Arch Linux Security Advisory ASA-201611-18
=========================================
Severity: Critical
Date    : 2016-11-18
CVE-ID  : CVE-2016-9422 CVE-2016-9423 CVE-2016-9424 CVE-2016-9425
          CVE-2016-9426 CVE-2016-9428 CVE-2016-9429 CVE-2016-9430
          CVE-2016-9431 CVE-2016-9432 CVE-2016-9433 CVE-2016-9434
          CVE-2016-9435 CVE-2016-9436 CVE-2016-9437 CVE-2016-9438
          CVE-2016-9439 CVE-2016-9440 CVE-2016-9441 CVE-2016-9442
Package : w3m
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package w3m before version 0.5.3.git20161031-1 is vulnerable to
multiple issues including arbitrary code execution and denial of
service.

Resolution
=========
Upgrade to 0.5.3.git20161031-1.

# pacman -Syu "w3m>=0.5.3.git20161031-1"

The problems have been fixed upstream in version 0.5.3.git20161031.

Workaround
=========
None.

Description
==========
- CVE-2016-9422 (arbitrary code execution)

A problem has been discovered when rowspan and colspan are not at least
1. If either one of them is zero and the other is larger than 1, the
HTT_X and HTT_Y attributes are not set correctly, resulting in a wrong
calculation of maxcol or maxrow (not including colspan/rowspan). This
leads to a potentially exploitable buffer overflow.

- CVE-2016-9423 (arbitrary code execution)

A stack overflow vulnerability has been discovered in deleteFrameSet()
on specially crafted input like a malformed HTML tag.

- CVE-2016-9424 (arbitrary code execution)

A heap out-of-bounds write has been discovered due to a negative array
index for selectnumber and textareanumber.

- CVE-2016-9425 (arbitrary code execution)

A heap buffer overflow vulnerability has been discovered in
addMultirowsForm() due to an invalid array access resulting in a write
to lineBuf[-1].

- CVE-2016-9426 (arbitrary code execution)

A heap corruption vulnerability has been discovered due to an integer
overflow in renderTable() leading to an unexpected write outside the
tabwidth array boundaries.

- CVE-2016-9428 (arbitrary code execution)

A heap buffer overflow vulnerability has been discovered in
addMultirowsForm() due to an invalid array access resulting in a write
to lineBuf[-1].

- CVE-2016-9429 (arbitrary code execution)

An out-of-bounds write vulnerability has been discovered in
formUpdateBuffer() due to invalid length and position checks.

- CVE-2016-9430 (denial of service)

A problem has been discovered resulting in malformed input field type
properties leading to an application crash.

- CVE-2016-9431 (arbitrary code execution)

A stack overflow vulnerability has been discovered in deleteFrameSet()
on specially crafted input like a malformed HTML tag.

- CVE-2016-9432 (arbitrary code execution)

A vulnerability has been discovered in formUpdateBuffer() due to
insufficient bounds validation: a negative-sized bcopy() call has its
length converted to an unexpectedly large value.
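The defect class behind CVE-2016-9429 and CVE-2016-9432 (a signed position and length that reach a bcopy()/memmove() call without being validated) is illustrated below. This is an added example, not w3m's code; LINE_LEN, update_line_region() and the sample input are hypothetical, and the hardened function shows the checks a fixed copy routine needs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical line buffer size (not a w3m constant). */
#define LINE_LEN 32

/* A negative int length passed to bcopy()'s size_t parameter is
 * implicitly converted: -1 becomes SIZE_MAX, so the copy runs far
 * past the end of the destination buffer. */
size_t length_as_seen_by_bcopy(int len)
{
    return (size_t)len;
}

/* Hardened replacement (added illustration): every check happens
 * before any conversion or pointer arithmetic, and the unsigned
 * arithmetic is ordered so that it cannot itself overflow.
 * Returns the number of bytes written, or 0 if the request is rejected. */
size_t update_line_region(char *line, size_t line_len,
                          int pos, int len,
                          const char *src, size_t src_len)
{
    if (line == NULL || src == NULL)
        return 0;
    if (pos < 0 || len < 0)                     /* reject before (size_t) conversion */
        return 0;
    if ((size_t)pos > line_len)                 /* start must lie inside the line   */
        return 0;
    if ((size_t)len > line_len - (size_t)pos)   /* subtraction is safe after above  */
        return 0;
    if ((size_t)len > src_len)                  /* never over-read the source       */
        return 0;
    memmove(line + pos, src, (size_t)len);
    return (size_t)len;
}

/* Exercises a valid request, a negative length and a length that would
 * run past the buffer; returns 1 when the hardened checks behave. */
int demo(void)
{
    char line[LINE_LEN] = {0};
    const char *src = "constructed-sample-input";   /* constructed input */
    size_t n_ok  = update_line_region(line, LINE_LEN, 4, 8, src, strlen(src));
    size_t n_neg = update_line_region(line, LINE_LEN, 4, -1, src, strlen(src));
    size_t n_big = update_line_region(line, LINE_LEN, 30, 8, src, strlen(src));
    return n_ok == 8 && n_neg == 0 && n_big == 0 &&
           memcmp(line + 4, "construc", 8) == 0;
}
```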

- CVE-2016-9433 (denial of service)

An out of bounds read access has been discovered in the iso2022 parsing
while calculating the WC_CCS_INDEX leading to an application crash
resulting in denial of service.

- CVE-2016-9434 (arbitrary code execution)

An out of bounds write vulnerability has been discovered while handling
form_int fields. An incorrect form_int fid is not properly checked and
leads to an out of bounds write in forms[form_id]->next.

- CVE-2016-9435 (arbitrary code execution)

Multiple issues have been discovered related to uninitialized values
for and HTML elements. A missing PUSH_ENV(HTML_DL) call is leading to a
conditional jump or move depending on an uninitialized value, resulting
in a stack overflow vulnerability.

- CVE-2016-9436 (arbitrary code execution)

Multiple issues have been discovered related to uninitialized values
for and HTML elements. A missing null string termination for the
tagname variable in parsetagx.c is leading to an out of bounds access.

- CVE-2016-9437 (arbitrary code execution)

An out of bounds write access has been discovered when using invalid
button element type properties like '

References
=========
https://www.openwall.com/lists/oss-security/2016/11/18/3
https://github.com/tats/w3m/issues/8
https://github.com/tats/w3m/issues/9
https://github.com/tats/w3m/issues/12
https://github.com/tats/w3m/issues/21
https://github.com/tats/w3m/issues/25
https://github.com/tats/w3m/issues/26
https://github.com/tats/w3m/issues/29
https://github.com/tats/w3m/issues/7
https://github.com/tats/w3m/issues/10
https://github.com/tats/w3m/issues/13
https://github.com/tats/w3m/issues/14
https://github.com/tats/w3m/issues/15
https://github.com/tats/w3m/issues/16
https://github.com/tats/w3m/commit/33509cc81ec5f2ba44eb6fd98bd5c1b5873e46bd
https://github.com/tats/w3m/issues/17
https://github.com/tats/w3m/issues/18
https://github.com/tats/w3m/issues/20
https://github.com/tats/w3m/issues/22
https://github.com/tats/w3m/issues/24
https://github.com/tats/w3m/commit/d43527cfa0dbb3ccefec4a6f7b32c1434739aa29
https://access.redhat.com/security/cve/CVE-2016-9422
https://access.redhat.com/security/cve/CVE-2016-9423
https://access.redhat.com/security/cve/CVE-2016-9424
https://access.redhat.com/security/cve/CVE-2016-9425
https://access.redhat.com/security/cve/CVE-2016-9426
https://access.redhat.com/security/cve/CVE-2016-9428
https://access.redhat.com/security/cve/CVE-2016-9429
https://access.redhat.com/security/cve/CVE-2016-9430
https://access.redhat.com/security/cve/CVE-2016-9431
https://access.redhat.com/security/cve/CVE-2016-9432
https://access.redhat.com/security/cve/CVE-2016-9433
https://access.redhat.com/security/cve/CVE-2016-9434
https://access.redhat.com/security/cve/CVE-2016-9435
https://access.redhat.com/security/cve/CVE-2016-9436
https://access.redhat.com/security/cve/CVE-2016-9437
https://access.redhat.com/security/cve/CVE-2016-9438
https://access.redhat.com/security/cve/CVE-2016-9439
https://access.redhat.com/security/cve/CVE-2016-9440
https://access.redhat.com/security/cve/CVE-2016-9441
https://access.redhat.com/security/cve/CVE-2016-9442