Bug 221484 (CVE-2006-6772)

Summary: CVE-2006-6772 w3m is vulnerable to format string attack via CN field of SSL/TLS certificate when invoked with -dump/-backend
Product: [Fedora] Fedora
Reporter: Lubomir Kundrak <lkundrak>
Component: w3m
Assignee: Parag Nemade <pnemade>
Status: CLOSED RAWHIDE
Severity: low
Priority: low
Version: 6
Keywords: Security
Hardware: All
OS: Linux
URL: http://sourceforge.net/tracker/index.php?func=detail&aid=1612792&group_id=39518&atid=425439
Whiteboard: source=gentoo,impact=none,public=20061225,reported=20070102
Doc Type: Bug Fix
Last Closed: 2007-07-24 06:41:44 UTC
Bug Depends On: 221482

Description Lubomir Kundrak 2007-01-04 19:36:03 UTC
+++ This bug was initially created as a clone of Bug #221482 +++

Description of problem:

The inputAnswer() function, which invokes printf(), gets called with a
user-supplied argument (via the CN field of the certificate) when visiting
an HTTPS site and invoked with -dump/-backend.

I believe this is either very hard or impossible to exploit as the
attacker is remote and has virtually no control of the stack contents,
and it is unlikely that the stack contains address of value, overwriting
which could lead to arbitrary code execution. Correct me if you observe
the opposite.

Version-Release number of selected component (if applicable):

Versions shipped with FC5, FC6, RHEL5
RHEL2.1 is not vulnerable

How reproducible:

Always.

Steps to Reproduce:

See URL for detailed description.
  
Additional info:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=404564
http://bugs.gentoo.org/show_bug.cgi?id=159145
https://bugzilla.novell.com/show_bug.cgi?id=230775

-- Additional comment from lkundrak on 2007-01-04 14:32 EST --
Created an attachment (id=144833)
Upstream patch for w3m CVE-2006-6772 format string flaw
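
As an added illustration of the defect class described above (not w3m's own code and not the upstream patch): a prompt that embeds the certificate CN must reach printf() only as data, never as the format argument. Function names and prompt wording are assumed; the hostile CN is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative rendition of the -dump/-backend prompt path (not w3m's
 * code). In the vulnerable shape the CN is already inside the string
 * that is handed to printf() as its *format*:
 *
 *     printf(prompt);   // prompt contains the CN: format string bug
 *
 * Below, the message is treated purely as data at every step. */

/* Build the confirmation prompt for a CN that does not match the host.
 * Any '%' in cn is copied literally because it goes through "%s". */
static int build_prompt(const char *cn, char *out, size_t outlen)
{
    int n = snprintf(out, outlen,
                     "certificate name '%s' does not match host; continue? (y/n)",
                     cn);
    if (n < 0 || (size_t)n >= outlen)
        return -1;          /* truncated or error: refuse to prompt */
    return n;
}

/* Hardened inputAnswer(): the prompt is never used as a format string.
 * Returns 1 for a "y"/"Y" answer, 0 otherwise (EOF counts as "no"). */
static int input_answer(const char *prompt, FILE *in, FILE *out)
{
    char line[8];
    fputs(prompt, out);     /* data, not format: '%' sequences are inert */
    fputc(' ', out);
    fflush(out);
    if (fgets(line, sizeof line, in) == NULL)
        return 0;
    return line[0] == 'y' || line[0] == 'Y';
}

int main(void)
{
    char prompt[256];
    /* constructed hostile CN: printf(prompt) would interpret these */
    const char *cn = "%x%x%n%s";
    if (build_prompt(cn, prompt, sizeof prompt) < 0)
        return 1;
    return input_answer(prompt, stdin, stdout) ? 0 : 2;
}
```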

Comment 2 Parag Nemade 2007-01-15 04:41:32 UTC
Built successfully in w3m-0.5.1-15 version.