Bug 31365 - w3m new security issue CVE-2022-38223
Summary: w3m new security issue CVE-2022-38223
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-01-03 20:59 CET by David Walser
Modified: 2023-01-13 18:38 CET (History)
4 users (show)

See Also:
Source RPM: w3m-0.5.3-13.git20180520.4.mga8.src.rpm
CVE: CVE-2022-38223
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2023-01-03 20:59:30 CET 
Fedora has issued an advisory on January 1:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NRRZMTLG3YT6U3PSGJOAMLDNLRF2EUOP/

Mageia 8 is also affected.
David Walser 2023-01-03 20:59:48 CET

Status comment: (none) => Patches available from upstream and Fedora
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-01-03 21:49:10 CET 
Different people have committed this SRPM, so assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2023-01-05 14:51:57 CET 
Suggested advisory:
========================

The updated package fixes a security vulnerability:

There is an out-of-bounds write in checkType located in etc.c in w3m 0.5.3. It can be triggered by sending a crafted HTML file to the w3m binary. It allows an attacker to cause Denial of Service or possibly have unspecified other impact. (CVE-2022-38223)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38223
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NRRZMTLG3YT6U3PSGJOAMLDNLRF2EUOP/
========================

Updated package in core/updates_testing:
========================
w3m-0.5.3-13.git20220429.1.mga8

from SRPM:
w3m-0.5.3-13.git20220429.1.mga8.src.rpm

Version: Cauldron => 8
CC: (none) => nicolas.salguero
Status comment: Patches available from upstream and Fedora => (none)
Whiteboard: MGA8TOO => (none)
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CVE: (none) => CVE-2022-38223

Nicolas Salguero 2023-01-05 14:52:14 CET

Source RPM: w3m-0.5.3-13.git20180520.6.mga9.src.rpm => w3m-0.5.3-13.git20180520.4.mga8.src.rpm

Comment 3 Thomas Andrews 2023-01-10 15:04:22 CET 
This is a new one for me, so I searched for previous updates, finding Bug 22504. Deciding the best course of action was to install the present version first, learn how to navigate using some tips from Herman's experience in the previous bug, then go for the update.

There were no installation issues. Using the command "w3m duckduckgo.com" brought up my search engine of choice, though it looked considerably different than it does in Firefox. I directed it to search for mageia.org, and a list of results popped up, including our Wikipedia page, Mageia 9 Release Notes, our main site, our blog, and a host of others. I was able to visit several of our sites, and all were, if not the same look as in Firefox, at least completely readable. 

As far as I can see, it looks OK. Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2023-01-11 04:34:02 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2023-01-13 18:38:43 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0006.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.