SUSE Security Update: Security update for w3m
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:14382-1
Rating:             moderate
References:         #1077559 #1077568 #1077572 
Cross-References:   CVE-2018-6196 CVE-2018-6197 CVE-2018-6198
                   
Affected Products:
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for w3m fixes several issues.

   These security issues were fixed:

   - CVE-2018-6196: Prevent infinite recursion in HTMLlineproc0 caused by the
     feed_table_block_tag function which did not prevent a negative indent
     value (bsc#1077559)
   - CVE-2018-6197: Prevent NULL pointer dereference in formUpdateBuffer
     (bsc#1077568)
   - CVE-2018-6198: w3m did not properly handle temporary files when the
     ~/.w3m directory is unwritable, which allowed a local attacker to craft
     a symlink attack to overwrite arbitrary files (bsc#1077572)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-w3m-14382=1



Package List:

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):

      w3m-debuginfo-0.5.3.git20161120-5.3.37
      w3m-debugsource-0.5.3.git20161120-5.3.37


References:

   https://www.suse.com/security/cve/CVE-2018-6196.html
   https://www.suse.com/security/cve/CVE-2018-6197.html
   https://www.suse.com/security/cve/CVE-2018-6198.html
   https://bugzilla.suse.com/1077559
   https://bugzilla.suse.com/1077568
   https://bugzilla.suse.com/1077572

_______________________________________________
sle-security-updates mailing list
[email protected]
https://lists.suse.com/mailman/listinfo/sle-security-updates