Red Hat Bugzilla – Bug 221484
CVE-2006-6772 w3m is vulnerable to format string attack via CN field of SSL/TLS certificate when invoked with -dump/-backend
Last modified: 2007-11-30 17:11:52 EST
+++ This bug was initially created as a clone of Bug #221482 +++
Description of problem:
The inputAnswer() function, which invokes printf(), gets called with a user-supplied
argument (via the CN field of the certificate) when visiting an HTTPS
site and invoked with -dump/-backend.
I believe this is either very hard or impossible to exploit, as the
attacker is remote and has virtually no control over the stack contents,
and it is unlikely that the stack contains an address of value, overwriting
which could lead to arbitrary code execution. Correct me if you observe
Version-Release number of selected component (if applicable):
Versions shipped with FC5, FC6, RHEL5
RHEL2.1 is not vulnerable
Steps to Reproduce:
See URL for detailed description.
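The flaw described above, as an added example that is not w3m's code and not part of this bug report: a hypothetical prompt routine in the vulnerable shape (the text that already embeds the certificate CN is itself passed as the format string, as inputAnswer() does with printf()), the hardened shape beside it (the CN only ever travels as an argument to a fixed "%s" format), and a small scanner that counts the conversion directives an untrusted string carries. Function names (count_directives, emit, prompt_unsafe, prompt_safe, cn_is_reinterpreted) and the sample CNs are constructed for the example. The unsafe path is only exercised with a CN containing "%%", which is well defined, so the demonstration stays deterministic; the "%n" sample is only counted, never rendered.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Count printf conversion directives in a string; "%%" is a literal percent
   sign and is not counted. A quick check for any untrusted text (a
   certificate CN, say) before it gets anywhere near a format argument. */
size_t count_directives(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Stand-in for the printf() call inside the real prompt routine: the first
   argument is treated as a format string, exactly like printf(msg). */
static int emit(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable shape (hypothetical, modelled on the report): the prompt text
   that already embeds the CN is itself passed as the format string. Only
   ever called here with a CN containing "%%", which is well defined; a CN
   carrying "%n" would make this write to memory. */
int prompt_unsafe(char *out, size_t outsz, const char *cn)
{
    char msg[256];
    snprintf(msg, sizeof msg, "Accept certificate for %s? (y/n)", cn);
    return emit(out, outsz, msg);          /* format string bug */
}

/* Hardened shape: the CN is only an argument to a fixed "%s" format, so any
   '%' it carries stays literal. */
int prompt_safe(char *out, size_t outsz, const char *cn)
{
    char msg[256];
    snprintf(msg, sizeof msg, "Accept certificate for %s? (y/n)", cn);
    return emit(out, outsz, "%s", msg);
}

/* Returns 1 if the two paths render cn differently, i.e. the unsafe path
   interpreted part of the CN as a directive; 0 if they agree. */
int cn_is_reinterpreted(const char *cn)
{
    char unsafe[512], safe[512];
    prompt_unsafe(unsafe, sizeof unsafe, cn);
    prompt_safe(safe, sizeof safe, cn);
    return strcmp(unsafe, safe) != 0;
}

int main(void)
{
    /* Constructed sample CNs, not taken from any real certificate. */
    const char *cns[] = { "plain.example", "100%% sure.example", "%x %x %n" };
    for (size_t i = 0; i < 3; i++) {
        size_t d = count_directives(cns[i]);
        /* Only render samples with no real directives; the "%n" sample is
           reported as -1 instead of being passed through the unsafe path. */
        int r = d ? -1 : cn_is_reinterpreted(cns[i]);
        printf("%-20s directives=%zu reinterpreted=%d\n", cns[i], d, r);
    }
    return 0;
}
```

The "100%% sure.example" sample comes out as "100% sure.example" on the unsafe path and unchanged on the safe path, which is the observable trace of the bug without triggering undefined behaviour; the scanner flags "%x %x %n" as three directives, which is the input class the report is concerned with.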
-- Additional comment from email@example.com on 2007-01-04 14:32 EST --
Created an attachment (id=144833)
Upstream patch for w3m CVE-2006-6772 format string flaw
Built successfully in version w3m-0.5.1-15.