Subject: [ASA-201611-18] w3m: multiple issues

Arch Linux Security Advisory ASA-201611-18
==========================================

Severity: Critical
Date    : 2016-11-18
CVE-ID  : CVE-2016-9422 CVE-2016-9423 CVE-2016-9424 CVE-2016-9425
          CVE-2016-9426 CVE-2016-9428 CVE-2016-9429 CVE-2016-9430
          CVE-2016-9431 CVE-2016-9432 CVE-2016-9433 CVE-2016-9434
          CVE-2016-9435 CVE-2016-9436 CVE-2016-9437 CVE-2016-9438
          CVE-2016-9439 CVE-2016-9440 CVE-2016-9441 CVE-2016-9442
Package : w3m
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-73

Summary
=======

The package w3m before version 0.5.3.git20161031-1 is vulnerable to
multiple issues including arbitrary code execution and denial of service.

Resolution
==========

Upgrade to 0.5.3.git20161031-1.

# pacman -Syu "w3m>=0.5.3.git20161031-1"

The problems have been fixed upstream in version 0.5.3.git20161031.

Workaround
==========

None.

Description
===========

- CVE-2016-9422 (arbitrary code execution)

A problem has been discovered when rowspan and colspan are not at least 1.
If one of them is zero and the other is larger than 1, the HTT_X and HTT_Y
attributes are not set correctly, resulting in a wrong calculation of
maxcol or maxrow (not including colspan/rowspan). This leads to a
potentially exploitable buffer overflow.

- CVE-2016-9423 (arbitrary code execution)

A stack overflow vulnerability has been discovered in deleteFrameSet() on
specially crafted input such as a malformed HTML tag.

- CVE-2016-9424 (arbitrary code execution)

A heap out-of-bounds write has been discovered due to a negative array
index for selectnumber and textareanumber.

- CVE-2016-9425 (arbitrary code execution)

A heap buffer overflow vulnerability has been discovered in
addMultirowsForm() due to an invalid array access resulting in a write to
lineBuf[-1].

- CVE-2016-9426 (arbitrary code execution)

A heap corruption vulnerability has been discovered due to an integer
overflow in renderTable() leading to an unexpected write outside the
tabwidth array boundaries.

- CVE-2016-9428 (arbitrary code execution)

A heap buffer overflow vulnerability has been discovered in
addMultirowsForm() due to an invalid array access resulting in a write to
lineBuf[-1].

- CVE-2016-9429 (arbitrary code execution)

An out-of-bounds write vulnerability has been discovered in
formUpdateBuffer() due to invalid length and position checks.

- CVE-2016-9430 (denial of service)

A problem has been discovered where malformed input field type properties
lead to an application crash.

- CVE-2016-9431 (arbitrary code execution)

A stack overflow vulnerability has been discovered in deleteFrameSet() on
specially crafted input such as a malformed HTML tag.

- CVE-2016-9432 (arbitrary code execution)

A vulnerability has been discovered in formUpdateBuffer() due to
insufficient bounds validation: a negative size passed to bcopy() is
converted to an unexpectedly large unsigned value.

- CVE-2016-9433 (denial of service)

An out-of-bounds read has been discovered in the iso2022 parsing while
calculating the WC_CCS_INDEX, leading to an application crash and
denial of service.

- CVE-2016-9434 (arbitrary code execution)

An out-of-bounds write vulnerability has been discovered while handling
form_int fields. An incorrect form_int fid is not properly checked and
leads to an out-of-bounds write in forms[form_id]->next.

- CVE-2016-9435 (arbitrary code execution)

Multiple issues have been discovered related to uninitialized values for
and HTML elements. A missing PUSH_ENV(HTML_DL) call leads to a conditional
jump or move depending on an uninitialized value, resulting in a stack
overflow vulnerability.

- CVE-2016-9436 (arbitrary code execution)

Multiple issues have been discovered related to uninitialized values for
and HTML elements. A missing null termination of the tagname variable in
parsetagx.c leads to an out-of-bounds access.

- CVE-2016-9437 (arbitrary code execution)

An out-of-bounds write has been discovered when using invalid button
element type properties like '
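The pattern behind CVE-2016-9432 (a signed, possibly negative length reaching a size_t copy parameter) and CVE-2016-9422 (rowspan/colspan of zero) recurs in many parsers. The following is an added illustration written for this page; it is not w3m code and does not reproduce w3m's fix. The function names, the buffer layout and the sample string are hypothetical. It shows how a negative length silently becomes a huge unsigned size, the range check that must precede any copy, and a clamp that keeps table span attributes at least 1.

```c
/* Added illustration for this advisory, not w3m code. The helper names,
   the fixed-size buffers and the sample input are all constructed here. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DST_LEN 32

/* Constructed sample "form content" standing in for a w3m line buffer. */
static const char g_src[] = "abcdefghij";
static const size_t g_src_len = sizeof(g_src) - 1;
static char g_dst[DST_LEN];

/* Mirrors the bug pattern: len = end - pos computed from untrusted
 * positions. If pos > end, len is negative and, at a bcopy()/memmove()
 * call site, the int is converted to size_t and becomes enormous. We
 * only return the converted value rather than calling the copy. */
size_t unchecked_copy_size(int pos, int end)
{
    int len = end - pos;          /* may be negative */
    return (size_t)len;           /* what bcopy() would actually receive */
}

/* Hardened variant: validate the range against both the source and the
 * destination before touching memory. Returns bytes copied, or 0 and
 * leaves dst untouched on any invalid input. */
size_t checked_form_copy(char *dst, size_t dst_len,
                         const char *src, size_t src_len,
                         int pos, int end)
{
    if (pos < 0 || end < pos)                       /* negative or inverted */
        return 0;
    size_t len = (size_t)(end - pos);
    if ((size_t)pos > src_len || len > src_len - (size_t)pos)
        return 0;                                   /* runs past the source */
    if (len > dst_len)
        return 0;                                   /* overflows the target */
    memmove(dst, src + pos, len);
    return len;
}

/* Convenience wrapper over the constructed sample input. */
size_t demo_copy(int pos, int end)
{
    memset(g_dst, 0, sizeof g_dst);
    return checked_form_copy(g_dst, sizeof g_dst, g_src, g_src_len, pos, end);
}

const char *demo_dst(void)
{
    return g_dst;
}

/* Span sanitising in the spirit of CVE-2016-9422: table layout code that
 * assumes rowspan/colspan >= 1 must enforce it on the parsed attribute.
 * A span of 0 (or a negative value from a signed parse) is clamped to 1.
 * This is a hypothetical helper, not w3m's own handling. */
int sanitize_span(int span)
{
    return span < 1 ? 1 : span;
}

int main(void)
{
    printf("unchecked size for pos=10,end=4: %zu\n", unchecked_copy_size(10, 4));
    printf("checked copy pos=2,end=6 copied %zu bytes: %.4s\n",
           demo_copy(2, 6), demo_dst());
    printf("checked copy pos=10,end=4 copied %zu bytes\n", demo_copy(10, 4));
    printf("colspan 0 -> %d\n", sanitize_span(0));
    return 0;
}
```

The unchecked path never needs to be exploited to see the problem: a length of -6 becomes SIZE_MAX - 5 at the call boundary, which is why the advisory describes the bcopy() size as "unexpectedly large". The checked variant rejects inverted ranges, positions past the source and lengths past the destination independently, so each failure mode has its own early return.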