Date: Fri, 18 Nov 2016 03:13:48 -0500 From: <cve-assign@...re.org> To: <kcwu@...e.org> CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com> Subject: Re: CVE request: w3m - multiple vulnerabilities -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 CVE-2016-9422 - https://github.com/tats/w3m/issues/8 stack smashed see analysis in https://github.com/tats/w3m/pull/19 CVE-2016-9423 - https://github.com/tats/w3m/issues/9 some buffer overflow Note that both issues/9 and issues/10 are fixed by 9f0bdcfdf061db3520bd1f112bdc5e83acdec4be; however, they are different vulnerabilities. CVE-2016-9424 - https://github.com/tats/w3m/issues/12 heap write CVE-2016-9425 - https://github.com/tats/w3m/issues/21 heap write Note that both issues/21 and issues/26 are fixed by 4e464819dd360ffd3d58fa2a89216fe413cfcc74; however, they are different vulnerabilities. > https://github.com/tats/w3m/issues/25 heap corruption > itself should be only OOM. But it was affected by > https://github.com/ivmai/bdwgc/issues/135 > which become heap corruption Use CVE-2016-9426 for the issues/25 vulnerability in w3m. Use CVE-2016-9427 for the issues/135 vulnerability in libgc (aka bdwgc or boehmgc). CVE-2016-9428 - https://github.com/tats/w3m/issues/26 heap write CVE-2016-9429 - https://github.com/tats/w3m/issues/29 global-buffer-overflow write CVE-2016-9430 - https://github.com/tats/w3m/issues/7 null deref CVE-2016-9431 - https://github.com/tats/w3m/issues/10 stack overflow CVE-2016-9432 - https://github.com/tats/w3m/issues/13 bcopy negative size CVE-2016-9433 - https://github.com/tats/w3m/issues/14 array index out of bound read CVE-2016-9434 - https://github.com/tats/w3m/issues/15 null deref > https://github.com/tats/w3m/issues/16 use uninit value Use CVE-2016-9435 for the problem fixed by the new conditional PUSH_ENV(HTML_DL) call in file.c in https://github.com/tats/w3m/commit/33509cc81ec5f2ba44eb6fd98bd5c1b5873e46bd Use CVE-2016-9436 for the problem fixed by the new "tagname = '\0'" line in parsetagx.c in https://github.com/tats/w3m/commit/33509cc81ec5f2ba44eb6fd98bd5c1b5873e46bd CVE-2016-9437 - https://github.com/tats/w3m/issues/17 write to rodata CVE-2016-9438 - https://github.com/tats/w3m/issues/18 null deref CVE-2016-9439 - https://github.com/tats/w3m/issues/20 stack overflow CVE-2016-9440 - https://github.com/tats/w3m/issues/22 near-null deref CVE-2016-9441 - https://github.com/tats/w3m/issues/24 near-null deref CVE-2016-9442 - https://github.com/tats/w3m/commit/d43527cfa0dbb3ccefec4a6f7b32c1434739aa29 potential heap buffer corruption I classify this as "moderate" because the allocator do preserve more space than required size due to bucketing. And w3m's allocator is boehmgc, it seems not easy replaceable. So the heap won't be corrupted in practice CVE-2016-9443 - https://github.com/tats/w3m/issues/28 null deref - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJYLrfFAAoJEHb/MwWLVhi2oVkP/37BjwMtl3eBG7iJMhMJ+CM2 q6MswxfueNx+xJFoEKY6bcFY7Es4S2iVMLVnGVPwWXRhQPLOww2jGNv8kSrrQ5S/ TJ5aHU1pbnmCg3Cz/SQDRpNAAr6pQiqXqRC0zvXEBhLWqfyZH4qfWu2WPVfBvuKz 6JC53YrHUPrHzbD97+FhBGBuIXWUv2hUKQ4pLa7ikzQ/WfsOkQn70GIT6cEVSkef wFu4H+3Umq0EufW/ScTfCkDoWeNyk5/kg44Q5jsOiKbco/bEMrlKOt4hSjt5dZNB /RKnNkGri3vJA3d50wIjIq6vlDgbCTEOhJx1Q+9CAYwXlWytgmYTUHl4Mb0z1rqm 4ljlkTVIW3MQl0l3bIDdL8WYEJ6eUvj+nL8WeiszwpZneZr+eStD67T/tKJipJla yeG9bnVfWtDytobHO7s8EN8KJhGPanmzj6vPoqiXt52S/Tcp3oe24EGa+CtfnDnG i4BDm9yAnRuZ7ZkeynnnRBxA+kOU9gTlfx23PL7N8slRpZeNONrNVsgl83Trp1Q1 UdUxLv3qleJJFWA1F2MQPMaiHYICF4aWh02Tf5Dmp42tHU58Ezhv5LFD7CpEoKj2 Nws7sati4M5CmOkLjkFSFcg8fPkPiGR0kqBt8Ck+3QVDeln+zD3+LQBg/4dU6qnJ VkeNyH+PpwPAk5+CyOr3 =QSeZ -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ