Bug#1029320: bullseye-pu: package w3m/0.5.3+git20210102-6+deb11u1

To: submit@bugs.debian.org
Subject: Bug#1029320: bullseye-pu: package w3m/0.5.3+git20210102-6+deb11u1
From: Tatsuya Kinoshita <tats@debian.org>
Date: Sat, 21 Jan 2023 19:51:21 +0900 (JST)
Message-id: <[🔎] 20230121.195121.1996365448025966329.tats%nobody@tats.iris.ne.jp>
Reply-to: Tatsuya Kinoshita <tats@debian.org>, 1029320@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

Hi release team,

I'd like to update package w3m in bullseye to fix a security issue,
managed as minor issue, no-dsa.
cf. https://security-tracker.debian.org/tracker/CVE-2022-38223

See this changelog and the attached debdiff.

w3m (0.5.3+git20210102-6+deb11u1) bullseye; urgency=medium

  * New patch 050_checktype.patch to fix out-of-bounds write in checkType
    [CVE-2022-38223] (closes: #1019599)

 -- Tatsuya Kinoshita <tats@debian.org>  Thu, 12 Jan 2023 23:28:20 +0900

Please let me know if I can upload it.

Thanks,
-- 
Tatsuya Kinoshita

diffstat for w3m-0.5.3+git20210102 w3m-0.5.3+git20210102

 changelog                   |    7 +++
 patches/050_checktype.patch |   90 ++++++++++++++++++++++++++++++++++++++++++++
 patches/series              |    1 
 3 files changed, 98 insertions(+)

diff -Nru w3m-0.5.3+git20210102/debian/changelog w3m-0.5.3+git20210102/debian/changelog
--- w3m-0.5.3+git20210102/debian/changelog	2021-03-01 06:59:20.000000000 +0900
+++ w3m-0.5.3+git20210102/debian/changelog	2023-01-12 23:28:20.000000000 +0900
@@ -1,3 +1,10 @@
+w3m (0.5.3+git20210102-6+deb11u1) bullseye; urgency=medium
+
+  * New patch 050_checktype.patch to fix out-of-bounds write in checkType
+    [CVE-2022-38223] (closes: #1019599)
+
+ -- Tatsuya Kinoshita <tats@debian.org>  Thu, 12 Jan 2023 23:28:20 +0900
+
 w3m (0.5.3+git20210102-6) unstable; urgency=medium
 
   * Update 030_str-overflow.patch to avoid zero size allocation in Str.c
diff -Nru w3m-0.5.3+git20210102/debian/patches/050_checktype.patch w3m-0.5.3+git20210102/debian/patches/050_checktype.patch
--- w3m-0.5.3+git20210102/debian/patches/050_checktype.patch	1970-01-01 09:00:00.000000000 +0900
+++ w3m-0.5.3+git20210102/debian/patches/050_checktype.patch	2023-01-12 23:25:35.000000000 +0900
@@ -0,0 +1,90 @@
+Subject: Fix m17n backspace handling causes out-of-bounds write in checkType [CVE-2022-38223]
+Author: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019599
+Bug-Debian: https://github.com/tats/w3m/issues/242
+
+--- a/etc.c
++++ b/etc.c
+@@ -253,14 +253,26 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+     char *es = NULL;
+ #endif
+     int do_copy = FALSE;
++#ifdef USE_M17N
+     int i;
+     int plen = 0, clen;
++    int *plens = NULL;
++    static int *plens_buffer = NULL;
++    static int plens_size = 0;
++#endif
+ 
+     if (prop_size < s->length) {
+ 	prop_size = (s->length > LINELEN) ? s->length : LINELEN;
+ 	prop_buffer = New_Reuse(Lineprop, prop_buffer, prop_size);
+     }
+     prop = prop_buffer;
++#ifdef USE_M17N
++    if (plens_size < s->length) {
++	plens_size = (s->length > LINELEN) ? s->length : LINELEN;
++	plens_buffer = New_Reuse(int, plens_buffer, plens_size);
++    }
++    plens = plens_buffer;
++#endif
+ 
+     if (ShowEffect) {
+ 	bs = memchr(str, '\b', s->length);
+@@ -295,14 +307,21 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ #ifdef USE_ANSI_COLOR
+ 		if (color)
+ 		    *(color++) = 0;
++#endif
++#ifdef USE_M17N
++		*(plens++) = plen = 1;
+ #endif
+ 	    }
+ 	    Strcat_charp_n(s, sp, (int)(str - sp));
+ 	}
+     }
+     if (!do_copy) {
+-	for (; str < endp && IS_ASCII(*str); str++)
++	for (; str < endp && IS_ASCII(*str); str++) {
+ 	    *(prop++) = PE_NORMAL | (IS_CNTRL(*str) ? PC_CTRL : PC_ASCII);
++#ifdef USE_M17N
++	    *(plens++) = plen = 1;
++#endif
++	}
+     }
+ 
+     while (str < endp) {
+@@ -364,6 +383,7 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ 			else {
+ 			    Strshrink(s, plen);
+ 			    prop -= plen;
++			    plen = *(--plens);
+ 			    str += 2;
+ 			}
+ 		    }
+@@ -385,6 +405,7 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ 			else {
+ 			    Strshrink(s, plen);
+ 			    prop -= plen;
++			    plen = *(--plens);
+ 			    str++;
+ 			}
+ #else
+@@ -429,7 +450,6 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ 	}
+ #endif
+ 
+-	plen = get_mclen(str);
+ 	mode = get_mctype(str) | effect;
+ #ifdef USE_ANSI_COLOR
+ 	if (color) {
+@@ -439,6 +459,8 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ #endif
+ 	*(prop++) = mode;
+ #ifdef USE_M17N
++	plen = get_mclen(str);
++	*(plens++) = plen;
+ 	if (plen > 1) {
+ 	    mode = (mode & ~PC_WCHAR1) | PC_WCHAR2;
+ 	    for (i = 1; i < plen; i++) {
diff -Nru w3m-0.5.3+git20210102/debian/patches/series w3m-0.5.3+git20210102/debian/patches/series
--- w3m-0.5.3+git20210102/debian/patches/series	2021-03-01 06:50:46.000000000 +0900
+++ w3m-0.5.3+git20210102/debian/patches/series	2023-01-12 23:25:35.000000000 +0900
@@ -1,3 +1,4 @@
 010_section.patch
 030_str-overflow.patch
 040_libwc-overflow.patch
+050_checktype.patch

Attachment: pgpTKaotU0W3J.pgp
Description: PGP signature

Reply to:

Prev by Date: Bug#1027686: Rakudo transition is stuck ?
Next by Date: Bug#1028489: transition: boost1.81
Previous by thread: Bug#1026945: bullseye-pu: package guix/1.2.0-4
Next by thread: Bug#1014460: marked as done (transition: php8.2)
Index(es):
- Date
- Thread