Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
Hi release team,
I'd like to update package w3m in bullseye to fix a security issue,
managed as minor issue, no-dsa.
cf. https://security-tracker.debian.org/tracker/CVE-2022-38223
See this changelog and the attached debdiff.
w3m (0.5.3+git20210102-6+deb11u1) bullseye; urgency=medium
* New patch 050_checktype.patch to fix out-of-bounds write in checkType
[CVE-2022-38223] (closes: #1019599)
-- Tatsuya Kinoshita Thu, 12 Jan 2023 23:28:20 +0900
Please let me know if I can upload it.
Thanks,
--
Tatsuya Kinoshita
diffstat for w3m-0.5.3+git20210102 w3m-0.5.3+git20210102
changelog |7 +++
patches/050_checktype.patch | 90
patches/series |1
3 files changed, 98 insertions(+)
diff -Nru w3m-0.5.3+git20210102/debian/changelog
w3m-0.5.3+git20210102/debian/changelog
--- w3m-0.5.3+git20210102/debian/changelog 2021-03-01 06:59:20.0
+0900
+++ w3m-0.5.3+git20210102/debian/changelog 2023-01-12 23:28:20.0
+0900
@@ -1,3 +1,10 @@
+w3m (0.5.3+git20210102-6+deb11u1) bullseye; urgency=medium
+
+ * New patch 050_checktype.patch to fix out-of-bounds write in checkType
+[CVE-2022-38223] (closes: #1019599)
+
+ -- Tatsuya Kinoshita Thu, 12 Jan 2023 23:28:20 +0900
+
w3m (0.5.3+git20210102-6) unstable; urgency=medium
* Update 030_str-overflow.patch to avoid zero size allocation in Str.c
diff -Nru w3m-0.5.3+git20210102/debian/patches/050_checktype.patch
w3m-0.5.3+git20210102/debian/patches/050_checktype.patch
--- w3m-0.5.3+git20210102/debian/patches/050_checktype.patch1970-01-01
09:00:00.0 +0900
+++ w3m-0.5.3+git20210102/debian/patches/050_checktype.patch2023-01-12
23:25:35.0 +0900
@@ -0,0 +1,90 @@
+Subject: Fix m17n backspace handling causes out-of-bounds write in checkType
[CVE-2022-38223]
+Author: Tatsuya Kinoshita
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019599
+Bug-Debian: https://github.com/tats/w3m/issues/242
+
+--- a/etc.c
b/etc.c
+@@ -253,14 +253,26 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ char *es = NULL;
+ #endif
+ int do_copy = FALSE;
++#ifdef USE_M17N
+ int i;
+ int plen = 0, clen;
++int *plens = NULL;
++static int *plens_buffer = NULL;
++static int plens_size = 0;
++#endif
+
+ if (prop_size < s->length) {
+ prop_size = (s->length > LINELEN) ? s->length : LINELEN;
+ prop_buffer = New_Reuse(Lineprop, prop_buffer, prop_size);
+ }
+ prop = prop_buffer;
++#ifdef USE_M17N
++if (plens_size < s->length) {
++ plens_size = (s->length > LINELEN) ? s->length : LINELEN;
++ plens_buffer = New_Reuse(int, plens_buffer, plens_size);
++}
++plens = plens_buffer;
++#endif
+
+ if (ShowEffect) {
+ bs = memchr(str, '\b', s->length);
+@@ -295,14 +307,21 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ #ifdef USE_ANSI_COLOR
+ if (color)
+ *(color++) = 0;
++#endif
++#ifdef USE_M17N
++ *(plens++) = plen = 1;
+ #endif
+ }
+ Strcat_charp_n(s, sp, (int)(str - sp));
+ }
+ }
+ if (!do_copy) {
+- for (; str < endp && IS_ASCII(*str); str++)
++ for (; str < endp && IS_ASCII(*str); str++) {
+ *(prop++) = PE_NORMAL | (IS_CNTRL(*str) ? PC_CTRL : PC_ASCII);
++#ifdef USE_M17N
++ *(plens++) = plen = 1;
++#endif
++ }
+ }
+
+ while (str < endp) {
+@@ -364,6 +383,7 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ else {
+ Strshrink(s, plen);
+ prop -= plen;
++ plen = *(--plens);
+ str += 2;
+ }
+ }
+@@ -385,6 +405,7 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ else {
+ Strshrink(s, plen);
+ prop -= plen;
++ plen = *(--plens);
+ str++;
+ }
+ #else
+@@ -429,7 +450,6 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ }
+ #endif
+
+- plen = get_mclen(str);
+ mode = get_mctype(str) | effect;
+ #ifdef USE_ANSI_COLOR
+ if (color) {
+@@ -439,6 +459,8 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ #endif
+ *(prop++) = mode;
+ #ifdef USE_M17N
++ plen = get_mclen(str);
++ *(plens++) = plen;
+ if (plen > 1) {
+ mode = (mode & ~PC_WCHAR1) | PC_WCHAR2;
+ for (i = 1; i < plen; i++) {
diff -Nru w3m-0.5.3+git20210102/debian/patches/series
w3m-0.5.3+git20210102/debian/patches/series
--- w3m-0.5.3+git20210102/debian/patches/series 2021-03-01 06:50:46.0
+0900
+++ w3m-0.5.3+git20210102/debian/patches/series