Package: release.debian.org Severity: normal Tags: bullseye User: release.debian.org@packages.debian.org Usertags: pu Hi release team, I'd like to update package w3m in bullseye to fix a security issue, managed as minor issue, no-dsa. cf. https://security-tracker.debian.org/tracker/CVE-2022-38223 See this changelog and the attached debdiff. w3m (0.5.3+git20210102-6+deb11u1) bullseye; urgency=medium * New patch 050_checktype.patch to fix out-of-bounds write in checkType [CVE-2022-38223] (closes: #1019599) -- Tatsuya Kinoshita <tats@debian.org> Thu, 12 Jan 2023 23:28:20 +0900 Please let me know if I can upload it. Thanks, -- Tatsuya Kinoshita
diffstat for w3m-0.5.3+git20210102 w3m-0.5.3+git20210102 changelog | 7 +++ patches/050_checktype.patch | 90 ++++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 98 insertions(+)
diff -Nru w3m-0.5.3+git20210102/debian/changelog w3m-0.5.3+git20210102/debian/changelog
--- w3m-0.5.3+git20210102/debian/changelog 2021-03-01 06:59:20.000000000 +0900
+++ w3m-0.5.3+git20210102/debian/changelog 2023-01-12 23:28:20.000000000 +0900
@@ -1,3 +1,10 @@
+w3m (0.5.3+git20210102-6+deb11u1) bullseye; urgency=medium
+
+ * New patch 050_checktype.patch to fix out-of-bounds write in checkType
+ [CVE-2022-38223] (closes: #1019599)
+
+ -- Tatsuya Kinoshita <tats@debian.org> Thu, 12 Jan 2023 23:28:20 +0900
+
 w3m (0.5.3+git20210102-6) unstable; urgency=medium
 
 * Update 030_str-overflow.patch to avoid zero size allocation in Str.c
diff -Nru w3m-0.5.3+git20210102/debian/patches/050_checktype.patch w3m-0.5.3+git20210102/debian/patches/050_checktype.patch
--- w3m-0.5.3+git20210102/debian/patches/050_checktype.patch 1970-01-01 09:00:00.000000000 +0900
+++ w3m-0.5.3+git20210102/debian/patches/050_checktype.patch 2023-01-12 23:25:35.000000000 +0900
@@ -0,0 +1,90 @@
+Subject: Fix m17n backspace handling causes out-of-bounds write in checkType [CVE-2022-38223]
+Author: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019599
+Bug-Debian: https://github.com/tats/w3m/issues/242
+
+--- a/etc.c
++++ b/etc.c
+@@ -253,14 +253,26 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ char *es = NULL;
+ #endif
+ int do_copy = FALSE;
++#ifdef USE_M17N
+ int i;
+ int plen = 0, clen;
++ int *plens = NULL;
++ static int *plens_buffer = NULL;
++ static int plens_size = 0;
++#endif
+
+ if (prop_size < s->length) {
+ prop_size = (s->length > LINELEN) ? s->length : LINELEN;
+ prop_buffer = New_Reuse(Lineprop, prop_buffer, prop_size);
+ }
+ prop = prop_buffer;
++#ifdef USE_M17N
++ if (plens_size < s->length) {
++ plens_size = (s->length > LINELEN) ? s->length : LINELEN;
++ plens_buffer = New_Reuse(int, plens_buffer, plens_size);
++ }
++ plens = plens_buffer;
++#endif
+
+ if (ShowEffect) {
+ bs = memchr(str, '\b', s->length);
+@@ -295,14 +307,21 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ #ifdef USE_ANSI_COLOR
+ if (color)
+ *(color++) = 0;
++#endif
++#ifdef USE_M17N
++ *(plens++) = plen = 1;
+ #endif
+ }
+ Strcat_charp_n(s, sp, (int)(str - sp));
+ }
+ }
+ if (!do_copy) {
+- for (; str < endp && IS_ASCII(*str); str++)
++ for (; str < endp && IS_ASCII(*str); str++) {
+ *(prop++) = PE_NORMAL | (IS_CNTRL(*str) ? 
PC_CTRL : PC_ASCII);
++#ifdef USE_M17N
++ *(plens++) = plen = 1;
++#endif
++ }
+ }
+
+ while (str < endp) {
+@@ -364,6 +383,7 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ else {
+ Strshrink(s, plen);
+ prop -= plen;
++ plen = *(--plens);
+ str += 2;
+ }
+ }
+@@ -385,6 +405,7 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ else {
+ Strshrink(s, plen);
+ prop -= plen;
++ plen = *(--plens);
+ str++;
+ }
+ #else
+@@ -429,7 +450,6 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ }
+ #endif
+
+- plen = get_mclen(str);
+ mode = get_mctype(str) | effect;
+ #ifdef USE_ANSI_COLOR
+ if (color) {
+@@ -439,6 +459,8 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ #endif
+ *(prop++) = mode;
+ #ifdef USE_M17N
++ plen = get_mclen(str);
++ *(plens++) = plen;
+ if (plen > 1) {
+ mode = (mode & ~PC_WCHAR1) | PC_WCHAR2;
+ for (i = 1; i < plen; i++) {
diff -Nru w3m-0.5.3+git20210102/debian/patches/series w3m-0.5.3+git20210102/debian/patches/series
--- w3m-0.5.3+git20210102/debian/patches/series 2021-03-01 06:50:46.000000000 +0900
+++ w3m-0.5.3+git20210102/debian/patches/series 2023-01-12 23:25:35.000000000 +0900
@@ -1,3 +1,4 @@
 010_section.patch
 030_str-overflow.patch
 040_libwc-overflow.patch
+050_checktype.patch
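Review bot: The two added pops `plen = *(--plens);` in 050_checktype.patch (the etc.c hunks at -364 and -385) step `plens` backwards with no check against `plens_buffer`; the only guard would be whatever condition encloses these `else` branches, and that starts outside the hunks. Because every push is `*(plens++) = plen`, the pop also reads back the width of the character just removed rather than the one that is now last, so a following backspace appears to reuse a stale width in `Strshrink(s, plen); prop -= plen;` and `prop` could still move below `prop_buffer` when character widths differ. I would bound the pop and reload the width of the new top, e.g. `if (plens > plens_buffer) plens--;` followed by `plen = (plens > plens_buffer) ? plens[-1] : 0;`, and add a comment at the `plens_buffer` declaration saying it holds one byte-width per stored character, in parallel with `prop_buffer`. A regression test with backspaces after mixed single- and multi-byte characters, run under ASan, would confirm this before upload.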