diffstat for w3m-0.5.3 w3m-0.5.3
changelog | 17 +++++++
control | 3 -
patches/CVE-2018-6196.patch | 29 ++++++++++++
patches/CVE-2018-6197.patch | 23 ++++++++++
patches/CVE-2018-6198.patch | 101 ++++++++++++++++++++++++++++++++++++++++++++
patches/series | 3 +
6 files changed, 175 insertions(+), 1 deletion(-)
diff -Nru w3m-0.5.3/debian/changelog w3m-0.5.3/debian/changelog
--- w3m-0.5.3/debian/changelog 2017-01-04 14:25:02.000000000 +0000
+++ w3m-0.5.3/debian/changelog 2018-01-30 19:34:00.000000000 +0000
@@ -1,3 +1,20 @@
+w3m (0.5.3-34ubuntu0.1) artful-security; urgency=medium
+
+ * SECURITY UPDATE: Infinite recursion flaw in HTMLlineproc0
+ - debian/patches/CVE-2018-6196.patch: prevent negative indent value
+ in table.c.
+ - CVE-2018-6196
+ * SECURITY UPDATE: NULL pointer dereference flaw in formUpdateBuffer
+ - debian/patches/CVE-2018-6197.patch: prevent invalid columnPos() call
+ in form.c.
+ - CVE-2018-6197
+ * SECURITY UPDATE: does not properly handle temp files
+ - debian/patches/CVE-218-6198.patch: make temp directory safely
+ in config.h.dist, config.h.in, configure, configure.ac, main.c and rc.c.
+ - CVE-2018-6198
+
+ -- Leonidas S. Barbosa Tue, 30 Jan 2018 16:34:00 -0300
+
w3m (0.5.3-34) unstable; urgency=medium

* Update 020_debian.patch to v0.5.3+git20170102
diff -Nru w3m-0.5.3/debian/control w3m-0.5.3/debian/control
--- w3m-0.5.3/debian/control 2017-01-04 14:11:21.000000000 +0000
+++ w3m-0.5.3/debian/control 2018-01-30 19:34:00.000000000 +0000
@@ -1,7 +1,8 @@
Source: w3m
Section: web
Priority: optional
-Maintainer: Tatsuya Kinoshita
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Tatsuya Kinoshita
Uploaders: HIGUCHI Daisuke (VDR dai)
Build-Depends: libgc-dev, libncurses5-dev, libgpm-dev [linux-any], zlib1g-dev, libssl-dev, debhelper (>= 9), gawk | awk, libimlib2-dev, pkg-config, autotools-dev (>= 20100122)
Homepage: http://sourceforge.net/projects/w3m/
diff -Nru w3m-0.5.3/debian/patches/CVE-2018-6196.patch w3m-0.5.3/debian/patches/CVE-2018-6196.patch
--- w3m-0.5.3/debian/patches/CVE-2018-6196.patch 1970-01-01 00:00:00.000000000 +0000
+++ w3m-0.5.3/debian/patches/CVE-2018-6196.patch 2018-01-30 19:33:23.000000000 +0000
@@ -0,0 +1,29 @@
+From 8354763b90490d4105695df52674d0fcef823e92 Mon Sep 17 00:00:00 2001
+From: Tatsuya Kinoshita
+Date: Sat, 20 Jan 2018 21:31:03 +0900
+Subject: [PATCH] Prevent negative indent value in feed_table_block_tag()
+
+Bug-Debian: https://github.com/tats/w3m/issues/88
+---
+ table.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/table.c b/table.c
+index 221db92..4f193e1 100644
+--- a/table.c
++++ b/table.c
+@@ -2356,10 +2356,14 @@ feed_table_block_tag(struct table *tbl,
+ if (mode->indent_level < MAX_INDENT_LEVEL)
+ tbl->indent -= INDENT_INCR;
+ }
++ if (tbl->indent < 0)
++ tbl->indent = 0;
+ offset = tbl->indent;
+ if (cmd == HTML_DT) {
+ if (mode->indent_level > 0 && mode->indent_level <= MAX_INDENT_LEVEL)
+ offset -= INDENT_INCR;
++ if (offset < 0)
++ offset = 0;
+ }
+ if (tbl->indent > 0) {
+ check_minimum0(tbl, 0);
diff -Nru w3m-0.5.3/debian/patches/CVE-2018-6197.patch w3m-0.5.3/debian/patches/CVE-2018-6197.patch
--- w3m-0.5.3/debian/patches/CVE-2018-6197.patch 1970-01-01 00:00:00.000000000 +0000
+++ w3m-0.5.3/debian/patches/CVE-2018-6197.patch 2018-01-30 19:33:42.000000000 +0000
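Review bot: The two clamps added at `tbl->indent` and `offset` say nothing about why a negative value must never leave this point, although the changelog ties it to unbounded recursion in HTMLlineproc0 (CVE-2018-6196); a maintainer reading feed_table_block_tag later will not know the clamp is load-bearing. A one-line comment above the first clamp would fix that, e.g. `/* never let indent go negative: it drove unbounded recursion in HTMLlineproc0 (CVE-2018-6196) */`. The clamps also appear to cover a drift between mode->indent_level and tbl->indent that presumably originates earlier in the function, so the root cause is worth a comment or assertion where indent_level is adjusted. feed_table_block_tag starts and ends outside the hunk.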
@@ -0,0 +1,23 @@
+From 7fdc83b0364005a0b5ed869230dd81752ba022e8 Mon Sep 17 00:00:00 2001
+From: Tatsuya Kinoshita
+Date: Wed, 27 Dec 2017 06:43:52 +0900
+Subject: [PATCH] Prevent invalid columnPos() call in formUpdateBuffer()
+
+Bug-Debian: https://github.com/tats/w3m/issues/89
+---
+ form.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: w3m-0.5.3/form.c
+===================================================================
+--- w3m-0.5.3.orig/form.c
++++ w3m-0.5.3/form.c
+@@ -483,6 +483,8 @@ formUpdateBuffer(Anchor *a, Buffer *buf,
+ rows = form->rows ? form->rows : 1;
+ col = COLPOS(l, a->start.pos);
+ for (c_rows = 0; c_rows < rows; c_rows++, l = l->next) {
++ if (l == NULL)
++ break;
+ if (rows > 1) {
+ pos = columnPos(l, col);
+ a = retrieveAnchor(buf->formitem, l->linenumber, pos);
diff -Nru w3m-0.5.3/debian/patches/CVE-2018-6198.patch w3m-0.5.3/debian/patches/CVE-2018-6198.patch
--- w3m-0.5.3/debian/patches/CVE-2018-6198.patch 1970-01-01 00:00:00.000000000 +0000
+++ w3m-0.5.3/debian/patches/CVE-2018-6198.patch 2018-01-30 19:33:53.000000000 +0000
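Review bot: The NULL guard on `l` is written as a break inside the loop body rather than as part of the loop bound, which hides the termination condition from the loop header; folding it in, `for (c_rows = 0; c_rows < rows && l != NULL; c_rows++, l = l->next) {`, is equivalent and drops the two added lines. Note that `col = COLPOS(l, a->start.pos);` just above still dereferences `l` unconditionally, so the first line is presumably guaranteed non-NULL by the caller; a short comment stating that assumption, `/* l is the anchor's own line; only the following rows may run out */`, would make the asymmetry deliberate rather than accidental. formUpdateBuffer starts and ends outside the hunk.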
@@ -0,0 +1,101 @@
+From 18dcbadf2771cdb0c18509b14e4e73505b242753 Mon Sep 17 00:00:00 2001
+From: Tatsuya Kinoshita
+Date: Sun, 21 Jan 2018 01:29:10 +0900
+Subject: [PATCH] Make temporary directory safely when ~/.w3m is unwritable
+
+---
+ config.h.dist | 1 +
+ config.h.in | 1 +
+ configure | 2 +-
+ configure.ac | 2 +-
+ main.c | 7 +++++++
+ rc.c | 5 +++++
+ 6 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/config.h.dist b/config.h.dist
+index 0440927..4d9c119 100644
+--- a/config.h.dist
++++ b/config.h.dist
+@@ -210,6 +210,7 @@ typedef long clen_t;
+ #define HAVE_SRANDOM
+ #undef HAVE_GETPASSPHRASE
+ #define HAVE_CHDIR
++#define HAVE_MKDTEMP
+
+
+ #define SETJMP(env) sigsetjmp(env,1)
+diff --git a/config.h.in b/config.h.in
+index 3b575e4..6ab3008 100644
+--- a/config.h.in
++++ b/config.h.in
+@@ -143,6 +143,7 @@ typedef long clen_t;
+ #undef HAVE_SRANDOM
+ #undef HAVE_GETPASSPHRASE
+ #undef HAVE_CHDIR
++#undef HAVE_MKDTEMP
+ #undef HAVE_SETPGRP
+ #undef HAVE_SETLOCALE
+ #undef HAVE_LANGINFO_CODESET
+diff --git a/configure b/configure
+index 140f050..8699b43 100755
+--- a/configure
++++ b/configure
+@@ -8767,7 +8767,7 @@ _ACEOF
+
+
+
+-for ac_func in strcasecmp strcasestr strchr memcpy strerror bcopy setpgrp chdir getcwd getwd readlink setenv putenv strtoll stroq atoll atoq symlink readlink lstat srand48 srandom getpassphrase waitpid setlocale
++for ac_func in strcasecmp strcasestr strchr memcpy strerror bcopy setpgrp chdir mkdtemp getcwd getwd readlink setenv putenv strtoll stroq atoll atoq symlink readlink lstat srand48 srandom getpassphrase waitpid setlocale
+ do :
+ as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+diff --git a/configure.ac b/configure.ac
+index 320a6e2..ebb3282 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -150,7 +150,7 @@ dnl AC_FUNC_MEMCMP
+ dnl AC_FUNC_MMAP
+ dnl AC_FUNC_SETVBUF_REVERSED
+ dnl AC_FUNC_VPRINTF
+-AC_CHECK_FUNCS(strcasecmp strcasestr strchr memcpy 
strerror bcopy setpgrp chdir getcwd getwd readlink setenv putenv strtoll stroq atoll atoq symlink readlink lstat srand48 srandom getpassphrase waitpid setlocale)
++AC_CHECK_FUNCS(strcasecmp strcasestr strchr memcpy strerror bcopy setpgrp chdir mkdtemp getcwd getwd readlink setenv putenv strtoll stroq atoll atoq symlink readlink lstat srand48 srandom getpassphrase waitpid setlocale)
+ AC_FUNC_STRFTIME
+ AC_FUNC_WAIT3
+ AC_FUNC_SETPGRP
+diff --git a/main.c b/main.c
+index a20b4a1..43e181c 100644
+--- a/main.c
++++ b/main.c
+@@ -5972,6 +5972,13 @@ w3m_exit(int i)
+ #ifdef __MINGW32_VERSION
+ WSACleanup();
+ #endif
++#ifdef HAVE_MKDTEMP
++ if (no_rc_dir && tmp_dir != rc_dir)
++ if (rmdir(tmp_dir) != 0) {
++ fprintf(stderr, "Can't remove temporary directory (%s)!\n", tmp_dir);
++ exit(1);
++ }
++#endif
+ exit(i);
+ }
+
+diff --git a/rc.c b/rc.c
+index eb562c9..3fd84ef 100644
+--- a/rc.c
++++ b/rc.c
+@@ -1330,6 +1330,11 @@ init_rc(void)
+ ((tmp_dir = getenv("TMP")) == NULL || *tmp_dir == '\0') &&
+ ((tmp_dir = getenv("TEMP")) == NULL || *tmp_dir == '\0'))
+ tmp_dir = "/tmp";
++#ifdef HAVE_MKDTEMP
++ tmp_dir = mkdtemp(Strnew_m_charp(tmp_dir, "/w3m-XXXXXX", NULL)->ptr);
++ if (tmp_dir == NULL)
++ tmp_dir = rc_dir;
++#endif
+ create_option_search_table();
+ goto open_rc;
+ }
+--
+libgit2 0.26.0
+
diff -Nru w3m-0.5.3/debian/patches/series w3m-0.5.3/debian/patches/series
--- w3m-0.5.3/debian/patches/series 2017-01-04 14:11:21.000000000 +0000
+++ w3m-0.5.3/debian/patches/series 2018-01-30 19:33:53.000000000 +0000
@@ -1,2 +1,5 @@
010_upstream.patch
020_debian.patch
+CVE-2018-6196.patch
+CVE-2018-6197.patch
+CVE-2018-6198.patch
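Review bot: In w3m_exit the `exit(1)` after a failed rmdir() discards the caller's status `i`, and rmdir(2) fails with ENOTEMPTY whenever any temporary file is still present in tmp_dir, so a single leftover file turns an otherwise clean exit into a failure; unless every temp file is unlinked before w3m_exit is reached (not visible in the hunk), it is safer to report and fall through, i.e. keep the `fprintf(stderr, "Can't remove temporary directory (%s)!\n", tmp_dir);` and let the existing `exit(i);` run. In init_rc the fallback `tmp_dir = rc_dir;` on mkdtemp() failure silently points later temp-file creation at the directory this branch has, per the subject line, already found unwritable, and the `tmp_dir != rc_dir` pointer comparison in w3m_exit depends on exactly that assignment; an `fprintf(stderr, ...)` at the fallback plus a comment tying the two together would make the coupling explicit. Without HAVE_MKDTEMP both additions compile out and tmp_dir stays the shared `/tmp`, so the CVE-2018-6198 mitigation is silently absent on such builds; a `#warning` under `#ifndef HAVE_MKDTEMP` or a configure-time message would flag that. Both w3m_exit and init_rc extend outside the hunk.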