Hello community,

here is the log from the commit of package w3m for openSUSE:Factory checked in at 2023-08-15 16:39:25
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/w3m (Old)
 and      /work/SRC/openSUSE:Factory/.w3m.new.11712 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "w3m" Tue Aug 15 16:39:25 2023 rev:48 rq:1103875 version:0.5.3+git20230121 Changes: -------- --- /work/SRC/openSUSE:Factory/w3m/w3m.changes 2023-05-04 17:09:29.523984688 +0200 +++ /work/SRC/openSUSE:Factory/.w3m.new.11712/w3m.changes 2023-08-15 16:39:34.962813748 +0200 @@ -1,0 +2,9 @@ +Tue Jul 25 14:31:42 UTC 2023 - Thomas Blume <thomas.bl...@suse.com> + +- CVE-2023-38253: out-of-bounds read in growbuf_to_Str() at w3m/indep.c + (bsc#1213323) +- CVE-2023-38252 out-of-bounds read in Strnew_size() at w3m/Str.c + (bsc#1213324) +- add 0001-Fix-OOB-access-due-to-multiple-backspaces.patch + +------------------------------------------------------------------- New: ---- 0001-Fix-OOB-access-due-to-multiple-backspaces.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ w3m.spec ++++++ --- /var/tmp/diff_new_pack.fIfCgq/_old 2023-08-15 16:39:35.642818385 +0200 +++ /var/tmp/diff_new_pack.fIfCgq/_new 2023-08-15 16:39:35.646818412 +0200 @@ -25,7 +25,8 @@ Group: Productivity/Networking/Web/Browsers Source0: https://salsa.debian.org/debian/w3m/-/archive/v%{version}/w3m-v%{version}.tar.bz2 -patch0: 0001-Update-German-message-catalogue.patch +Patch0: 0001-Update-German-message-catalogue.patch +Patch1: 0001-Fix-OOB-access-due-to-multiple-backspaces.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: gc-devel ++++++ 0001-Fix-OOB-access-due-to-multiple-backspaces.patch ++++++ >From edc602651c506aeeb60544b55534dd1722a340d3 Mon Sep 17 00:00:00 2001 
From: Rene Kita <m...@rkta.de> Date: Thu, 13 Jul 2023 07:50:26 +0200 Subject: [PATCH] Fix OOB access due to multiple backspaces Commit 419ca82d57 (Fix m17n backspace handling causes out-of-bounds write in checkType) introduced an incomplete fix. In function checkType we store the length of the previous multi-char character in a buffer plens_buffer with pointer plens pointing to the current position inside the buffer. When encountering a backspace plens is set to the previous position without a bounds check. This will lead to plens being out of bounds if we get more backspaces than we have processed multi-char characters before. If we are at the beginning of the buffer do not decrement and set plen (the current length) to 0. This also fixes GH Issue #270 [BUG] Out of bound read in Strnew_size , Str.c:61 If the above explanation does sound weird it's because I didn't fully grok that function. :-) --- etc.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/etc.c b/etc.c index 128717b..b566151 100644 --- a/etc.c +++ b/etc.c @@ -393,7 +393,10 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor) if (color) color -= plen; #endif - plen = *(--plens); + if (plens == plens_buffer) + plen = 0; + else + plen = *(--plens); str += 2; } } @@ -419,7 +422,10 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor) if (color) color -= plen; #endif - plen = *(--plens); + if (plens == plens_buffer) + plen = 0; + else + plen = *(--plens); str++; } #else -- 2.41.0
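
Review bot: In the w3m.changes hunk, the entry lists two CVEs, but the commit message of the added patch names only the out-of-bounds read in Strnew_size (Str.c:61), which matches CVE-2023-38252. State in the changelog whether the same patch also covers CVE-2023-38253 in growbuf_to_Str(), so the "add 0001-Fix-OOB-access-due-to-multiple-backspaces.patch" line is tied to the issues it resolves. The CVE-2023-38252 line is also missing the colon that the CVE-2023-38253 line has after the identifier.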
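
Review bot: In the w3m.spec hunk, only the Patch1 tag is added and no %prep change appears in this diff, so confirm that %prep applies all declared patches (for example through %autosetup or %autopatch) rather than listing them one by one; otherwise Patch1 is declared but never applied and the package ships without the fix. Both patch files also start with 0001-, which makes the Patch0/Patch1 order hard to read from the file names alone.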
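
Review bot: The guard added in the first etc.c hunk (@@ -393) has no comment saying why plen becomes 0 when plens equals plens_buffer; the reason (more backspaces than previously processed multi-char characters) lives only in the commit message. Add a short comment above `if (plens == plens_buffer)`. The context line `color -= plen` just before the guard still steps back by the previous plen, so it is worth confirming that this pointer cannot move before the start of its own buffer on the same input.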
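
Review bot: The four-line guard in the second etc.c hunk (@@ -419) is an exact copy of the one at @@ -393. Since the commit message says the earlier fix (419ca82d57) was incomplete, factor the bounded pop into one small helper or macro used by both branches so a later change cannot correct one and miss the other. A regression input with more backspaces than preceding characters, exercising both the `str += 2` and the `str++` branch, would back the fix up.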