+++ This bug was initially created as a clone of Bug #221482 +++

Description of problem:
inputAnswer() function that invokes printf() gets called with user supplied argument (via CN field of the certificate) when visiting HTTPS site and invoked with -dump/-backend.

I believe this is either very hard or impossible to exploit as the attacker is remote and has virtually no control of the stack contents, and it is unlikely that the stack contains an address of a value, overwriting which could lead to arbitrary code execution. Correct me if you observe the opposite.

Version-Release number of selected component (if applicable):
Versions shipped with FC5, FC6, RHEL5
RHEL2.1 is not vulnerable

How reproducible:
Always.

Steps to Reproduce:
See URL for detailed description.

Additional info:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=404564
http://bugs.gentoo.org/show_bug.cgi?id=159145
https://bugzilla.novell.com/show_bug.cgi?id=230775

-- Additional comment from lkundrak on 2007-01-04 14:32 EST --

Created an attachment (id=144833)
Upstream patch for w3m CVE-2006-6772 format string flaw
Built successfully in w3m-0.5.1-15 version.
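The following is an added illustration of the bug class described in this report, not code from w3m or from the attached upstream patch: a string derived from a certificate CN is passed to printf() as the format argument, next to the constant-format fix. Function names (prompt_vulnerable, prompt_fixed, count_conversions), the "prompt" framing and the two sample CNs are all constructed for the example. The vulnerable path is only ever exercised with a CN containing "%%", which consumes no argument and so keeps the demonstration defined; the "%x"/"%n" sample is shown only through the fixed path and the conversion counter.

```c
/*
 * Added example (not w3m's code): the CVE-2006-6772 bug class, where text taken
 * from a certificate's CN becomes the *format* argument of printf(), beside the
 * fix of passing it through a constant "%s" format. All names are hypothetical.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample CNs an attacker could place in a self-signed certificate. */
#define CN_HARMLESS  "50%% off.example.com"     /* only "%%": defined behaviour, but output changes */
#define CN_MALICIOUS "%x.%x.%x.%n.example.com"  /* %x reads stack words, %n writes to memory   */

/* Vulnerable pattern: untrusted text is the format string (printf(msg) in the report).
 * Routed through vsnprintf so the result is captured in a buffer. No arguments are
 * supplied, so every conversion except "%%" would read or write memory it does not own. */
static int vprompt(char *out, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}
int prompt_vulnerable(char *out, size_t n, const char *cn) {
    return vprompt(out, n, cn);
}

/* Fixed pattern: constant format, untrusted data passed as the "%s" argument, so a
 * '%' inside the CN is just a byte to copy. */
int prompt_fixed(char *out, size_t n, const char *cn) {
    return snprintf(out, n, "%s", cn);
}

/* Count the conversions printf() would act on if `s` were used as a format string.
 * "%%" is a literal percent and is skipped. Handy when triaging whether a given CN
 * could have passed through the vulnerable call without side effects. */
int count_conversions(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%": literal, not a conversion */
        n++;
    }
    return n;
}

int main(void) {
    char buf[128];

    /* Only the harmless CN goes through the vulnerable path: "%%" needs no argument. */
    prompt_vulnerable(buf, sizeof buf, CN_HARMLESS);
    printf("vulnerable: %s\n", buf);   /* "50% off.example.com": the "%%" was interpreted */

    prompt_fixed(buf, sizeof buf, CN_HARMLESS);
    printf("fixed:      %s\n", buf);   /* "50%% off.example.com": bytes passed through */

    prompt_fixed(buf, sizeof buf, CN_MALICIOUS);
    printf("fixed:      %s (%d conversions, none interpreted)\n",
           buf, count_conversions(CN_MALICIOUS));
    return 0;
}
```

The "%%" case is the smallest observable symptom of the flaw: the same input renders differently depending on whether it is treated as data or as a format. With CN_MALICIOUS on the vulnerable path, each "%x" would print a stack word and "%n" would store the byte count through whatever pointer happens to sit in that argument slot, which is the write the reporter above judges hard to turn into code execution from a remote position.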