Date: Thu, 15 Dec 2016 02:28:07 +0800
From: Kuang-che Wu <kcwu@...e.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: Re: CVE request: w3m - multiple vulnerabilities

FYI, my previous report was for Debian's w3m fork.
Now I also tested original w3m 0.5.3.
(https://sourceforge.net/projects/w3m/files/w3m/w3m-0.5.3/)

The original w3m 0.5.3 is also affected by at least the following CVEs:
CVE-2016-9422
CVE-2016-9424
CVE-2016-9425
CVE-2016-9426
CVE-2016-9432
CVE-2016-9439
CVE-2016-9440
CVE-2016-9441
CVE-2016-9622
CVE-2016-9623
CVE-2016-9624
CVE-2016-9625
CVE-2016-9626
CVE-2016-9627

But the case of CVE-2016-9422, which made Debian's w3m stack smashing, can
only make original w3m 0.5.3 heap-buffer-overflow write. I haven't found cases
to smash the stack yet.

For other CVEs, I don't know. Maybe original w3m is not affected. Maybe those
issues are covered by the above issues.

kcwu

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)