Bug#1029320: bullseye-pu: package w3m/0.5.3+git20210102-6+deb11u1

Tatsuya Kinoshita Sat, 21 Jan 2023 02:57:31 -0800

Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu


Hi release team,

I'd like to update package w3m in bullseye to fix a security issue,
managed as minor issue, no-dsa.
cf. https://security-tracker.debian.org/tracker/CVE-2022-38223

See this changelog and the attached debdiff.

w3m (0.5.3+git20210102-6+deb11u1) bullseye; urgency=medium

  * New patch 050_checktype.patch to fix out-of-bounds write in checkType
    [CVE-2022-38223] (closes: #1019599)

 -- Tatsuya Kinoshita <[email protected]>  Thu, 12 Jan 2023 23:28:20 +0900

Please let me know if I can upload it.

Thanks,
-- 
Tatsuya Kinoshita

diffstat for w3m-0.5.3+git20210102 w3m-0.5.3+git20210102

 changelog                   |    7 +++
 patches/050_checktype.patch |   90 ++++++++++++++++++++++++++++++++++++++++++++
 patches/series              |    1 
 3 files changed, 98 insertions(+)

diff -Nru w3m-0.5.3+git20210102/debian/changelog 
w3m-0.5.3+git20210102/debian/changelog
--- w3m-0.5.3+git20210102/debian/changelog      2021-03-01 06:59:20.000000000 
+0900
+++ w3m-0.5.3+git20210102/debian/changelog      2023-01-12 23:28:20.000000000 
+0900
@@ -1,3 +1,10 @@
+w3m (0.5.3+git20210102-6+deb11u1) bullseye; urgency=medium
+
+  * New patch 050_checktype.patch to fix out-of-bounds write in checkType
+    [CVE-2022-38223] (closes: #1019599)
+
+ -- Tatsuya Kinoshita <[email protected]>  Thu, 12 Jan 2023 23:28:20 +0900
+
 w3m (0.5.3+git20210102-6) unstable; urgency=medium
 
   * Update 030_str-overflow.patch to avoid zero size allocation in Str.c
diff -Nru w3m-0.5.3+git20210102/debian/patches/050_checktype.patch 
w3m-0.5.3+git20210102/debian/patches/050_checktype.patch
--- w3m-0.5.3+git20210102/debian/patches/050_checktype.patch    1970-01-01 
09:00:00.000000000 +0900
+++ w3m-0.5.3+git20210102/debian/patches/050_checktype.patch    2023-01-12 
23:25:35.000000000 +0900
@@ -0,0 +1,90 @@
+Subject: Fix m17n backspace handling causes out-of-bounds write in checkType 
[CVE-2022-38223]
+Author: Tatsuya Kinoshita <[email protected]>
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019599
+Bug-Debian: https://github.com/tats/w3m/issues/242
+
+--- a/etc.c
++++ b/etc.c
+@@ -253,14 +253,26 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+     char *es = NULL;
+ #endif
+     int do_copy = FALSE;
++#ifdef USE_M17N
+     int i;
+     int plen = 0, clen;
++    int *plens = NULL;
++    static int *plens_buffer = NULL;
++    static int plens_size = 0;
++#endif
+ 
+     if (prop_size < s->length) {
+       prop_size = (s->length > LINELEN) ? s->length : LINELEN;
+       prop_buffer = New_Reuse(Lineprop, prop_buffer, prop_size);
+     }
+     prop = prop_buffer;
++#ifdef USE_M17N
++    if (plens_size < s->length) {
++      plens_size = (s->length > LINELEN) ? s->length : LINELEN;
++      plens_buffer = New_Reuse(int, plens_buffer, plens_size);
++    }
++    plens = plens_buffer;
++#endif
+ 
+     if (ShowEffect) {
+       bs = memchr(str, '\b', s->length);
+@@ -295,14 +307,21 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ #ifdef USE_ANSI_COLOR
+               if (color)
+                   *(color++) = 0;
++#endif
++#ifdef USE_M17N
++              *(plens++) = plen = 1;
+ #endif
+           }
+           Strcat_charp_n(s, sp, (int)(str - sp));
+       }
+     }
+     if (!do_copy) {
+-      for (; str < endp && IS_ASCII(*str); str++)
++      for (; str < endp && IS_ASCII(*str); str++) {
+           *(prop++) = PE_NORMAL | (IS_CNTRL(*str) ? PC_CTRL : PC_ASCII);
++#ifdef USE_M17N
++          *(plens++) = plen = 1;
++#endif
++      }
+     }
+ 
+     while (str < endp) {
+@@ -364,6 +383,7 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+                       else {
+                           Strshrink(s, plen);
+                           prop -= plen;
++                          plen = *(--plens);
+                           str += 2;
+                       }
+                   }
+@@ -385,6 +405,7 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+                       else {
+                           Strshrink(s, plen);
+                           prop -= plen;
++                          plen = *(--plens);
+                           str++;
+                       }
+ #else
+@@ -429,7 +450,6 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+       }
+ #endif
+ 
+-      plen = get_mclen(str);
+       mode = get_mctype(str) | effect;
+ #ifdef USE_ANSI_COLOR
+       if (color) {
+@@ -439,6 +459,8 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ #endif
+       *(prop++) = mode;
+ #ifdef USE_M17N
++      plen = get_mclen(str);
++      *(plens++) = plen;
+       if (plen > 1) {
+           mode = (mode & ~PC_WCHAR1) | PC_WCHAR2;
+           for (i = 1; i < plen; i++) {
diff -Nru w3m-0.5.3+git20210102/debian/patches/series 
w3m-0.5.3+git20210102/debian/patches/series
--- w3m-0.5.3+git20210102/debian/patches/series 2021-03-01 06:50:46.000000000 
+0900
+++ w3m-0.5.3+git20210102/debian/patches/series 2023-01-12 23:25:35.000000000 
+0900
@@ -1,3 +1,4 @@
 010_section.patch
 030_str-overflow.patch
 040_libwc-overflow.patch
+050_checktype.patch

pgpf9r2VaBTxd.pgp
Description: PGP signature

Bug#1029320: bullseye-pu: package w3m/0.5.3+git20210102-6+deb11u1

Reply via email to