aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorThorsten Alteholz <debian@alteholz.de>2020-05-01 11:30:11 +0000
committerTatsuya Kinoshita <tats@debian.org>2020-05-01 11:30:11 +0000
commit1db054fee2d6dc00904228898af5ad363d7305cb (patch)
tree675488be3c488e2370595b2120cb721e484d16b2
parentDebian release 0.5.3-19+deb8u2 (diff)
downloadw3m-debian/0.5.3-19+deb8u3.tar.gz
w3m-debian/0.5.3-19+deb8u3.zip
Update to 0.5.3-19+deb8u3 for jessie-securitydebian/0.5.3-19+deb8u3debian-jessie
Diffstat (limited to '')
-rw-r--r--debian/changelog10
-rw-r--r--debian/patches/955_CVE-2018-6196_tbl-indent.patch24
-rw-r--r--debian/patches/956_CVE-2018-6197_columnpos.patch18
-rw-r--r--debian/patches/series3
4 files changed, 55 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 9fe6cca..45dba1e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+w3m (0.5.3-19+deb8u3) jessie-security; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2018-6196
+ fix for stack overflow
+ * CVE-2018-6197
+ fix for null pointer dereference
+
+ -- Thorsten Alteholz <debian@alteholz.de> Wed, 29 Apr 2020 19:03:02 +0200
+
w3m (0.5.3-19+deb8u2) jessie; urgency=medium
* Fix multiple vulnerabilities (closes: #850432)
diff --git a/debian/patches/955_CVE-2018-6196_tbl-indent.patch b/debian/patches/955_CVE-2018-6196_tbl-indent.patch
new file mode 100644
index 0000000..279d2dd
--- /dev/null
+++ b/debian/patches/955_CVE-2018-6196_tbl-indent.patch
@@ -0,0 +1,24 @@
+Subject: Prevent negative indent value in feed_table_block_tag()
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/88 [CVE-2018-6196]
+Origin: https://salsa.debian.org/debian/w3m/commit/8354763b90490d4105695df52674d0fcef823e92
+
+Index: w3m-0.5.3/table.c
+===================================================================
+--- w3m-0.5.3.orig/table.c 2020-04-29 13:52:52.596689311 +0200
++++ w3m-0.5.3/table.c 2020-04-29 13:52:52.592689010 +0200
+@@ -2357,10 +2357,14 @@
+ if (mode->indent_level < MAX_INDENT_LEVEL)
+ tbl->indent -= INDENT_INCR;
+ }
++ if (tbl->indent < 0)
++ tbl->indent = 0;
+ offset = tbl->indent;
+ if (cmd == HTML_DT) {
+ if (mode->indent_level > 0 && mode->indent_level <= MAX_INDENT_LEVEL)
+ offset -= INDENT_INCR;
++ if (offset < 0)
++ offset = 0;
+ }
+ if (tbl->indent > 0) {
+ check_minimum0(tbl, 0);
diff --git a/debian/patches/956_CVE-2018-6197_columnpos.patch b/debian/patches/956_CVE-2018-6197_columnpos.patch
new file mode 100644
index 0000000..10e94e3
--- /dev/null
+++ b/debian/patches/956_CVE-2018-6197_columnpos.patch
@@ -0,0 +1,18 @@
+Subject: Prevent invalid columnPos() call in formUpdateBuffer()
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/89 [CVE-2018-6197]
+Origin: https://salsa.debian.org/debian/w3m/commit/7fdc83b0364005a0b5ed869230dd81752ba022e8
+
+Index: w3m-0.5.3/form.c
+===================================================================
+--- w3m-0.5.3.orig/form.c 2020-04-29 13:52:58.629142811 +0200
++++ w3m-0.5.3/form.c 2020-04-29 13:52:58.621142209 +0200
+@@ -483,6 +483,8 @@
+ rows = form->rows ? form->rows : 1;
+ col = COLPOS(l, a->start.pos);
+ for (c_rows = 0; c_rows < rows; c_rows++, l = l->next) {
++ if (l == NULL)
++ break;
+ if (rows > 1) {
+ pos = columnPos(l, col);
+ a = retrieveAnchor(buf->formitem, l->linenumber, pos);
diff --git a/debian/patches/series b/debian/patches/series
index 2deaeaf..bada3b7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -90,3 +90,6 @@
952_formupdatebuffer.patch
953_formupdateline.patch
954_wtfparse1.patch
+
+955_CVE-2018-6196_tbl-indent.patch
+956_CVE-2018-6197_columnpos.patch