Bug 600176 (CVE-2016-9422, CVE-2016-9423, CVE-2016-9424, CVE-2016-9425, CVE-2016-9426, CVE-2016-9427, CVE-2016-9428, CVE-2016-9429, CVE-2016-9430, CVE-2016-9431, CVE-2016-9432, CVE-2016-9433, CVE-2016-9434, CVE-2016-9435, CVE-2016-9436, CVE-2016-9437, CVE-2016-9438, CVE-2016-9439, CVE-2016-9440, CVE-2016-9441, CVE-2016-9442, CVE-2016-9443) - <www-client/w3m-0.5.3-r9: Multiple vulnerabilities (CVE-2016-{9422,9423,9424,9425,9426,9428,9429,9430,9431,9432,9433,9434,9437,9438,9439,9440,9441,9442,9443})
Summary: <www-client/w3m-0.5.3-r9: Multiple vulnerabilities (CVE-2016-{9422,9423,9424,...
Status: RESOLVED FIXED
Alias: CVE-2016-9422, CVE-2016-9423, CVE-2016-9424, CVE-2016-9425, CVE-2016-9426, CVE-2016-9427, CVE-2016-9428, CVE-2016-9429, CVE-2016-9430, CVE-2016-9431, CVE-2016-9432, CVE-2016-9433, CVE-2016-9434, CVE-2016-9435, CVE-2016-9436, CVE-2016-9437, CVE-2016-9438, CVE-2016-9439, CVE-2016-9440, CVE-2016-9441, CVE-2016-9442, CVE-2016-9443
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2016/q4/452
Whiteboard: A2 [glsa cve cleanup]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-11-18 15:02 UTC by Thomas Deutschmann
Modified: 2017-01-02 08:07 UTC
CC: 1 user

See Also:
Package list:
=www-client/w3m-0.5.3-r9
Runtime testing required: ---
kensington: sanity-check+


Description Thomas Deutschmann gentoo-dev Security 2016-11-18 15:02:44 UTC
From $URL:

CVE-2016-9422 - https://github.com/tats/w3m/issues/8 stack smashed
  see analysis in https://github.com/tats/w3m/pull/19

CVE-2016-9423 - https://github.com/tats/w3m/issues/9 some buffer overflow

Note that both issues/9 and issues/10 are fixed by
9f0bdcfdf061db3520bd1f112bdc5e83acdec4be; however, they are different
vulnerabilities.


CVE-2016-9424 - https://github.com/tats/w3m/issues/12 heap write

CVE-2016-9425 - https://github.com/tats/w3m/issues/21 heap write

Note that both issues/21 and issues/26 are fixed by
4e464819dd360ffd3d58fa2a89216fe413cfcc74; however, they are different
vulnerabilities.


> https://github.com/tats/w3m/issues/25 heap corruption
>   itself should be only OOM. But it was affected by
>     https://github.com/ivmai/bdwgc/issues/135
>   which becomes heap corruption

Use CVE-2016-9426 for the issues/25 vulnerability in w3m. Use
CVE-2016-9427 for the issues/135 vulnerability in libgc (aka bdwgc or
boehmgc).


CVE-2016-9428 - https://github.com/tats/w3m/issues/26 heap write

CVE-2016-9429 - https://github.com/tats/w3m/issues/29 global-buffer-overflow write

CVE-2016-9430 - https://github.com/tats/w3m/issues/7 null deref

CVE-2016-9431 - https://github.com/tats/w3m/issues/10 stack overflow

CVE-2016-9432 - https://github.com/tats/w3m/issues/13 bcopy negative size

CVE-2016-9433 - https://github.com/tats/w3m/issues/14 array index out of bound read

CVE-2016-9434 - https://github.com/tats/w3m/issues/15 null deref


> https://github.com/tats/w3m/issues/16 use uninit value

Use CVE-2016-9435 for the problem fixed by the new conditional
PUSH_ENV(HTML_DL) call in file.c in
https://github.com/tats/w3m/commit/33509cc81ec5f2ba44eb6fd98bd5c1b5873e46bd

Use CVE-2016-9436 for the problem fixed by the new "tagname[0] = '\0'"
line in parsetagx.c in
https://github.com/tats/w3m/commit/33509cc81ec5f2ba44eb6fd98bd5c1b5873e46bd


CVE-2016-9437 - https://github.com/tats/w3m/issues/17 write to rodata

CVE-2016-9438 - https://github.com/tats/w3m/issues/18 null deref

CVE-2016-9439 - https://github.com/tats/w3m/issues/20 stack overflow

CVE-2016-9440 - https://github.com/tats/w3m/issues/22 near-null deref

CVE-2016-9441 - https://github.com/tats/w3m/issues/24 near-null deref

CVE-2016-9442 - https://github.com/tats/w3m/commit/d43527cfa0dbb3ccefec4a6f7b32c1434739aa29 potential heap buffer corruption
  I classify this as "moderate" because the allocator does preserve more space
  than the required size due to bucketing. And w3m's allocator is boehmgc, which
  does not seem easily replaceable. So the heap won't be corrupted in practice.

CVE-2016-9443 - https://github.com/tats/w3m/issues/28 null deref
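The defect class named for CVE-2016-9422 above (a table span value read from an attribute and used without bounds checking, so that it ends up as an out-of-range array index or buffer size) is illustrated by the following added C example. It is not w3m's code or its fix; the function names, the MAX_SPAN ceiling and the fixed-width row layout are assumptions made for the illustration, and the sample inputs are constructed.

```c
/* Added example, not w3m's code: bounding a table span attribute before it
 * is used as a buffer size or index. Function names, MAX_SPAN and the row
 * layout are assumptions made for illustration. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_SPAN 1000   /* assumed ceiling; tie it to what the layout buffers hold */

/* The unchecked pattern: atoi() gives no error indication, so "-1" or
 * "12abc" flow straight on into indexing and allocation arithmetic. */
int parse_span_unchecked(const char *attr)
{
    return atoi(attr);
}

/* Hardened parser: strtol() with ERANGE and no-digit detection, no trailing
 * junk beyond blanks, rejection of values below 1, and a clamp to MAX_SPAN.
 * Returns -1 on invalid input. */
int parse_span_checked(const char *attr)
{
    if (attr == NULL)
        return -1;
    errno = 0;
    char *end;
    long v = strtol(attr, &end, 10);
    if (end == attr || errno == ERANGE)
        return -1;                    /* no digits, or outside long's range */
    while (*end == ' ' || *end == '\t')
        end++;                        /* tolerate trailing blanks only */
    if (*end != '\0')
        return -1;
    if (v < 1)
        return -1;                    /* a span below 1 is meaningless for a cell */
    if (v > MAX_SPAN)
        return MAX_SPAN;              /* clamp rather than trust the page */
    return (int)v;
}

/* Marks `span` cells of a fixed-width row starting at `start`, truncating the
 * span to what remains in the row so the write can never leave the array.
 * Returns the number of cells actually marked, or -1 for bad arguments. */
int place_cell(int *row, int row_width, int start, int span)
{
    if (row == NULL || row_width <= 0 || start < 0 || start >= row_width || span < 1)
        return -1;
    if (span > row_width - start)
        span = row_width - start;
    for (int i = 0; i < span; i++)
        row[start + i] = 1;
    return span;
}

int main(void)
{
    /* constructed attribute values, as they might appear in a hostile page */
    const char *samples[] = { "3", "-1", "12abc", "5000" };
    int row[8] = { 0 };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s unchecked=%d checked=%d\n", samples[i],
               parse_span_unchecked(samples[i]), parse_span_checked(samples[i]));

    /* a value beyond long's range is rejected outright rather than wrapping */
    printf("huge     checked=%d\n", parse_span_checked("99999999999999999999"));

    /* a span that would run past the row is cut down to the 2 cells left */
    printf("placed %d cells\n", place_cell(row, 8, 6, parse_span_checked("5")));
    return 0;
}
```

The two functions show the two places where the check belongs: once when the attribute text is converted, so that negative, overflowing and malformed values never become integers the renderer trusts, and again at the point of use, so that even a legitimately parsed span cannot write past the row it is placed into.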
Comment 1 Thomas Deutschmann gentoo-dev Security 2016-11-18 15:04:54 UTC
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 2 Agostino Sarubbo gentoo-dev 2016-11-18 16:59:34 UTC
For completeness:

The package mentioned in the bug report is Debian's fork of w3m, available at https://github.com/tats/w3m.

Our www-client/w3m refers to https://sourceforge.net/projects/w3m/files/w3m/w3m-0.5.3/ which is dead upstream.

I'm not sure at all that all vulnerabilities and all patches apply to the original w3m.
Comment 3 Thomas Deutschmann gentoo-dev Security 2016-11-18 20:28:06 UTC
See the confirmed bug 576514. Looks like the Gentoo maintainer is aware of the changed upstream.
Comment 4 Yixun Lan gentoo-dev 2016-12-03 05:51:05 UTC
pushed/fixed at www-client/w3m-0.5.3-r9, thanks

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8980adf0be95c6fa394f71a2b7ff63b475c87aa5
Comment 5 Thomas Deutschmann gentoo-dev Security 2016-12-04 00:00:09 UTC
@ Arches,

please test and mark stable: =www-client/w3m-0.5.3-r9
Comment 6 Tobias Klausmann gentoo-dev 2016-12-05 15:49:07 UTC
Stable on alpha.
Comment 7 Agostino Sarubbo gentoo-dev 2016-12-05 19:11:55 UTC
While making the GLSA, please consider adding the following CVEs:
http://marc.info/?l=oss-security&m=147995099420114&w=2
Comment 8 Agostino Sarubbo gentoo-dev 2016-12-06 11:51:26 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-12-06 11:54:16 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-12-19 14:40:20 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-12-19 15:16:43 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2016-12-20 09:49:42 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2016-12-22 09:38:08 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2017-01-01 13:01:41 UTC
CVE-2016-9443 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9443):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  w3m allows remote attackers to cause a denial of service (segmentation fault
  and crash) via a crafted HTML page.

CVE-2016-9442 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9442):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  w3m allows remote attackers to cause memory corruption in certain conditions
  via a crafted HTML page.

CVE-2016-9441 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9441):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  w3m allows remote attackers to cause a denial of service (segmentation fault
  and crash) via a crafted HTML page.

CVE-2016-9440 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9440):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  w3m allows remote attackers to cause a denial of service (segmentation fault
  and crash) via a crafted HTML page.

CVE-2016-9439 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9439):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  Infinite recursion vulnerability in w3m allows remote attackers to cause a
  denial of service via a crafted HTML page.

CVE-2016-9438 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9438):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  w3m allows remote attackers to cause a denial of service (segmentation fault
  and crash) via a crafted HTML page.

CVE-2016-9437 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9437):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  w3m allows remote attackers to cause a denial of service (segmentation fault
  and crash) and possibly memory corruption via a crafted HTML page.

CVE-2016-9434 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9434):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  w3m allows remote attackers to cause a denial of service (segmentation fault
  and crash) via a crafted HTML page.

CVE-2016-9433 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9433):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  w3m allows remote attackers to cause a denial of service (out-of-bounds
  array access) via a crafted HTML page.

CVE-2016-9432 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9432):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  w3m allows remote attackers to cause a denial of service (memory corruption,
  segmentation fault, and crash) via a crafted HTML page.

CVE-2016-9431 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9431):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  Infinite recursion vulnerability in w3m allows remote attackers to cause a
  denial of service via a crafted HTML page.

CVE-2016-9430 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9430):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  w3m allows remote attackers to cause a denial of service (segmentation fault
  and crash) via a crafted HTML page.

CVE-2016-9429 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9429):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  Buffer overflow in the formUpdateBuffer function in w3m allows remote
  attackers to cause a denial of service (crash) and possibly execute
  arbitrary code via a crafted HTML page.

CVE-2016-9428 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9428):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  Heap-based buffer overflow in the addMultirowsForm function in w3m allows
  remote attackers to cause a denial of service (crash) and possibly execute
  arbitrary code via a crafted HTML page.

CVE-2016-9426 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9426):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  Integer overflow vulnerability in the renderTable function in w3m allows
  remote attackers to cause a denial of service (OOM) and possibly execute
  arbitrary code due to bdwgc's bug (CVE-2016-9427) via a crafted HTML page.

CVE-2016-9425 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9425):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  Heap-based buffer overflow in the addMultirowsForm function in w3m allows
  remote attackers to cause a denial of service (crash) and possibly execute
  arbitrary code via a crafted HTML page.

CVE-2016-9424 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9424):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  w3m doesn't properly validate the value of tag attribute, which allows
  remote attackers to cause a denial of service (heap buffer overflow crash)
  and possibly execute arbitrary code via a crafted HTML page.

CVE-2016-9423 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9423):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  Heap-based buffer overflow in w3m allows remote attackers to cause a denial
  of service (crash) and possibly execute arbitrary code via a crafted HTML
  page.

CVE-2016-9422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9422):
  An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31.
  The feed_table_tag function in w3m doesn't properly validate the value of
  table span, which allows remote attackers to cause a denial of service
  (stack and/or heap buffer overflow) and possibly execute arbitrary code via
  a crafted HTML page.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-01-01 16:18:24 UTC
This issue was resolved and addressed in
 GLSA 201701-08 at https://security.gentoo.org/glsa/201701-08
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 16 Thomas Deutschmann gentoo-dev Security 2017-01-01 16:20:18 UTC
Re-opening for cleanup.

@ Maintainer(s): Please drop <www-client/w3m-0.5.3-r9
Comment 17 Yixun Lan gentoo-dev 2017-01-02 07:46:40 UTC
all old vulnerable versions are dropped.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e93356f2a082efc77909d75820aba87dacd20e0b