Bug#1029320: bullseye-pu: package w3m/0.5.3+git20210102-6+deb11u1

2023-02-04 Thread Tatsuya Kinoshita 
On 2023-02-04 at 19:01 +, Adam D. Barratt wrote:
> On Sat, 2023-01-21 at 19:51 +0900, Tatsuya Kinoshita wrote:
> > I'd like to update package w3m in bullseye to fix a security issue,
> > managed as minor issue, no-dsa.
> > cf. https://security-tracker.debian.org/tracker/CVE-2022-38223
> >
>
> Please go ahead.

Uploaded.

Thanks,
--
Tatsuya Kinoshita


pgpUhdorUiFNO.pgp
Description: PGP signature

Bug#1029320: bullseye-pu: package w3m/0.5.3+git20210102-6+deb11u1

2023-02-04 Thread Adam D. Barratt 
Control: tags -1 + confirmed

On Sat, 2023-01-21 at 19:51 +0900, Tatsuya Kinoshita wrote:
> I'd like to update package w3m in bullseye to fix a security issue,
> managed as minor issue, no-dsa.
> cf. https://security-tracker.debian.org/tracker/CVE-2022-38223
> 

Please go ahead.

Regards,

Adam

Bug#1029320: bullseye-pu: package w3m/0.5.3+git20210102-6+deb11u1

2023-01-21 Thread Tatsuya Kinoshita 
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

Hi release team,

I'd like to update package w3m in bullseye to fix a security issue,
managed as minor issue, no-dsa.
cf. https://security-tracker.debian.org/tracker/CVE-2022-38223

See this changelog and the attached debdiff.

w3m (0.5.3+git20210102-6+deb11u1) bullseye; urgency=medium

  * New patch 050_checktype.patch to fix out-of-bounds write in checkType
[CVE-2022-38223] (closes: #1019599)

 -- Tatsuya Kinoshita   Thu, 12 Jan 2023 23:28:20 +0900

Please let me know if I can upload it.

Thanks,
-- 
Tatsuya Kinoshita
diffstat for w3m-0.5.3+git20210102 w3m-0.5.3+git20210102

 changelog   |7 +++
 patches/050_checktype.patch |   90 
 patches/series  |1 
 3 files changed, 98 insertions(+)

diff -Nru w3m-0.5.3+git20210102/debian/changelog 
w3m-0.5.3+git20210102/debian/changelog
--- w3m-0.5.3+git20210102/debian/changelog  2021-03-01 06:59:20.0 
+0900
+++ w3m-0.5.3+git20210102/debian/changelog  2023-01-12 23:28:20.0 
+0900
@@ -1,3 +1,10 @@
+w3m (0.5.3+git20210102-6+deb11u1) bullseye; urgency=medium
+
+  * New patch 050_checktype.patch to fix out-of-bounds write in checkType
+[CVE-2022-38223] (closes: #1019599)
+
+ -- Tatsuya Kinoshita   Thu, 12 Jan 2023 23:28:20 +0900
+
 w3m (0.5.3+git20210102-6) unstable; urgency=medium
 
   * Update 030_str-overflow.patch to avoid zero size allocation in Str.c
diff -Nru w3m-0.5.3+git20210102/debian/patches/050_checktype.patch 
w3m-0.5.3+git20210102/debian/patches/050_checktype.patch
--- w3m-0.5.3+git20210102/debian/patches/050_checktype.patch1970-01-01 
09:00:00.0 +0900
+++ w3m-0.5.3+git20210102/debian/patches/050_checktype.patch2023-01-12 
23:25:35.0 +0900
@@ -0,0 +1,90 @@
+Subject: Fix m17n backspace handling causes out-of-bounds write in checkType 
[CVE-2022-38223]
+Author: Tatsuya Kinoshita 
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019599
+Bug-Debian: https://github.com/tats/w3m/issues/242
+
+--- a/etc.c
 b/etc.c
+@@ -253,14 +253,26 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ char *es = NULL;
+ #endif
+ int do_copy = FALSE;
++#ifdef USE_M17N
+ int i;
+ int plen = 0, clen;
++int *plens = NULL;
++static int *plens_buffer = NULL;
++static int plens_size = 0;
++#endif
+ 
+ if (prop_size < s->length) {
+   prop_size = (s->length > LINELEN) ? s->length : LINELEN;
+   prop_buffer = New_Reuse(Lineprop, prop_buffer, prop_size);
+ }
+ prop = prop_buffer;
++#ifdef USE_M17N
++if (plens_size < s->length) {
++  plens_size = (s->length > LINELEN) ? s->length : LINELEN;
++  plens_buffer = New_Reuse(int, plens_buffer, plens_size);
++}
++plens = plens_buffer;
++#endif
+ 
+ if (ShowEffect) {
+   bs = memchr(str, '\b', s->length);
+@@ -295,14 +307,21 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ #ifdef USE_ANSI_COLOR
+   if (color)
+   *(color++) = 0;
++#endif
++#ifdef USE_M17N
++  *(plens++) = plen = 1;
+ #endif
+   }
+   Strcat_charp_n(s, sp, (int)(str - sp));
+   }
+ }
+ if (!do_copy) {
+-  for (; str < endp && IS_ASCII(*str); str++)
++  for (; str < endp && IS_ASCII(*str); str++) {
+   *(prop++) = PE_NORMAL | (IS_CNTRL(*str) ? PC_CTRL : PC_ASCII);
++#ifdef USE_M17N
++  *(plens++) = plen = 1;
++#endif
++  }
+ }
+ 
+ while (str < endp) {
+@@ -364,6 +383,7 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+   else {
+   Strshrink(s, plen);
+   prop -= plen;
++  plen = *(--plens);
+   str += 2;
+   }
+   }
+@@ -385,6 +405,7 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+   else {
+   Strshrink(s, plen);
+   prop -= plen;
++  plen = *(--plens);
+   str++;
+   }
+ #else
+@@ -429,7 +450,6 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+   }
+ #endif
+ 
+-  plen = get_mclen(str);
+   mode = get_mctype(str) | effect;
+ #ifdef USE_ANSI_COLOR
+   if (color) {
+@@ -439,6 +459,8 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
+ #endif
+   *(prop++) = mode;
+ #ifdef USE_M17N
++  plen = get_mclen(str);
++  *(plens++) = plen;
+   if (plen > 1) {
+   mode = (mode & ~PC_WCHAR1) | PC_WCHAR2;
+   for (i = 1; i < plen; i++) {
diff -Nru w3m-0.5.3+git20210102/debian/patches/series 
w3m-0.5.3+git20210102/debian/patches/series
--- w3m-0.5.3+git20210102/debian/patches/series 2021-03-01 06:50:46.0 
+0900
+++ w3m-0.5.3+git20210102/debian/patches/series