From 1db054fee2d6dc00904228898af5ad363d7305cb Mon Sep 17 00:00:00 2001 From: Thorsten Alteholz Date: Fri, 1 May 2020 20:30:11 +0900 Subject: Update to 0.5.3-19+deb8u3 for jessie-security --- debian/changelog | 10 ++++++++++ debian/patches/955_CVE-2018-6196_tbl-indent.patch | 24 +++++++++++++++++++++++ debian/patches/956_CVE-2018-6197_columnpos.patch | 18 +++++++++++++++++ debian/patches/series | 3 +++ 4 files changed, 55 insertions(+) create mode 100644 debian/patches/955_CVE-2018-6196_tbl-indent.patch create mode 100644 debian/patches/956_CVE-2018-6197_columnpos.patch diff --git a/debian/changelog b/debian/changelog index 9fe6cca..45dba1e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +w3m (0.5.3-19+deb8u3) jessie-security; urgency=high + + * Non-maintainer upload by the LTS Team. + * CVE-2018-6196 + fix for stack overflow + * CVE-2018-6197 + fix for null pointer dereference + + -- Thorsten Alteholz Wed, 29 Apr 2020 19:03:02 +0200 + w3m (0.5.3-19+deb8u2) jessie; urgency=medium * Fix multiple vulnerabilities (closes: #850432) diff --git a/debian/patches/955_CVE-2018-6196_tbl-indent.patch b/debian/patches/955_CVE-2018-6196_tbl-indent.patch new file mode 100644 index 0000000..279d2dd --- /dev/null +++ b/debian/patches/955_CVE-2018-6196_tbl-indent.patch @@ -0,0 +1,24 @@ +Subject: Prevent negative indent value in feed_table_block_tag() +From: Tatsuya Kinoshita +Bug-Debian: https://github.com/tats/w3m/issues/88 [CVE-2018-6196] +Origin: https://salsa.debian.org/debian/w3m/commit/8354763b90490d4105695df52674d0fcef823e92 + +Index: w3m-0.5.3/table.c +=================================================================== +--- w3m-0.5.3.orig/table.c 2020-04-29 13:52:52.596689311 +0200 ++++ w3m-0.5.3/table.c 2020-04-29 13:52:52.592689010 +0200 +@@ -2357,10 +2357,14 @@ + if (mode->indent_level < MAX_INDENT_LEVEL) + tbl->indent -= INDENT_INCR; + } ++ if (tbl->indent < 0) ++ tbl->indent = 0; + offset = tbl->indent; + if (cmd == HTML_DT) { + if (mode->indent_level > 0 && mode->indent_level <= MAX_INDENT_LEVEL) + offset -= INDENT_INCR; ++ if (offset < 0) ++ offset = 0; + } + if (tbl->indent > 0) { + check_minimum0(tbl, 0); diff --git a/debian/patches/956_CVE-2018-6197_columnpos.patch b/debian/patches/956_CVE-2018-6197_columnpos.patch new file mode 100644 index 0000000..10e94e3 --- /dev/null +++ b/debian/patches/956_CVE-2018-6197_columnpos.patch @@ -0,0 +1,18 @@ +Subject: Prevent invalid columnPos() call in formUpdateBuffer() +From: Tatsuya Kinoshita +Bug-Debian: https://github.com/tats/w3m/issues/89 [CVE-2018-6197] +Origin: https://salsa.debian.org/debian/w3m/commit/7fdc83b0364005a0b5ed869230dd81752ba022e8 + +Index: w3m-0.5.3/form.c +=================================================================== +--- w3m-0.5.3.orig/form.c 2020-04-29 13:52:58.629142811 +0200 ++++ w3m-0.5.3/form.c 2020-04-29 13:52:58.621142209 +0200 +@@ -483,6 +483,8 @@ + rows = form->rows ? form->rows : 1; + col = COLPOS(l, a->start.pos); + for (c_rows = 0; c_rows < rows; c_rows++, l = l->next) { ++ if (l == NULL) ++ break; + if (rows > 1) { + pos = columnPos(l, col); + a = retrieveAnchor(buf->formitem, l->linenumber, pos); diff --git a/debian/patches/series b/debian/patches/series index 2deaeaf..bada3b7 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -90,3 +90,6 @@ 952_formupdatebuffer.patch 953_formupdateline.patch 954_wtfparse1.patch + +955_CVE-2018-6196_tbl-indent.patch +956_CVE-2018-6197_columnpos.patch -- cgit v1.2.3