diff --git a/debian/changelog b/debian/changelog index 38029eb..ce54bba 100644 --- a/debian/changelog +++ b/debian/changelog @@ -22,23 +22,26 @@ w3m (0.5.3-19+deb8u1) jessie; urgency=medium * New patch 917_strgrow.patch to fix potential heap buffer corruption [CVE-2016-9442] * New patch 918_form-value.patch to fix null deref [CVE-2016-9443] - * New patch 919_form-update.patch to fix buffer overflow [CVE-2016-9429] + * New patch 919_form-update.patch to fix buffer overflow + [CVE-2016-9429] [CVE-2016-9621] * New patch 920_table.patch to fix stack overflow [CVE-2016-9439] (closes: #844726) * New patch 921_cotable.patch to fix null deref - * New patch 922_lineproc.patch to fix null deref - * New patch 923_tagproc.patch to fix negative size allocation - * New patch 924_curline.patch to fix near-null deref - * New patch 925_lineproc.patch to fix stack overflow - * New patch 926_indent-level.patch to fix stack overflow - * New patch 927_symbol.patch to fix array index - * New patch 928_form-id.patch to fix null deref - * New patch 929_anchor.patch to fix null deref - * New patch 930_tbl-mode.patch to fix null deref - * New patch 931_parse-url.patch to fix global-buffer-overflow - * New patch 932_ucsmap.patch to fix global-buffer-overflow - - -- Tatsuya Kinoshita Tue, 22 Nov 2016 00:34:52 +0900 + (additional fix for #844726) + * New patch 922_lineproc.patch to fix null deref [CVE-2016-9622] + * New patch 923_tagproc.patch to fix null deref [CVE-2016-9623] + * New patch 924_curline.patch to fix near-null deref [CVE-2016-9624] + * New patch 925_lineproc.patch to fix stack overflow [CVE-2016-9625] + * New patch 926_indent-level.patch to fix stack overflow [CVE-2016-9626] + * New patch 927_symbol.patch to fix array index [CVE-2016-9627] + * New patch 928_form-id.patch to fix null deref [CVE-2016-9628] + * New patch 929_anchor.patch to fix null deref [CVE-2016-9629] + * New patch 930_tbl-mode.patch to fix null deref [CVE-2016-9631] + * New patch 931_parse-url.patch to fix buffer overflow [CVE-2016-9630] + * New patch 932_ucsmap.patch to fix buffer overflow [CVE-2016-9632] + * New patch 933_table-level.patch to fix out of memory [CVE-2016-9633] + + -- Tatsuya Kinoshita Thu, 24 Nov 2016 19:49:18 +0900 w3m (0.5.3-19) unstable; urgency=medium diff --git a/debian/patches/919_form-update.patch b/debian/patches/919_form-update.patch index bfd1d8a..7407e44 100644 --- a/debian/patches/919_form-update.patch +++ b/debian/patches/919_form-update.patch @@ -1,6 +1,6 @@ Subject: Prevent global-buffer-overflow write in formUpdateBuffer Author: Tatsuya Kinoshita -Bug-Debian: https://github.com/tats/w3m/issues/29 [CVE-2016-9429] +Bug-Debian: https://github.com/tats/w3m/issues/29 [CVE-2016-9429] [CVE-2016-9621] Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=d01de738f599441740437c6600dd5b1ae7155d27 diff --git a/form.c b/form.c diff --git a/debian/patches/922_lineproc.patch b/debian/patches/922_lineproc.patch index 172ea1e..791c996 100644 --- a/debian/patches/922_lineproc.patch +++ b/debian/patches/922_lineproc.patch @@ -1,6 +1,6 @@ Subject: Prevent null pointer dereference in HTMLlineproc2body Author: Tatsuya Kinoshita -Bug-Debian: https://github.com/tats/w3m/issues/32 +Bug-Debian: https://github.com/tats/w3m/issues/32 [CVE-2016-9622] Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=c6c39973e7d336854e9a2d43119d1220b36e2035 Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=a59a35211c63f12951b6266646081b08488b10ea diff --git a/debian/patches/923_tagproc.patch b/debian/patches/923_tagproc.patch index 6859d79..1a240f3 100644 --- a/debian/patches/923_tagproc.patch +++ b/debian/patches/923_tagproc.patch @@ -1,6 +1,6 @@ Subject: Prevent crash after allocate string of negative size Author: Tatsuya Kinoshita -Bug-Debian: https://github.com/tats/w3m/issues/33 +Bug-Debian: https://github.com/tats/w3m/issues/33 [CVE-2016-9623] Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=af592aa5f154f1b0366513ddc2f545032a7b8721 diff --git a/file.c b/file.c diff --git a/debian/patches/924_curline.patch b/debian/patches/924_curline.patch index 361813b..d4e000f 100644 --- a/debian/patches/924_curline.patch +++ b/debian/patches/924_curline.patch @@ -1,6 +1,6 @@ Subject: Prevent dereference near-null pointer in formUpdateBuffer Author: Tatsuya Kinoshita -Bug-Debian: https://github.com/tats/w3m/issues/35 +Bug-Debian: https://github.com/tats/w3m/issues/35 [CVE-2016-9624] Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=e2c7ecec6f9b730ad3c9bf8c8df9212970f183d7 diff --git a/form.c b/form.c diff --git a/debian/patches/925_lineproc.patch b/debian/patches/925_lineproc.patch index b2626ed..c0ba963 100644 --- a/debian/patches/925_lineproc.patch +++ b/debian/patches/925_lineproc.patch @@ -1,6 +1,6 @@ Subject: Prevent infinite recursion in HTMLlineproc0 Author: Tatsuya Kinoshita -Bug-Debian: https://github.com/tats/w3m/issues/36 +Bug-Debian: https://github.com/tats/w3m/issues/36 [CVE-2016-9625] Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=ff8510ab954ac5db478964351f6a78891c34f1d8 diff --git a/file.c b/file.c diff --git a/debian/patches/926_indent-level.patch b/debian/patches/926_indent-level.patch index 6d520e9..6478340 100644 --- a/debian/patches/926_indent-level.patch +++ b/debian/patches/926_indent-level.patch @@ -1,6 +1,6 @@ Subject: Check indent_level to prevent infinite recursion Author: Tatsuya Kinoshita -Bug-Debian: https://github.com/tats/w3m/issues/37 +Bug-Debian: https://github.com/tats/w3m/issues/37 [CVE-2016-9626] Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=e458def067859615ce4bc7170733d368f49d63c2 diff --git a/table.c b/table.c diff --git a/debian/patches/927_symbol.patch b/debian/patches/927_symbol.patch index ca2c4d6..8400865 100644 --- a/debian/patches/927_symbol.patch +++ b/debian/patches/927_symbol.patch @@ -1,6 +1,6 @@ Subject: Prevent array index out of bounds for symbol Author: Tatsuya Kinoshita -Bug-Debian: https://github.com/tats/w3m/issues/38 +Bug-Debian: https://github.com/tats/w3m/issues/38 [CVE-2016-9627] Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=0c3f5d0e0d9269ad47b8f4b061d7818993913189 diff --git a/display.c b/display.c diff --git a/debian/patches/928_form-id.patch b/debian/patches/928_form-id.patch index 68a72c5..429c8d7 100644 --- a/debian/patches/928_form-id.patch +++ b/debian/patches/928_form-id.patch @@ -1,6 +1,6 @@ Subject: Prevent null pointer deref due to bad form id Author: Tatsuya Kinoshita -Bug-Debian: https://github.com/tats/w3m/issues/39 +Bug-Debian: https://github.com/tats/w3m/issues/39 [CVE-2016-9628] Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=9db438094e5f0d84842bcbd248f282594ccb3c89 diff --git a/file.c b/file.c diff --git a/debian/patches/929_anchor.patch b/debian/patches/929_anchor.patch index 87d0634..1d22028 100644 --- a/debian/patches/929_anchor.patch +++ b/debian/patches/929_anchor.patch @@ -1,6 +1,6 @@ Subject: Prevent deref null pointer in shiftAnchorPosition() Author: Tatsuya Kinoshita -Bug-Debian: https://github.com/tats/w3m/issues/40 +Bug-Debian: https://github.com/tats/w3m/issues/40 [CVE-2016-9629] Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=a088e0263c48ba406a7ae0932a1ae64a25be7acd diff --git a/anchor.c b/anchor.c diff --git a/debian/patches/930_tbl-mode.patch b/debian/patches/930_tbl-mode.patch index ad591b8..ac7fd0e 100644 --- a/debian/patches/930_tbl-mode.patch +++ b/debian/patches/930_tbl-mode.patch @@ -1,6 +1,6 @@ Subject: Prevent deref null pointer in HTMLlineproc0() Author: Tatsuya Kinoshita -Bug-Debian: https://github.com/tats/w3m/issues/42 +Bug-Debian: https://github.com/tats/w3m/issues/42 [CVE-2016-9631] Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=ecfdcbe1131591502c5e7f9ff4f34b24c5a2db97 diff --git a/file.c b/file.c diff --git a/debian/patches/931_parse-url.patch b/debian/patches/931_parse-url.patch index f7de9f5..5e93546 100644 --- a/debian/patches/931_parse-url.patch +++ b/debian/patches/931_parse-url.patch @@ -1,6 +1,6 @@ Subject: Prevent global-buffer-overflow in parseURL() Author: Tatsuya Kinoshita -Bug-Debian: https://github.com/tats/w3m/issues/41 +Bug-Debian: https://github.com/tats/w3m/issues/41 [CVE-2016-9630] Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=ba9d78faeba9024c3e8840579c3b0e959ae2cb0f diff --git a/url.c b/url.c diff --git a/debian/patches/932_ucsmap.patch b/debian/patches/932_ucsmap.patch index 9ec68b1..dd76abe 100644 --- a/debian/patches/932_ucsmap.patch +++ b/debian/patches/932_ucsmap.patch @@ -1,6 +1,6 @@ Subject: Prevent global-buffer-overflow in wc_any_to_ucs() Author: Tatsuya Kinoshita -Bug-Debian: https://github.com/tats/w3m/issues/43 +Bug-Debian: https://github.com/tats/w3m/issues/43 [CVE-2016-9632] Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=716bc126638393c733399d11d3228edb82877faa Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=88110c2658ad9badd292430c75ebb0444c3312eb diff --git a/debian/patches/933_table-level.patch b/debian/patches/933_table-level.patch new file mode 100644 index 0000000..f541eba --- /dev/null +++ b/debian/patches/933_table-level.patch @@ -0,0 +1,22 @@ +Subject: Prevent memory exhausted due to repeat appending "" +Author: Tatsuya Kinoshita +Bug-Debian: https://github.com/tats/w3m/issues/23 [CVE-2016-9633] +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=216722ed7282cec4338b177ea9ffdd39ad1b8c8c + +diff --git a/file.c b/file.c +index 660b10e..e82eaf1 100644 +--- a/file.c ++++ b/file.c +@@ -6988,9 +6988,12 @@ completeHTMLstream(struct html_feed_environ *h_env, struct readbuffer *obuf) + obuf->table_level = MAX_TABLE - 1; + + while (obuf->table_level >= 0) { ++ int tmp = obuf->table_level; + table_mode[obuf->table_level].pre_mode + &= ~(TBLM_SCRIPT | TBLM_STYLE | TBLM_PLAIN); + HTMLlineproc1("", h_env); ++ if (obuf->table_level >= tmp) ++ break; + } + } + diff --git a/debian/patches/series b/debian/patches/series index ca29872..d7c9aee 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -68,3 +68,4 @@ 930_tbl-mode.patch 931_parse-url.patch 932_ucsmap.patch +933_table-level.patch