Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 18 Nov 2016 03:13:48 -0500
From: <cve-assign@...re.org>
To: <kcwu@...e.org>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: CVE request: w3m - multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CVE-2016-9422 - https://github.com/tats/w3m/issues/8 stack smashed
  see analysis in https://github.com/tats/w3m/pull/19

CVE-2016-9423 - https://github.com/tats/w3m/issues/9 some buffer overflow

Note that both issues/9 and issues/10 are fixed by
9f0bdcfdf061db3520bd1f112bdc5e83acdec4be; however, they are different
vulnerabilities.


CVE-2016-9424 - https://github.com/tats/w3m/issues/12 heap write

CVE-2016-9425 - https://github.com/tats/w3m/issues/21 heap write

Note that both issues/21 and issues/26 are fixed by
4e464819dd360ffd3d58fa2a89216fe413cfcc74; however, they are different
vulnerabilities.


> https://github.com/tats/w3m/issues/25 heap corruption
>   itself should be only OOM. But it was affected by
>     https://github.com/ivmai/bdwgc/issues/135
>   which become heap corruption

Use CVE-2016-9426 for the issues/25 vulnerability in w3m. Use
CVE-2016-9427 for the issues/135 vulnerability in libgc (aka bdwgc or
boehmgc).


CVE-2016-9428 - https://github.com/tats/w3m/issues/26 heap write

CVE-2016-9429 - https://github.com/tats/w3m/issues/29 global-buffer-overflow write

CVE-2016-9430 - https://github.com/tats/w3m/issues/7 null deref

CVE-2016-9431 - https://github.com/tats/w3m/issues/10 stack overflow

CVE-2016-9432 - https://github.com/tats/w3m/issues/13 bcopy negative size

CVE-2016-9433 - https://github.com/tats/w3m/issues/14 array index out of bound read

CVE-2016-9434 - https://github.com/tats/w3m/issues/15 null deref


> https://github.com/tats/w3m/issues/16 use uninit value

Use CVE-2016-9435 for the problem fixed by the new conditional
PUSH_ENV(HTML_DL) call in file.c in
https://github.com/tats/w3m/commit/33509cc81ec5f2ba44eb6fd98bd5c1b5873e46bd

Use CVE-2016-9436 for the problem fixed by the new "tagname[0] = '\0'"
line in parsetagx.c in
https://github.com/tats/w3m/commit/33509cc81ec5f2ba44eb6fd98bd5c1b5873e46bd


CVE-2016-9437 - https://github.com/tats/w3m/issues/17 write to rodata

CVE-2016-9438 - https://github.com/tats/w3m/issues/18 null deref

CVE-2016-9439 - https://github.com/tats/w3m/issues/20 stack overflow

CVE-2016-9440 - https://github.com/tats/w3m/issues/22 near-null deref

CVE-2016-9441 - https://github.com/tats/w3m/issues/24 near-null deref

CVE-2016-9442 - https://github.com/tats/w3m/commit/d43527cfa0dbb3ccefec4a6f7b32c1434739aa29 potential heap buffer corruption
  I classify this as "moderate" because the allocator do preserve more space
  than required size due to bucketing. And w3m's allocator is boehmgc, it
  seems not easy replaceable. So the heap won't be corrupted in practice

CVE-2016-9443 - https://github.com/tats/w3m/issues/28 null deref

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYLrfFAAoJEHb/MwWLVhi2oVkP/37BjwMtl3eBG7iJMhMJ+CM2
q6MswxfueNx+xJFoEKY6bcFY7Es4S2iVMLVnGVPwWXRhQPLOww2jGNv8kSrrQ5S/
TJ5aHU1pbnmCg3Cz/SQDRpNAAr6pQiqXqRC0zvXEBhLWqfyZH4qfWu2WPVfBvuKz
6JC53YrHUPrHzbD97+FhBGBuIXWUv2hUKQ4pLa7ikzQ/WfsOkQn70GIT6cEVSkef
wFu4H+3Umq0EufW/ScTfCkDoWeNyk5/kg44Q5jsOiKbco/bEMrlKOt4hSjt5dZNB
/RKnNkGri3vJA3d50wIjIq6vlDgbCTEOhJx1Q+9CAYwXlWytgmYTUHl4Mb0z1rqm
4ljlkTVIW3MQl0l3bIDdL8WYEJ6eUvj+nL8WeiszwpZneZr+eStD67T/tKJipJla
yeG9bnVfWtDytobHO7s8EN8KJhGPanmzj6vPoqiXt52S/Tcp3oe24EGa+CtfnDnG
i4BDm9yAnRuZ7ZkeynnnRBxA+kOU9gTlfx23PL7N8slRpZeNONrNVsgl83Trp1Q1
UdUxLv3qleJJFWA1F2MQPMaiHYICF4aWh02Tf5Dmp42tHU58Ezhv5LFD7CpEoKj2
Nws7sati4M5CmOkLjkFSFcg8fPkPiGR0kqBt8Ck+3QVDeln+zD3+LQBg/4dU6qnJ
VkeNyH+PpwPAk5+CyOr3
=QSeZ
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ