Bug 600176 (CVE-2016-9422, CVE-2016-9423, CVE-2016-9424, CVE-2016-9425, CVE-2016-9426, CVE-2016-9427, CVE-2016-9428, CVE-2016-9429, CVE-2016-9430, CVE-2016-9431, CVE-2016-9432, CVE-2016-9433, CVE-2016-9434, CVE-2016-9435, CVE-2016-9436, CVE-2016-9437, CVE-2016-9438, CVE-2016-9439, CVE-2016-9440, CVE-2016-9441, CVE-2016-9442, CVE-2016-9443)

Summary:	<www-client/w3m-0.5.3-r9: Multiple vulnerabilities (CVE-2016-{9422,9423,9424,9425,9426,9428,9429,9430,9431,9432,9433,9434,9437,9438,9439,9440,9441,9442,9443})
Product:	Gentoo Security	Reporter:	Thomas Deutschmann (RETIRED) <whissi>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	cjk
Priority:	Normal	Flags:	kensington: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://seclists.org/oss-sec/2016/q4/452
Whiteboard:	A2 [glsa cve cleanup]
Package list:	=www-client/w3m-0.5.3-r9	Runtime testing required:	---

Description Thomas Deutschmann (RETIRED) gentoo-dev

2016-11-18 15:02:44 UTC

From $URL:

CVE-2016-9422 - https://github.com/tats/w3m/issues/8 stack smashed
  see analysis in https://github.com/tats/w3m/pull/19

CVE-2016-9423 - https://github.com/tats/w3m/issues/9 some buffer overflow

Note that both issues/9 and issues/10 are fixed by
9f0bdcfdf061db3520bd1f112bdc5e83acdec4be; however, they are different
vulnerabilities.


CVE-2016-9424 - https://github.com/tats/w3m/issues/12 heap write

CVE-2016-9425 - https://github.com/tats/w3m/issues/21 heap write

Note that both issues/21 and issues/26 are fixed by
4e464819dd360ffd3d58fa2a89216fe413cfcc74; however, they are different
vulnerabilities.


> https://github.com/tats/w3m/issues/25 heap corruption
>   itself should be only OOM. But it was affected by
>     https://github.com/ivmai/bdwgc/issues/135
>   which become heap corruption

Use CVE-2016-9426 for the issues/25 vulnerability in w3m. Use
CVE-2016-9427 for the issues/135 vulnerability in libgc (aka bdwgc or
boehmgc).


CVE-2016-9428 - https://github.com/tats/w3m/issues/26 heap write

CVE-2016-9429 - https://github.com/tats/w3m/issues/29 global-buffer-overflow write

CVE-2016-9430 - https://github.com/tats/w3m/issues/7 null deref

CVE-2016-9431 - https://github.com/tats/w3m/issues/10 stack overflow

CVE-2016-9432 - https://github.com/tats/w3m/issues/13 bcopy negative size

CVE-2016-9433 - https://github.com/tats/w3m/issues/14 array index out of bound read

CVE-2016-9434 - https://github.com/tats/w3m/issues/15 null deref


> https://github.com/tats/w3m/issues/16 use uninit value

Use CVE-2016-9435 for the problem fixed by the new conditional
PUSH_ENV(HTML_DL) call in file.c in
https://github.com/tats/w3m/commit/33509cc81ec5f2ba44eb6fd98bd5c1b5873e46bd

Use CVE-2016-9436 for the problem fixed by the new "tagname[0] = '\0'"
line in parsetagx.c in
https://github.com/tats/w3m/commit/33509cc81ec5f2ba44eb6fd98bd5c1b5873e46bd


CVE-2016-9437 - https://github.com/tats/w3m/issues/17 write to rodata

CVE-2016-9438 - https://github.com/tats/w3m/issues/18 null deref

CVE-2016-9439 - https://github.com/tats/w3m/issues/20 stack overflow

CVE-2016-9440 - https://github.com/tats/w3m/issues/22 near-null deref

CVE-2016-9441 - https://github.com/tats/w3m/issues/24 near-null deref

CVE-2016-9442 - https://github.com/tats/w3m/commit/d43527cfa0dbb3ccefec4a6f7b32c1434739aa29 potential heap buffer corruption
  I classify this as "moderate" because the allocator do preserve more space
  than required size due to bucketing. And w3m's allocator is boehmgc, it
  seems not easy replaceable. So the heap won't be corrupted in practice

CVE-2016-9443 - https://github.com/tats/w3m/issues/28 null deref

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2016-11-18 15:04:54 UTC

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 2 Agostino Sarubbo gentoo-dev

2016-11-18 16:59:34 UTC

For completeness:

the package mentioned in the bugreport is the debian's fork of w3m, available at https://github.com/tats/w3m.

Our www-client/w3m refers to https://sourceforge.net/projects/w3m/files/w3m/w3m-0.5.3/ which is dead upstream.

I'm not sure at all that all vulnerabilities and all patches applies to the original w3m.

Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev

2016-11-18 20:28:06 UTC

See the confirmed bug 576514. Looks like the Gentoo maintainer is aware of the changed upstream.

Comment 4 Yixun Lan archtester

2016-12-03 05:51:05 UTC

pushed/fixed at www-client/w3m-0.5.3-r9, thansk

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8980adf0be95c6fa394f71a2b7ff63b475c87aa5

Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev

2016-12-04 00:00:09 UTC

@ Arches,

please test and mark stable: =www-client/w3m-0.5.3-r9

Comment 6 Tobias Klausmann (RETIRED) gentoo-dev

2016-12-05 15:49:07 UTC

Stable on alpha.

Comment 7 Agostino Sarubbo gentoo-dev

2016-12-05 19:11:55 UTC

While make the glsa please consider to add the following CVEs:
http://marc.info/?l=oss-security&m=147995099420114&w=2

Comment 8 Agostino Sarubbo gentoo-dev

2016-12-06 11:51:26 UTC

amd64 stable

Comment 9 Agostino Sarubbo gentoo-dev

2016-12-06 11:54:16 UTC

x86 stable

Comment 10 Agostino Sarubbo gentoo-dev

2016-12-19 14:40:20 UTC

sparc stable

Comment 11 Agostino Sarubbo gentoo-dev

2016-12-19 15:16:43 UTC

ia64 stable

Comment 12 Agostino Sarubbo gentoo-dev

2016-12-20 09:49:42 UTC

ppc stable

Comment 13 Agostino Sarubbo gentoo-dev

2016-12-22 09:38:08 UTC

ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Comment 14 GLSAMaker/CVETool Bot gentoo-dev

2017-01-01 13:01:41 UTC

CVE-2016-9443 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9443):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  w3m allows remote attackers to cause a denial of service (segmentation fault
  and crash) via a crafted HTML page.

CVE-2016-9442 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9442):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  w3m allows remote attackers to cause memory corruption in certain conditions
  via a crafted HTML page.

CVE-2016-9441 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9441):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  w3m allows remote attackers to cause a denial of service (segmentation fault
  and crash) via a crafted HTML page.

CVE-2016-9440 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9440):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  w3m allows remote attackers to cause a denial of service (segmentation fault
  and crash) via a crafted HTML page.

CVE-2016-9439 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9439):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  Infinite recursion vulnerability in w3m allows remote attackers to cause a
  denial of service via a crafted HTML page.

CVE-2016-9438 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9438):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  w3m allows remote attackers to cause a denial of service (segmentation fault
  and crash) via a crafted HTML page.

CVE-2016-9437 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9437):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  w3m allows remote attackers to cause a denial of service (segmentation fault
  and crash) and possibly memory corruption via a crafted HTML page.

CVE-2016-9434 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9434):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  w3m allows remote attackers to cause a denial of service (segmentation fault
  and crash) via a crafted HTML page.

CVE-2016-9433 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9433):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  w3m allows remote attackers to cause a denial of service (out-of-bounds
  array access) via a crafted HTML page.

CVE-2016-9432 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9432):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  w3m allows remote attackers to cause a denial of service (memory corruption,
  segmentation fault, and crash) via a crafted HTML page.

CVE-2016-9431 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9431):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  Infinite recursion vulnerability in w3m allows remote attackers to cause a
  denial of service via a crafted HTML page.

CVE-2016-9430 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9430):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  w3m allows remote attackers to cause a denial of service (segmentation fault
  and crash) via a crafted HTML page.

CVE-2016-9429 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9429):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  Buffer overflow in the formUpdateBuffer function in w3m allows remote
  attackers to cause a denial of service (crash) and possibly execute
  arbitrary code via a crafted HTML page.

CVE-2016-9428 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9428):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  Heap-based buffer overflow in the addMultirowsForm function in w3m allows
  remote attackers to cause a denial of service (crash) and possibly execute
  arbitrary code via a crafted HTML page.

CVE-2016-9426 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9426):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  Integer overflow vulnerability in the renderTable function in w3m allows
  remote attackers to cause a denial of service (OOM) and possibly execute
  arbitrary code due to bdwgc's bug (CVE-2016-9427) via a crafted HTML page.

CVE-2016-9425 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9425):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  Heap-based buffer overflow in the addMultirowsForm function in w3m allows
  remote attackers to cause a denial of service (crash) and possibly execute
  arbitrary code via a crafted HTML page.

CVE-2016-9424 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9424):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  w3m doesn't properly validate the value of tag attribute, which allows
  remote attackers to cause a denial of service (heap buffer overflow crash)
  and possibly execute arbitrary code via a crafted HTML page.

CVE-2016-9423 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9423):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  Heap-based buffer overflow in w3m allows remote attackers to cause a denial
  of service (crash) and possibly execute arbitrary code via a crafted HTML
  page.

CVE-2016-9422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9422):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  The feed_table_tag function in w3m doesn't properly validate the value of
  table span, which allows remote attackers to cause a denial of service
  (stack and/or heap buffer overflow) and possibly execute arbitrary code via
  a crafted HTML page.

Comment 15 GLSAMaker/CVETool Bot gentoo-dev

2017-01-01 16:18:24 UTC

This issue was resolved and addressed in
 GLSA 201701-08 at https://security.gentoo.org/glsa/201701-08
by GLSA coordinator Thomas Deutschmann (whissi).

Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev

2017-01-01 16:20:18 UTC

Re-opening for cleanup.

@ Maintainer(s): Please drop <www-client/w3m-0.5.3-r9

Comment 17 Yixun Lan archtester

2017-01-02 07:46:40 UTC

all old vulnerable versions are dropped.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e93356f2a082efc77909d75820aba87dacd20e0b