Arch Linux Security Advisory ASA-201611-18
=========================================
Severity: Critical
Date : 2016-11-18
CVE-ID : CVE-2016-9422 CVE-2016-9423 CVE-2016-9424 CVE-2016-9425
         CVE-2016-9426 CVE-2016-9428 CVE-2016-9429 CVE-2016-9430
         CVE-2016-9431 CVE-2016-9432 CVE-2016-9433 CVE-2016-9434
         CVE-2016-9435 CVE-2016-9436 CVE-2016-9437 CVE-2016-9438
         CVE-2016-9439 CVE-2016-9440 CVE-2016-9441 CVE-2016-9442
Package : w3m
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/title/CVE
Summary
======
The package w3m before version 0.5.3.git20161031-1 is vulnerable to
multiple issues including arbitrary code execution and denial of
service.
Resolution
=========
Upgrade to 0.5.3.git20161031-1.
# pacman -Syu "w3m>=0.5.3.git20161031-1"
The problems have been fixed upstream in version 0.5.3.git20161031.
Workaround
=========
None.
Description
==========
- CVE-2016-9422 (arbitrary code execution)
A problem has been discovered when rowspan and colspan are not at least
1. If either one of them is zero and the other is larger than 1, HTT_X
and HTT_Y attributes are not set correctly resulting in a wrong
calculation of maxcol or maxrow (not including colspan/rowspan). This
leads to a potentially exploitable buffer overflow.
- CVE-2016-9423 (arbitrary code execution)
A stack overflow vulnerability has been discovered in deleteFrameSet()
on specially crafted input like a malformed HTML tag.
- CVE-2016-9424 (arbitrary code execution)
A heap out of bounds write has been discovered due to a negative array
index for selectnumber and textareanumber.
- CVE-2016-9425 (arbitrary code execution)
A heap buffer overflow vulnerability has been discovered in
addMultirowsForm() due to an invalid array access resulting in a write
to lineBuf[-1].
- CVE-2016-9426 (arbitrary code execution)
A heap corruption vulnerability has been discovered due to an integer
overflow in renderTable() leading to an unexpected write outside the
tabwidth array boundaries.
- CVE-2016-9428 (arbitrary code execution)
A heap buffer overflow vulnerability has been discovered in
addMultirowsForm() due to an invalid array access resulting in a write
to lineBuf[-1].
- CVE-2016-9429 (arbitrary code execution)
An out of bounds write vulnerability has been discovered in
formUpdateBuffer() due to invalid length and position checks.
- CVE-2016-9430 (denial of service)
A problem has been discovered where malformed input field type
properties lead to an application crash.
- CVE-2016-9431 (arbitrary code execution)
A stack overflow vulnerability has been discovered in deleteFrameSet()
on specially crafted input like a malformed HTML tag.
- CVE-2016-9432 (arbitrary code execution)
A vulnerability has been discovered in formUpdateBuffer() due to
insufficient bounds validation leading to a negative sized bcopy() call
getting converted to an unexpectedly large value.
- CVE-2016-9433 (denial of service)
An out of bounds read access has been discovered in the iso2022 parsing
while calculating the WC_CCS_INDEX leading to an application crash
resulting in denial of service.
- CVE-2016-9434 (arbitrary code execution)
An out of bounds write vulnerability has been discovered while handling
form_int fields. An incorrect form_int fid is not properly checked and
leads to an out of bounds write in forms[form_id]->next.
- CVE-2016-9435 (arbitrary code execution)
Multiple issues have been discovered related to uninitialized values
for and
HTML elements. A missing PUSH_ENV(HTML_DL) call is
leading to a conditional jump or move depending on an uninitialized
value resulting in a stack overflow vulnerability.
- CVE-2016-9436 (arbitrary code execution)
Multiple issues have been discovered related to uninitialized values
for and
HTML elements. A missing null string termination for
the tagname variable in parsetagx.c is leading to an out of bounds
access.
- CVE-2016-9437 (arbitrary code execution)
An out of bounds write access has been discovered when using invalid
button element type properties like '
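
The negative-length conversion described for CVE-2016-9432 above, as an added C example that is not w3m's code and not part of the advisory: a signed length handed to a copy routine turns into a very large size_t, and a bounds check done before the conversion rejects it. All function names and the sample buffer are hypothetical and constructed for illustration.

```c
/* Added illustration, not w3m source: all names here are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* What a copy routine receives when a signed length is passed as size_t. */
size_t length_seen_by_copy(int signed_len)
{
    return (size_t)signed_len;      /* -1 becomes SIZE_MAX */
}

/* Models the bug class: a length derived from two positions, end < start. */
int span_length(int start, int end)
{
    return end - start;     /* negative when the positions are inconsistent */
}

/*
 * Hardened span copy: writes src[0..len) to dst[pos..pos+len).
 * Returns 0 on success, -1 if the request falls outside either buffer.
 */
int checked_copy(char *dst, size_t dst_size, int pos,
                 const char *src, size_t src_size, int len)
{
    if (dst == NULL || src == NULL)
        return -1;
    if (pos < 0 || len < 0)                    /* reject before any conversion */
        return -1;
    if ((size_t)pos > dst_size)                /* start must lie inside dst */
        return -1;
    if ((size_t)len > dst_size - (size_t)pos)  /* subtraction cannot wrap here */
        return -1;
    if ((size_t)len > src_size)                /* do not read past the source */
        return -1;
    memmove(dst + pos, src, (size_t)len);
    return 0;
}

int main(void)
{
    char line[16] = "0123456789";            /* constructed sample buffer */
    int len = span_length(8, 3);             /* constructed inconsistent input */
    printf("signed len %d -> size_t %zu\n", len, length_seen_by_copy(len));
    printf("bad copy  -> %d\n", checked_copy(line, sizeof line, 4, "abc", 3, len));
    printf("good copy -> %d (%s)\n",
           checked_copy(line, sizeof line, 4, "abc", 3, 3), line);
    return 0;
}
```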