Your message dated Sat, 29 Apr 2023 10:54:14 +0100
with message-id
<502b8fb37ece620c9723446611a9287974ba5a0c.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 11.7
has caused the Debian Bug report #1029320,
regarding bullseye-pu: package w3m/0.5.3+git20210102-6+deb11u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1029320: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029320
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu
Hi release team,
I'd like to update package w3m in bullseye to fix a security issue,
managed as minor issue, no-dsa.
cf. https://security-tracker.debian.org/tracker/CVE-2022-38223
See this changelog and the attached debdiff.
w3m (0.5.3+git20210102-6+deb11u1) bullseye; urgency=medium
* New patch 050_checktype.patch to fix out-of-bounds write in checkType
[CVE-2022-38223] (closes: #1019599)
-- Tatsuya Kinoshita <[email protected]> Thu, 12 Jan 2023 23:28:20 +0900
Please let me know if I can upload it.
Thanks,
--
Tatsuya Kinoshita
diffstat for w3m-0.5.3+git20210102 w3m-0.5.3+git20210102
changelog | 7 +++
patches/050_checktype.patch | 90 ++++++++++++++++++++++++++++++++++++++++++++
patches/series | 1
3 files changed, 98 insertions(+)
diff -Nru w3m-0.5.3+git20210102/debian/changelog
w3m-0.5.3+git20210102/debian/changelog
--- w3m-0.5.3+git20210102/debian/changelog 2021-03-01 06:59:20.000000000
+0900
+++ w3m-0.5.3+git20210102/debian/changelog 2023-01-12 23:28:20.000000000
+0900
@@ -1,3 +1,10 @@
+w3m (0.5.3+git20210102-6+deb11u1) bullseye; urgency=medium
+
+ * New patch 050_checktype.patch to fix out-of-bounds write in checkType
+ [CVE-2022-38223] (closes: #1019599)
+
+ -- Tatsuya Kinoshita <[email protected]> Thu, 12 Jan 2023 23:28:20 +0900
+
w3m (0.5.3+git20210102-6) unstable; urgency=medium
* Update 030_str-overflow.patch to avoid zero size allocation in Str.c
diff -Nru w3m-0.5.3+git20210102/debian/patches/050_checktype.patch
w3m-0.5.3+git20210102/debian/patches/050_checktype.patch
--- w3m-0.5.3+git20210102/debian/patches/050_checktype.patch 1970-01-01
09:00:00.000000000 +0900
+++ w3m-0.5.3+git20210102/debian/patches/050_checktype.patch 2023-01-12
23:25:35.000000000 +0900
@@ -0,0 +1,90 @@
+Subject: Fix m17n backspace handling causes out-of-bounds write in checkType
[CVE-2022-38223]
+Author: Tatsuya Kinoshita <[email protected]>
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019599
+Bug-Debian: https://github.com/tats/w3m/issues/242
+
+--- a/etc.c
++++ b/etc.c
+@@ -253,14 +253,26 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ char *es = NULL;
+ #endif
+ int do_copy = FALSE;
++#ifdef USE_M17N
+ int i;
+ int plen = 0, clen;
++ int *plens = NULL;
++ static int *plens_buffer = NULL;
++ static int plens_size = 0;
++#endif
+
+ if (prop_size < s->length) {
+ prop_size = (s->length > LINELEN) ? s->length : LINELEN;
+ prop_buffer = New_Reuse(Lineprop, prop_buffer, prop_size);
+ }
+ prop = prop_buffer;
++#ifdef USE_M17N
++ if (plens_size < s->length) {
++ plens_size = (s->length > LINELEN) ? s->length : LINELEN;
++ plens_buffer = New_Reuse(int, plens_buffer, plens_size);
++ }
++ plens = plens_buffer;
++#endif
+
+ if (ShowEffect) {
+ bs = memchr(str, '\b', s->length);
+@@ -295,14 +307,21 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ #ifdef USE_ANSI_COLOR
+ if (color)
+ *(color++) = 0;
++#endif
++#ifdef USE_M17N
++ *(plens++) = plen = 1;
+ #endif
+ }
+ Strcat_charp_n(s, sp, (int)(str - sp));
+ }
+ }
+ if (!do_copy) {
+- for (; str < endp && IS_ASCII(*str); str++)
++ for (; str < endp && IS_ASCII(*str); str++) {
+ *(prop++) = PE_NORMAL | (IS_CNTRL(*str) ? PC_CTRL : PC_ASCII);
++#ifdef USE_M17N
++ *(plens++) = plen = 1;
++#endif
++ }
+ }
+
+ while (str < endp) {
+@@ -364,6 +383,7 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ else {
+ Strshrink(s, plen);
+ prop -= plen;
++ plen = *(--plens);
+ str += 2;
+ }
+ }
+@@ -385,6 +405,7 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ else {
+ Strshrink(s, plen);
+ prop -= plen;
++ plen = *(--plens);
+ str++;
+ }
+ #else
+@@ -429,7 +450,6 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ }
+ #endif
+
+- plen = get_mclen(str);
+ mode = get_mctype(str) | effect;
+ #ifdef USE_ANSI_COLOR
+ if (color) {
+@@ -439,6 +459,8 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ #endif
+ *(prop++) = mode;
+ #ifdef USE_M17N
++ plen = get_mclen(str);
++ *(plens++) = plen;
+ if (plen > 1) {
+ mode = (mode & ~PC_WCHAR1) | PC_WCHAR2;
+ for (i = 1; i < plen; i++) {
diff -Nru w3m-0.5.3+git20210102/debian/patches/series
w3m-0.5.3+git20210102/debian/patches/series
--- w3m-0.5.3+git20210102/debian/patches/series 2021-03-01 06:50:46.000000000
+0900
+++ w3m-0.5.3+git20210102/debian/patches/series 2023-01-12 23:25:35.000000000
+0900
@@ -1,3 +1,4 @@
010_section.patch
030_str-overflow.patch
040_libwc-overflow.patch
+050_checktype.patch
pgpaedNeMMsJv.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.7
Hi,
Each of the updates referred to in these requests was included in this
morning's 11.7 point release.
Regards,
Adam
--- End Message ---
