType located in etc.c in w3m 0.5.3. It can be triggered by sending a crafted HTML file to the w3m binary. It allows an attacker to cause Denial of Service or possibly have unspecified other impact. (CVE-2022-38223)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38223
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NRRZMTLG3YT6U3PSGJOAMLDNLRF2EUOP/
========================

Updated package in core/updates_testing:
========================
w3m-0.5.3-13.git20220429.1.mga8

from SRPM:
w3m-0.5.3-13.git20220429.1.mga8.src.rpm
Version: Cauldron => 8
CC: (none) => nicolas.salguero
Status comment: Patches available from upstream and Fedora => (none)
Whiteboard: MGA8TOO => (none)
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CVE: (none) => CVE-2022-38223
Source RPM: w3m-0.5.3-13.git20180520.6.mga9.src.rpm => w3m-0.5.3-13.git20180520.4.mga8.src.rpm
This is a new one for me, so I searched for previous updates, finding Bug 22504. Deciding the best course of action was to install the present version first, learn how to navigate using some tips from Herman's experience in the previous bug, then go for the update. There were no installation issues. Using the command "w3m duckduckgo.com" brought up my search engine of choice, though it looked considerably different than it does in Firefox. I directed it to search for mageia.org, and a list of results popped up, including our Wikipedia page, Mageia 9 Release Notes, our main site, our blog, and a host of others. I was able to visit several of our sites, and all were, if not the same look as in Firefox, at least completely readable. As far as I can see, it looks OK. Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0006.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED