Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 15 Dec 2016 02:28:07 +0800
From: Kuang-che Wu <kcwu@...e.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: Re: CVE request: w3m - multiple vulnerabilities

FYI, my previous report was for debian's w3m fork. Now I also tested
original w3m 0.5.3.
(https://sourceforge.net/projects/w3m/files/w3m/w3m-0.5.3/)

The original w3m 0.5.3 is also affected by at least following CVEs
CVE-2016-9422
CVE-2016-9424
CVE-2016-9425
CVE-2016-9426
CVE-2016-9432
CVE-2016-9439
CVE-2016-9440
CVE-2016-9441
CVE-2016-9622
CVE-2016-9623
CVE-2016-9624
CVE-2016-9625
CVE-2016-9626
CVE-2016-9627

But the case of CVE-2016-9422, which made debian's w3m stack smashing,
can only make original w3m 0.5.3 heap-buffer-overflow write. I haven't
found cases to smash stack yet.

For other CVEs, I don't know. Maybe original w3m is not affected. Maybe
those issues are covered by above issues.

kcwu

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.