[arch-security] [ASA-201611-18] w3m: multiple issues
Arch Linux Security Advisory ASA-201611-18
==========================================

Severity: Critical
Date    : 2016-11-18
CVE-ID  : CVE-2016-9422 CVE-2016-9423 CVE-2016-9424 CVE-2016-9425
          CVE-2016-9426 CVE-2016-9428 CVE-2016-9429 CVE-2016-9430
          CVE-2016-9431 CVE-2016-9432 CVE-2016-9433 CVE-2016-9434
          CVE-2016-9435 CVE-2016-9436 CVE-2016-9437 CVE-2016-9438
          CVE-2016-9439 CVE-2016-9440 CVE-2016-9441 CVE-2016-9442
Package : w3m
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package w3m before version 0.5.3.git20161031-1 is vulnerable to
multiple issues including arbitrary code execution and denial of service.

Resolution
==========

Upgrade to 0.5.3.git20161031-1.

# pacman -Syu "w3m>=0.5.3.git20161031-1"

The problems have been fixed upstream in version 0.5.3.git20161031.

Workaround
==========

None.

Description
===========

- CVE-2016-9422 (arbitrary code execution)

A problem has been discovered when rowspan and colspan are not at least 1.
If one of them is zero and the other is larger than 1, the HTT_X and HTT_Y
attributes are not set correctly, resulting in a wrong calculation of
maxcol or maxrow (which then does not account for the colspan/rowspan).
This leads to a potentially exploitable buffer overflow.

- CVE-2016-9423 (arbitrary code execution)

A stack overflow vulnerability has been discovered in deleteFrameSet() on
specially crafted input such as a malformed HTML tag.

- CVE-2016-9424 (arbitrary code execution)

A heap out-of-bounds write has been discovered due to a negative array
index for selectnumber and textareanumber.

- CVE-2016-9425 (arbitrary code execution)

A heap buffer overflow vulnerability has been discovered in
addMultirowsForm() due to an invalid array access resulting in a write to
lineBuf[-1].

- CVE-2016-9426 (arbitrary code execution)

A heap corruption vulnerability has been discovered due to an integer
overflow in renderTable() leading to an unexpected write outside the
tabwidth array boundaries.

- CVE-2016-9428 (arbitrary code execution)

A heap buffer overflow vulnerability has been discovered in
addMultirowsForm() due to an invalid array access resulting in a write to
lineBuf[-1].

- CVE-2016-9429 (arbitrary code execution)

An out-of-bounds write vulnerability has been discovered in
formUpdateBuffer() due to invalid length and position checks.

- CVE-2016-9430 (denial of service)

A problem has been discovered when malformed input field type properties
are supplied, leading to an application crash.

- CVE-2016-9431 (arbitrary code execution)

A stack overflow vulnerability has been discovered in deleteFrameSet() on
specially crafted input such as a malformed HTML tag.

- CVE-2016-9432 (arbitrary code execution)

A vulnerability has been discovered in formUpdateBuffer() due to
insufficient bounds validation, leading to a bcopy() call with a negative
size that is converted to an unexpectedly large unsigned value.

- CVE-2016-9433 (denial of service)

An out-of-bounds read access has been discovered in the iso2022 parsing
while calculating the WC_CCS_INDEX, leading to an application crash
resulting in denial of service.

- CVE-2016-9434 (arbitrary code execution)

An out-of-bounds write vulnerability has been discovered while handling
form_int fields. An incorrect form_int fid is not properly checked and
leads to an out-of-bounds write in forms[form_id]->next.

- CVE-2016-9435 (arbitrary code execution)

Multiple issues have been discovered related to uninitialized values for
<i> and <dd> HTML elements. A missing PUSH_ENV(HTML_DL) call leads to a
conditional jump or move depending on an uninitialized value, resulting in
a stack overflow vulnerability.

- CVE-2016-9436 (arbitrary code execution)

Multiple issues have been discovered related to uninitialized values for
<i> and <dd> HTML elements. A missing null termination of the tagname
variable in parsetagx.c leads to an out-of-bounds access.

- CVE-2016-9437 (arbitrary code execution)

An out-of-bounds write access has been discovered when using invalid
button element type properties such as '<button type=radio>'.

- CVE-2016-9438 (denial of service)

A null pointer dereference problem has been discovered while processing
the input_alt tag, leading to an application crash.

- CVE-2016-9439 (denial of service)

An infinite recursion problem has been discovered when processing nested
table and textarea elements, leading to an application crash.

- CVE-2016-9440 (denial of service)

A null pointer dereference problem has been discovered in the
formUpdateBuffer() function, leading to a segmentation fault resulting in
an application crash.

- CVE-2016-9441 (denial of service)

A null pointer dereference problem has been discovered in the do_refill()
function, triggered by a malformed table_alt tag, leading to a
segmentation fault resulting in an application crash.

- CVE-2016-9442 (denial of service)

A potential heap buffer corruption vulnerability has been discovered due
to Strgrow(). Note that w3m's allocator (boehmgc) reserves more space than
the requested size due to bucketing, so the heap should not be corrupted in
practice.

Impact
======

A remote attacker is able to execute arbitrary code or crash the
application via various vectors.
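Several of the issues above share one root cause: an attacker-controlled
integer (a form field position or length, a rowspan/colspan attribute) is
used to index or size a buffer without being checked for negative or
oversized values, and a negative int handed to bcopy()/memcpy() silently
becomes a huge size_t. The C below is an added example written for this
advisory, not w3m code: it models a line buffer being spliced the way the
descriptions of CVE-2016-9425, CVE-2016-9429 and CVE-2016-9432 describe,
shows what the unchecked size conversion would do without performing it,
and pairs it with the checks that reject such input, plus a span clamp for
the CVE-2016-9422 zero-span case. The struct, the buffer size, and the
function names are assumptions for illustration; the clamp policy is an
assumed one, not the upstream fix.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not w3m code). Names, buffer size and the line struct
 * are assumptions for illustration. */

enum { LINE_CAP = 64 };

struct line {
    char buf[LINE_CAP];
    int  len;            /* bytes in use; signed, as in many C renderers */
};

void line_init(struct line *l, const char *text) {
    size_t n = strlen(text);
    memset(l->buf, 0, sizeof l->buf);
    if (n > (size_t)(LINE_CAP - 1)) n = LINE_CAP - 1;
    memcpy(l->buf, text, n);
    l->len = (int)n;
}

/* What an UNCHECKED memcpy(l->buf + pos, src, (size_t)len) would do against
 * a buffer of cap bytes, computed without performing the write. A negative
 * len becomes a huge size_t (-1 -> SIZE_MAX); a negative pos writes before
 * the buffer, the lineBuf[-1] class from the advisory. Returns 1 if the
 * write would leave the buffer. */
int unchecked_would_overrun(int pos, int len, int cap) {
    size_t n = (size_t)len;              /* the implicit int -> size_t conversion */
    if (pos < 0 || pos > cap) return 1;
    return n > (size_t)(cap - pos);
}

/* Hardened splice: reject negative or out-of-range pos/len before any copy.
 * Returns 0 on success, -1 when rejected. Both operands are bounded before
 * pos + len is formed, so that sum cannot overflow either. */
int splice_checked(struct line *l, int pos, int len, const char *src) {
    if (pos < 0 || len < 0) return -1;           /* negative index / length */
    if (pos > l->len) return -1;                 /* beyond current content */
    if (len > (LINE_CAP - 1) - pos) return -1;   /* keep room for the NUL */
    memcpy(l->buf + pos, src, (size_t)len);
    if (pos + len > l->len) {
        l->len = pos + len;
        l->buf[l->len] = '\0';
    }
    return 0;
}

/* Table spans are attacker-controlled integers; clamp to [1, max_span]
 * before any geometry math (the rowspan/colspan-of-zero case). Assumed
 * policy for illustration, not the upstream fix. */
int clamp_span(int span, int max_span) {
    if (span < 1) return 1;
    return span > max_span ? max_span : span;
}

/* Runs the checked splice on a constructed line ("hello") through the
 * cases the checks exist for; returns 1 when every outcome is as expected. */
int demo_splice(void) {
    struct line l;
    line_init(&l, "hello");
    if (splice_checked(&l, 2, 3, "XYZ") != 0 || strcmp(l.buf, "heXYZ") != 0 || l.len != 5) return 0;
    if (splice_checked(&l, 0, -1, "x") != -1) return 0;             /* negative length */
    if (splice_checked(&l, 6, 1, "x") != -1) return 0;              /* past content end */
    if (splice_checked(&l, 60, 10, "0123456789") != -1) return 0;   /* past buffer end */
    if (splice_checked(&l, 5, 3, "!!!") != 0 || strcmp(l.buf, "heXYZ!!!") != 0 || l.len != 8) return 0;
    return 1;
}

int main(void) {
    printf("unchecked memcpy with len=-1 overruns: %d\n", unchecked_would_overrun(0, -1, LINE_CAP));
    printf("checked splice behaves as expected: %d\n", demo_splice());
    printf("clamp_span(0) -> %d, clamp_span(5000) -> %d\n", clamp_span(0, 1000), clamp_span(5000, 1000));
    return 0;
}
```

The point of unchecked_would_overrun() is the single cast: once a signed
length reaches a size_t parameter, "-1 bytes" is the largest possible copy,
so the check has to happen on the signed value before the call, and the
position has to be validated against the current content length, not only
against the allocation.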
References
==========

http://www.openwall.com/lists/oss-security/2016/11/18/3
https://github.com/tats/w3m/issues/8
https://github.com/tats/w3m/issues/9
https://github.com/tats/w3m/issues/12
https://github.com/tats/w3m/issues/21
https://github.com/tats/w3m/issues/25
https://github.com/tats/w3m/issues/26
https://github.com/tats/w3m/issues/29
https://github.com/tats/w3m/issues/7
https://github.com/tats/w3m/issues/10
https://github.com/tats/w3m/issues/13
https://github.com/tats/w3m/issues/14
https://github.com/tats/w3m/issues/15
https://github.com/tats/w3m/issues/16
https://github.com/tats/w3m/commit/33509cc81ec5f2ba44eb6fd98bd5c1b5873e46bd
https://github.com/tats/w3m/issues/17
https://github.com/tats/w3m/issues/18
https://github.com/tats/w3m/issues/20
https://github.com/tats/w3m/issues/22
https://github.com/tats/w3m/issues/24
https://github.com/tats/w3m/commit/d43527cfa0dbb3ccefec4a6f7b32c1434739aa29
https://access.redhat.com/security/cve/CVE-2016-9422
https://access.redhat.com/security/cve/CVE-2016-9423
https://access.redhat.com/security/cve/CVE-2016-9424
https://access.redhat.com/security/cve/CVE-2016-9425
https://access.redhat.com/security/cve/CVE-2016-9426
https://access.redhat.com/security/cve/CVE-2016-9428
https://access.redhat.com/security/cve/CVE-2016-9429
https://access.redhat.com/security/cve/CVE-2016-9430
https://access.redhat.com/security/cve/CVE-2016-9431
https://access.redhat.com/security/cve/CVE-2016-9432
https://access.redhat.com/security/cve/CVE-2016-9433
https://access.redhat.com/security/cve/CVE-2016-9434
https://access.redhat.com/security/cve/CVE-2016-9435
https://access.redhat.com/security/cve/CVE-2016-9436
https://access.redhat.com/security/cve/CVE-2016-9437
https://access.redhat.com/security/cve/CVE-2016-9438
https://access.redhat.com/security/cve/CVE-2016-9439
https://access.redhat.com/security/cve/CVE-2016-9440
https://access.redhat.com/security/cve/CVE-2016-9441
https://access.redhat.com/security/cve/CVE-2016-9442
Participants (1): Levente Polyak