Hello community,

here is the log from the commit of package w3m for openSUSE:Factory checked in 
at 2023-08-15 16:39:25
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/w3m (Old)
 and      /work/SRC/openSUSE:Factory/.w3m.new.11712 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "w3m"

Tue Aug 15 16:39:25 2023 rev:48 rq:1103875 version:0.5.3+git20230121

Changes:
--------
--- /work/SRC/openSUSE:Factory/w3m/w3m.changes  2023-05-04 17:09:29.523984688 
+0200
+++ /work/SRC/openSUSE:Factory/.w3m.new.11712/w3m.changes       2023-08-15 
16:39:34.962813748 +0200
@@ -1,0 +2,9 @@
+Tue Jul 25 14:31:42 UTC 2023 - Thomas Blume <thomas.bl...@suse.com>
+
+- CVE-2023-38253: out-of-bounds read in growbuf_to_Str() at w3m/indep.c
+  (bsc#1213323)
+- CVE-2023-38252 out-of-bounds read in Strnew_size() at w3m/Str.c 
+  (bsc#1213324)
+- add 0001-Fix-OOB-access-due-to-multiple-backspaces.patch
+
+-------------------------------------------------------------------
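Review bot: The two CVE lines in this entry are formatted inconsistently, and the entry does not say how the single added patch covers both of them. The CVE-2023-38252 line lacks the colon used after CVE-2023-38253 and has trailing whitespace after "w3m/Str.c". The patch further down touches only etc.c and its message mentions only the Strnew_size report, so please note here why the same patch also resolves the growbuf_to_Str() read in indep.c, or reference the change that does.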

New:
----
  0001-Fix-OOB-access-due-to-multiple-backspaces.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ w3m.spec ++++++
--- /var/tmp/diff_new_pack.fIfCgq/_old  2023-08-15 16:39:35.642818385 +0200
+++ /var/tmp/diff_new_pack.fIfCgq/_new  2023-08-15 16:39:35.646818412 +0200
@@ -25,7 +25,8 @@
 Group:          Productivity/Networking/Web/Browsers
 
 Source0:        
https://salsa.debian.org/debian/w3m/-/archive/v%{version}/w3m-v%{version}.tar.bz2
-patch0:         0001-Update-German-message-catalogue.patch
+Patch0:         0001-Update-German-message-catalogue.patch
+Patch1:         0001-Fix-OOB-access-due-to-multiple-backspaces.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  gc-devel
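Review bot: Patch1 is declared in this hunk, but the diff shows no matching change in %prep, so please confirm the patch is actually applied at build time. If the spec applies patches with explicit %patch lines, one for patch 1 is needed alongside this declaration; if it relies on %autosetup or %autopatch, nothing more is required. The capitalisation change from "patch0" to "Patch0" is fine.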

++++++ 0001-Fix-OOB-access-due-to-multiple-backspaces.patch ++++++
>From edc602651c506aeeb60544b55534dd1722a340d3 Mon Sep 17 00:00:00 2001
From: Rene Kita <m...@rkta.de>
Date: Thu, 13 Jul 2023 07:50:26 +0200
Subject: [PATCH] Fix OOB access due to multiple backspaces

Commit 419ca82d57 (Fix m17n backspace handling causes out-of-bounds
write in checkType) introduced an incomplete fix.

In function checkType we store the length of the previous multi-char
character in a buffer plens_buffer with pointer plens pointing to the
current position inside the buffer. When encountering a backspace plens
is set to the previous position without a bounds check. This will lead
to plens being out of bounds if we get more backspaces than we have
processed multi-char characters before.

If we are at the beginning of the buffer do not decrement and set plen
(the current length) to 0.

This also fixes GH Issue #270 [BUG] Out of bound read in Strnew_size ,
Str.c:61

If the above explanation does sound weird it's because I didn't fully
grok that function. :-)
---
 etc.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/etc.c b/etc.c
index 128717b..b566151 100644
--- a/etc.c
+++ b/etc.c
@@ -393,7 +393,10 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
                            if (color)
                                color -= plen;
 #endif
-                           plen = *(--plens);
+                           if (plens == plens_buffer)
+                               plen = 0;
+                           else
+                               plen = *(--plens);
                            str += 2;
                        }
                    }
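Review bot: The new test on plens sits after "color -= plen;" in this hunk, so the pointer arithmetic on color still runs unconditionally before the bounds check. Please confirm that color, and anything else stepped back by plen above this context, cannot drop below its own buffer start on the first excess backspace, when plen still holds the previous value; if that cannot be shown, move the "plens == plens_buffer" test ahead of those decrements. A one-line comment on why plen is set to 0 at the start of the buffer would also help, since the commit message says the earlier fix was incomplete.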
@@ -419,7 +422,10 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
                            if (color)
                                color -= plen;
 #endif
-                           plen = *(--plens);
+                           if (plens == plens_buffer)
+                               plen = 0;
+                           else
+                               plen = *(--plens);
                            str++;
                        }
 #else
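Review bot: The four-line guard before "str++" duplicates the one added in the previous hunk, and two hand-copied checks make it easy for one site to be missed the next time this code changes. Consider a small static helper or macro that pops plens with the bounds check and use it at both sites. A regression input with more backspaces than preceding characters would keep the fix from regressing.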
-- 
2.41.0
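The bounds check described in the commit message above, as an added example that is not part of the original mail and is not w3m code: a simplified C model of a length stack that is pushed per character and popped per backspace, run with and without the guard. The names `scan`, `char_len`, `struct scan_result` and `MAX_CHARS` are hypothetical, the sample input is constructed, and an index stands in for the `plens` pointer so that the unguarded case records the underflow instead of performing it.

```c
#include <stdio.h>
#include <string.h>
#define MAX_CHARS 64

/* min_index < 0 means the modelled pointer went below plens_buffer. */
struct scan_result { int min_index; int final_plen; };

/* Byte length of a UTF-8 sequence, judged from its lead byte only. */
static int char_len(unsigned char c)
{
    return c >= 0xF0 ? 4 : c >= 0xE0 ? 3 : c >= 0xC0 ? 2 : 1;
}

/* Hypothetical model, not w3m code: push the previous length for every
 * character, pop on '\b'. guarded == 0 pops unconditionally (pre-patch).
 * idx stands in for (plens - plens_buffer), so nothing is read OOB. */
struct scan_result scan(const char *s, int guarded)
{
    int plens_buffer[MAX_CHARS] = { 0 };
    int idx = 0, plen = 0;
    struct scan_result r = { 0, 0 };
    size_t i = 0, n = strlen(s);
    while (i < n && idx < MAX_CHARS) {
        if (s[i] == '\b') {
            if (guarded && idx == 0) {
                plen = 0;                  /* patched: stay at buffer start */
            } else {
                idx--;                     /* models plen = *(--plens) */
                plen = idx >= 0 ? plens_buffer[idx] : -1; /* -1 = OOB read */
            }
            if (idx < r.min_index) r.min_index = idx;
            i++;
        } else {
            if (idx >= 0) plens_buffer[idx] = plen; /* save previous length */
            idx++;
            plen = char_len((unsigned char)s[i]);
            i += (size_t)plen;
        }
    }
    r.final_plen = plen;
    return r;
}

int main(void)
{
    const char *input = "\xC3\xA9\b\b\b";  /* constructed: 1 char, 3 BS */
    struct scan_result a = scan(input, 0), b = scan(input, 1);
    printf("unguarded: min_index=%d plen=%d\n", a.min_index, a.final_plen);
    printf("guarded:   min_index=%d plen=%d\n", b.min_index, b.final_plen);
    return 0;
}
```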
