Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 918564 (CVE-2023-38252, CVE-2023-38253)

Summary: www-client/w3m: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: minor CC: nrk, proxy-maint
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [upstream/ebuild]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-25 22:39:26 UTC 
CVE-2023-38252 (https://github.com/tats/w3m/issues/270):

An out-of-bounds read flaw was found in w3m, in the Strnew_size function in Str.c. This issue may allow an attacker to cause a denial of service through a crafted HTML file.

CVE-2023-38253 (https://github.com/tats/w3m/issues/271):

An out-of-bounds read flaw was found in w3m, in the growbuf_to_Str function in indep.c. This issue may allow an attacker to cause a denial of service through a crafted HTML file.

Fixes in https://github.com/tats/w3m/commit/25fb402cea405b263466c627f32513d186a38ade from https://github.com/tats/w3m/pull/273, seemingly not in any release.