Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package w3m for openSUSE:Factory checked in at 2023-01-14 20:30:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/w3m (Old) and /work/SRC/openSUSE:Factory/.w3m.new.32243 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "w3m" Sat Jan 14 20:30:53 2023 rev:46 rq:1058135 version:0.5.3+git20180125 Changes: -------- --- /work/SRC/openSUSE:Factory/w3m/w3m.changes 2018-01-30 15:37:21.222353227 +0100 +++ /work/SRC/openSUSE:Factory/.w3m.new.32243/w3m.changes 2023-01-14 20:31:08.941011332 +0100 @@ -1,0 +2,9 @@ +Tue Jan 10 08:22:40 UTC 2023 - Thomas Blume <thomas.bl...@suse.com> + +- CVE-2022-38223 Out-of-bounds write in checkType located in etc.c + (bsc#1202684) + - add: + 0002-Fix-m17n-backspace-handling-causes-out-of-bounds-wri.patch + 0001-Fix-warning-for-unused-variable-without-USE_M17N.patch + +------------------------------------------------------------------- New: ---- 0001-Fix-warning-for-unused-variable-without-USE_M17N.patch 0002-Fix-m17n-backspace-handling-causes-out-of-bounds-wri.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ w3m.spec ++++++ --- /var/tmp/diff_new_pack.jyM52Q/_old 2023-01-14 20:31:11.413025931 +0100 +++ /var/tmp/diff_new_pack.jyM52Q/_new 2023-01-14 20:31:11.421025978 +0100 @@ -1,7 +1,7 @@ # # spec file for package w3m # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,12 +12,12 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # Name: w3m -Url: http://w3m.sourceforge.net/ +URL: http://w3m.sourceforge.net/ Version: 0.5.3+git20180125 Release: 0 Summary: A text-based WWW browser @@ -29,6 +29,8 @@ Patch1: 0001-implements-simple-session-management.patch Patch2: 0001-handle-EXDEV-during-history-file-rename.patch Patch3: 0001-w3mman-don-t-show-invalid-characters-bsc-950800.patch +Patch4: 0001-Fix-warning-for-unused-variable-without-USE_M17N.patch +Patch5: 0002-Fix-m17n-backspace-handling-causes-out-of-bounds-wri.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: gc-devel @@ -70,7 +72,6 @@ If w3m-inline-image is installed it can display graphics inside terminals, even on the console on some platforms. - %description inline-image Inline image extension for w3m, the text-based WWW browser. @@ -80,10 +81,7 @@ %prep %setup -q -n w3m-%{version} find -name CVS -exec rm -Rf "{}" "+" -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 +%autopatch -p1 %build export CFLAGS="$RPM_OPT_FLAGS -DUSE_BUFINFO -DOPENSSL_NO_SSL_INTERN -D_GNU_SOURCE $(getconf LFS_CFLAGS) -fno-strict-aliasing `ncursesw6-config --cflags` -fPIE" ++++++ 0001-Fix-warning-for-unused-variable-without-USE_M17N.patch ++++++ >From 0c8c1db8d29b5bb8bbd6214d640230dd6b1545dd Mon Sep 17 00:00:00 2001 From: Rene Kita <m...@rkta.de> Date: Mon, 13 Sep 2021 19:47:02 +0200 Subject: [PATCH 1/2] Fix warning for unused variable without USE_M17N (cherry picked from commit 4901408ea5ea167696175a5da3c92e709702ca4f) --- display.c | 6 ++---- etc.c | 4 +++- file.c | 3 +-- linein.c | 2 -- table.c | 2 +- 5 files changed, 7 insertions(+), 10 deletions(-) diff --git a/display.c b/display.c index f1d6f99..e04b79b 100644 --- a/display.c +++ b/display.c @@ -1364,15 +1364,14 @@ cursorRight(Buffer *buf, int n) { int i, delta = 1, cpos, vpos2; Line *l = buf->currentLine; - Lineprop *p; if (buf->firstLine == NULL) return; if (buf->pos == l->len && !(l->next && l->next->bpos)) return; i = buf->pos; - p = l->propBuf; #ifdef USE_M17N + Lineprop *p = l->propBuf; while (i + delta < l->len && p[i + delta] & PC_WCHAR2) delta++; #endif @@ -1415,13 +1414,12 @@ cursorLeft(Buffer *buf, int n) { int i, delta = 1, cpos; Line *l = buf->currentLine; - Lineprop *p; if (buf->firstLine == NULL) return; i = buf->pos; - p = l->propBuf; #ifdef USE_M17N + Lineprop *p = l->propBuf; while (i - delta > 0 && p[i - delta] & PC_WCHAR2) delta++; #endif diff --git a/etc.c b/etc.c index dcc6edd..dea56b5 100644 --- a/etc.c +++ b/etc.c @@ -253,8 +253,10 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor) char *es = NULL; #endif int do_copy = FALSE; +#ifdef USE_M17N int i; int plen = 0, clen; +#endif if (prop_size < s->length) { prop_size = (s->length > LINELEN) ? s->length : LINELEN; @@ -429,7 +431,6 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor) } #endif - plen = get_mclen(str); mode = get_mctype(str) | effect; #ifdef USE_ANSI_COLOR if (color) { @@ -439,6 +440,7 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor) #endif *(prop++) = mode; #ifdef USE_M17N + plen = get_mclen(str); if (plen > 1) { mode = (mode & ~PC_WCHAR1) | PC_WCHAR2; for (i = 1; i < plen; i++) { diff --git a/file.c b/file.c index 86af3a9..af92794 100644 --- a/file.c +++ b/file.c @@ -7966,7 +7966,6 @@ int save2tmp(URLFile uf, char *tmpf) { FILE *ff; - int check; clen_t linelen = 0, trbyte = 0; MySignalHandler(*volatile prevtrap) (SIGNAL_ARG) = NULL; static JMP_BUF env_bak; @@ -7983,8 +7982,8 @@ save2tmp(URLFile uf, char *tmpf) goto _end; } TRAP_ON; - check = 0; #ifdef USE_NNTP + int check = 0; if (uf.scheme == SCM_NEWS) { char c; while (c = UFgetc(&uf), !iseos(uf.stream)) { diff --git a/linein.c b/linein.c index d8f9023..282c2f4 100644 --- a/linein.c +++ b/linein.c @@ -77,8 +77,6 @@ static Str strCurrentBuf; static int use_hist; #ifdef USE_M17N static void ins_char(Str str); -#else -static void ins_char(char c); #endif char * diff --git a/table.c b/table.c index 572ebd6..842de18 100644 --- a/table.c +++ b/table.c @@ -415,7 +415,7 @@ suspend_or_pushdata(struct table *tbl, char *line) #ifdef USE_M17N #define PUSH_TAG(str,n) Strcat_charp_n(tagbuf, str, n) #else -#define PUSH_TAG(str,n) Strcat_char(tagbuf, *str) +#define PUSH_TAG(str,n) Strcat_char(tagbuf, *str), (void)n #endif int visible_length_offset = 0; -- 2.39.0 ++++++ 0002-Fix-m17n-backspace-handling-causes-out-of-bounds-wri.patch ++++++ >From b4d0aba9da50ee62c43c1ac7bd1b70c4c5909438 Mon Sep 17 00:00:00 2001 From: Tatsuya Kinoshita <t...@debian.org> Date: Tue, 20 Dec 2022 21:16:48 +0900 Subject: [PATCH 2/2] Fix m17n backspace handling causes out-of-bounds write in checkType [CVE-2022-38223] Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019599 Bug-Debian: https://github.com/tats/w3m/issues/242 (cherry picked from commit 419ca82d57c72242817b55e2eaa4cdbf6916e7fa) --- etc.c | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/etc.c b/etc.c index dea56b5..e7b4c53 100644 --- a/etc.c +++ b/etc.c @@ -256,6 +256,9 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor) #ifdef USE_M17N int i; int plen = 0, clen; + int *plens = NULL; + static int *plens_buffer = NULL; + static int plens_size = 0; #endif if (prop_size < s->length) { @@ -263,6 +266,13 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor) prop_buffer = New_Reuse(Lineprop, prop_buffer, prop_size); } prop = prop_buffer; +#ifdef USE_M17N + if (plens_size < s->length) { + plens_size = (s->length > LINELEN) ? s->length : LINELEN; + plens_buffer = New_Reuse(int, plens_buffer, plens_size); + } + plens = plens_buffer; +#endif if (ShowEffect) { bs = memchr(str, '\b', s->length); @@ -297,14 +307,21 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor) #ifdef USE_ANSI_COLOR if (color) *(color++) = 0; +#endif +#ifdef USE_M17N + *(plens++) = plen = 1; #endif } Strcat_charp_n(s, sp, (int)(str - sp)); } } if (!do_copy) { - for (; str < endp && IS_ASCII(*str); str++) + for (; str < endp && IS_ASCII(*str); str++) { *(prop++) = PE_NORMAL | (IS_CNTRL(*str) ? PC_CTRL : PC_ASCII); +#ifdef USE_M17N + *(plens++) = plen = 1; +#endif + } } while (str < endp) { @@ -366,6 +383,7 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor) else { Strshrink(s, plen); prop -= plen; + plen = *(--plens); str += 2; } } @@ -387,6 +405,7 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor) else { Strshrink(s, plen); prop -= plen; + plen = *(--plens); str++; } #else @@ -441,6 +460,7 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor) *(prop++) = mode; #ifdef USE_M17N plen = get_mclen(str); + *(plens++) = plen; if (plen > 1) { mode = (mode & ~PC_WCHAR1) | PC_WCHAR2; for (i = 1; i < plen; i++) { -- 2.39.0
