Your message dated Sun, 25 Feb 2018 15:02:20 +0000
with message-id <[email protected]>
and subject line Bug#888097: fixed in w3m 0.5.3-34+deb9u1
has caused the Debian Bug report #888097,
regarding w3m: CVE-2018-6198: insecure temporary files creation when ~/.w3m is unwritable
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
888097: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888097
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: w3m
Version: 0.5.3-34
Severity: important
Tags: patch security upstream pending

Only when ~/.w3m is unwritable, w3m uses /tmp in an insecure fashion,
which allows a local attacker to craft a symlink attack to overwrite
arbitrary files.

Patch is available:

  - https://salsa.debian.org/debian/w3m/commit/18dcbadf2771cdb0c18509b14e4e73505b242753

Will be fixed in the next upload.

Thanks,
--
Tatsuya Kinoshita



--- End Message ---
--- Begin Message ---
Source: w3m
Source-Version: 0.5.3-34+deb9u1

We believe that the bug you reported is fixed in the latest version of
w3m, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tatsuya Kinoshita <[email protected]> (supplier of updated w3m package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 26 Jan 2018 18:50:05 +0900
Source: w3m
Binary: w3m w3m-img
Architecture: source amd64
Version: 0.5.3-34+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Tatsuya Kinoshita <[email protected]>
Changed-By: Tatsuya Kinoshita <[email protected]>
Description:
 w3m        - WWW browsable pager with excellent tables/frames support
 w3m-img    - inline image extension support utilities for w3m
Closes: 888097
Changes:
 w3m (0.5.3-34+deb9u1) stretch; urgency=medium
 .
   * New patch 955_tbl-indent.patch to fix stack overflow [CVE-2018-6196]
   * New patch 956_columnpos.patch to fix null deref [CVE-2018-6197]
   * New patch 957_mkdtemp.patch to fix /tmp file races [CVE-2018-6198]
     (closes: #888097)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
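
Added example, not taken from w3m or from 957_mkdtemp.patch: a C illustration of the hardening pattern behind the /tmp symlink issue in the report and the mkdtemp changelog entry above. It creates a private directory with mkdtemp() and opens files inside it with O_CREAT|O_EXCL. The "w3m-" prefix, the function names and the self-check are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a private (0700) directory with an unpredictable name under
 * $TMPDIR or /tmp. The "w3m-" prefix is an assumption for illustration. */
int make_private_tmpdir(char *out, size_t outlen)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0')
        base = "/tmp";
    int n = snprintf(out, outlen, "%s/w3m-XXXXXX", base);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return mkdtemp(out) != NULL ? 0 : -1;
}

/* Create a new file in dir. With O_CREAT|O_EXCL, open() fails if anything
 * already exists at the path, including a symlink planted by another user. */
int create_tmpfile(const char *dir, const char *name)
{
    char path[2048];
    int n = snprintf(path, sizeof path, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed self-check: 0 means the directory is private, a pre-existing
 * symlink was refused, and the symlink's target was never created. */
int selfcheck(void)
{
    char dir[1024], lnk[1100], tgt[1100];
    struct stat st;
    int rc = 0, fd;
    if (make_private_tmpdir(dir, sizeof dir) != 0)
        return 1;
    snprintf(lnk, sizeof lnk, "%s/planted", dir);
    snprintf(tgt, sizeof tgt, "%s/victim", dir);
    if (stat(dir, &st) != 0 || (st.st_mode & 0777) != 0700) rc = 2;
    if (symlink(tgt, lnk) != 0) rc = 3;
    if ((fd = create_tmpfile(dir, "planted")) >= 0) { close(fd); rc = 4; }
    if (stat(tgt, &st) == 0) rc = 5;
    unlink(lnk); unlink(tgt); rmdir(dir);
    return rc;
}

int main(void) { return selfcheck(); }
```

A predictable name opened in a shared directory without O_EXCL has neither property: the open follows whatever already sits at that path.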
