aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTatsuya Kinoshita <tats@debian.org>2016-11-21 14:09:44 +0000
committerTatsuya Kinoshita <tats@debian.org>2016-11-21 14:09:44 +0000
commit2115f92bbf11efd472a3ebc4bb9d0560fde99dc1 (patch)
tree13a10fb7195f794bc492cf1e2b017b785552b6d3
parentNew patch 908_forms.patch to fix null deref [CVE-2016-9434] (diff)
downloadw3m-2115f92bbf11efd472a3ebc4bb9d0560fde99dc1.tar.gz
w3m-2115f92bbf11efd472a3ebc4bb9d0560fde99dc1.zip
New patch 909_button-type.patch to fix rodata write [CVE-2016-9437]
-rw-r--r--debian/patches/909_button-type.patch27
-rw-r--r--debian/patches/series1
2 files changed, 28 insertions, 0 deletions
diff --git a/debian/patches/909_button-type.patch b/debian/patches/909_button-type.patch
new file mode 100644
index 0000000..067db83
--- /dev/null
+++ b/debian/patches/909_button-type.patch
@@ -0,0 +1,27 @@
+Subject: Prevent segfault with incorrect button type
+Author: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/17 [CVE-2016-9437]
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=67be73b03a5ad581e331ec97cb275cd8a52719ed
+
+diff --git a/file.c b/file.c
+index b30aa6b..3b7befe 100644
+--- a/file.c
++++ b/file.c
+@@ -3756,6 +3756,17 @@ process_button(struct parsed_tag *tag)
+ if (v == FORM_UNKNOWN)
+ return NULL;
+
++ switch (v) {
++ case FORM_INPUT_SUBMIT:
++ case FORM_INPUT_BUTTON:
++ case FORM_INPUT_RESET:
++ break;
++ default:
++ p = "submit";
++ v = FORM_INPUT_SUBMIT;
++ break;
++ }
++
+ if (!q) {
+ switch (v) {
+ case FORM_INPUT_SUBMIT:
diff --git a/debian/patches/series b/debian/patches/series
index 1d9a49d..74e09ac 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -44,3 +44,4 @@
906_form-update.patch
907_iso2022.patch
908_forms.patch
+909_button-type.patch