[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1029320: marked as done (bullseye-pu: package w3m/0.5.3+git20210102-6+deb11u1)

Your message dated Sat, 29 Apr 2023 10:54:14 +0100
with message-id <502b8fb37ece620c9723446611a9287974ba5a0c.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 11.7
has caused the Debian Bug report #1029320,
regarding bullseye-pu: package w3m/0.5.3+git20210102-6+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1029320: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029320
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

Hi release team,

I'd like to update package w3m in bullseye to fix a security issue,
managed as minor issue, no-dsa.
cf. https://security-tracker.debian.org/tracker/CVE-2022-38223

See this changelog and the attached debdiff.

w3m (0.5.3+git20210102-6+deb11u1) bullseye; urgency=medium

  * New patch 050_checktype.patch to fix out-of-bounds write in checkType
    [CVE-2022-38223] (closes: #1019599)

 -- Tatsuya Kinoshita <tats@debian.org>  Thu, 12 Jan 2023 23:28:20 +0900

Please let me know if I can upload it.

Thanks,
-- 
Tatsuya Kinoshita

diffstat for w3m-0.5.3+git20210102 w3m-0.5.3+git20210102

 changelog                   |    7 +++
 patches/050_checktype.patch |   90 ++++++++++++++++++++++++++++++++++++++++++++
 patches/series              |    1 
 3 files changed, 98 insertions(+)

diff -Nru w3m-0.5.3+git20210102/debian/changelog w3m-0.5.3+git20210102/debian/changelog
--- w3m-0.5.3+git20210102/debian/changelog	2021-03-01 06:59:20.000000000 +0900
+++ w3m-0.5.3+git20210102/debian/changelog	2023-01-12 23:28:20.000000000 +0900
@@ -1,3 +1,10 @@
+w3m (0.5.3+git20210102-6+deb11u1) bullseye; urgency=medium
+
+  * New patch 050_checktype.patch to fix out-of-bounds write in checkType
+    [CVE-2022-38223] (closes: #1019599)
+
+ -- Tatsuya Kinoshita <tats@debian.org>  Thu, 12 Jan 2023 23:28:20 +0900
+
 w3m (0.5.3+git20210102-6) unstable; urgency=medium
 
   * Update 030_str-overflow.patch to avoid zero size allocation in Str.c
diff -Nru w3m-0.5.3+git20210102/debian/patches/050_checktype.patch w3m-0.5.3+git20210102/debian/patches/050_checktype.patch
--- w3m-0.5.3+git20210102/debian/patches/050_checktype.patch	1970-01-01 09:00:00.000000000 +0900
+++ w3m-0.5.3+git20210102/debian/patches/050_checktype.patch	2023-01-12 23:25:35.000000000 +0900
@@ -0,0 +1,90 @@
+Subject: Fix m17n backspace handling causes out-of-bounds write in checkType [CVE-2022-38223]
+Author: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019599
+Bug-Debian: https://github.com/tats/w3m/issues/242
+
+--- a/etc.c
++++ b/etc.c
+@@ -253,14 +253,26 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+     char *es = NULL;
+ #endif
+     int do_copy = FALSE;
++#ifdef USE_M17N
+     int i;
+     int plen = 0, clen;
++    int *plens = NULL;
++    static int *plens_buffer = NULL;
++    static int plens_size = 0;
++#endif
+ 
+     if (prop_size < s->length) {
+ 	prop_size = (s->length > LINELEN) ? s->length : LINELEN;
+ 	prop_buffer = New_Reuse(Lineprop, prop_buffer, prop_size);
+     }
+     prop = prop_buffer;
++#ifdef USE_M17N
++    if (plens_size < s->length) {
++	plens_size = (s->length > LINELEN) ? s->length : LINELEN;
++	plens_buffer = New_Reuse(int, plens_buffer, plens_size);
++    }
++    plens = plens_buffer;
++#endif
+ 
+     if (ShowEffect) {
+ 	bs = memchr(str, '\b', s->length);
+@@ -295,14 +307,21 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ #ifdef USE_ANSI_COLOR
+ 		if (color)
+ 		    *(color++) = 0;
++#endif
++#ifdef USE_M17N
++		*(plens++) = plen = 1;
+ #endif
+ 	    }
+ 	    Strcat_charp_n(s, sp, (int)(str - sp));
+ 	}
+     }
+     if (!do_copy) {
+-	for (; str < endp && IS_ASCII(*str); str++)
++	for (; str < endp && IS_ASCII(*str); str++) {
+ 	    *(prop++) = PE_NORMAL | (IS_CNTRL(*str) ? PC_CTRL : PC_ASCII);
++#ifdef USE_M17N
++	    *(plens++) = plen = 1;
++#endif
++	}
+     }
+ 
+     while (str < endp) {
+@@ -364,6 +383,7 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ 			else {
+ 			    Strshrink(s, plen);
+ 			    prop -= plen;
++			    plen = *(--plens);
+ 			    str += 2;
+ 			}
+ 		    }
+@@ -385,6 +405,7 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ 			else {
+ 			    Strshrink(s, plen);
+ 			    prop -= plen;
++			    plen = *(--plens);
+ 			    str++;
+ 			}
+ #else
+@@ -429,7 +450,6 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ 	}
+ #endif
+ 
+-	plen = get_mclen(str);
+ 	mode = get_mctype(str) | effect;
+ #ifdef USE_ANSI_COLOR
+ 	if (color) {
+@@ -439,6 +459,8 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ #endif
+ 	*(prop++) = mode;
+ #ifdef USE_M17N
++	plen = get_mclen(str);
++	*(plens++) = plen;
+ 	if (plen > 1) {
+ 	    mode = (mode & ~PC_WCHAR1) | PC_WCHAR2;
+ 	    for (i = 1; i < plen; i++) {
diff -Nru w3m-0.5.3+git20210102/debian/patches/series w3m-0.5.3+git20210102/debian/patches/series
--- w3m-0.5.3+git20210102/debian/patches/series	2021-03-01 06:50:46.000000000 +0900
+++ w3m-0.5.3+git20210102/debian/patches/series	2023-01-12 23:25:35.000000000 +0900
@@ -1,3 +1,4 @@
 010_section.patch
 030_str-overflow.patch
 040_libwc-overflow.patch
+050_checktype.patch

Attachment: pgphCTYaB9EAy.pgp
Description: PGP signature


--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 11.7

Hi,

Each of the updates referred to in these requests was included in this
morning's 11.7 point release.

Regards,

Adam

--- End Message ---
Reply to: