Bug 221484 - (CVE-2006-6772) CVE-2006-6772 w3m is vulnerable to format string attack via CN field of SSL/TLS certificate when infoked with -dump/-backend
CVE-2006-6772 w3m is vulnerable to format string attack via CN field of SSL/T...
Product: Fedora
Classification: Fedora
Component: w3m (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Parag Nemade
: Security
Depends On: 221482
  Show dependency treegraph
Reported: 2007-01-04 14:36 EST by Lubomir Kundrak
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-07-24 02:41:44 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Lubomir Kundrak 2007-01-04 14:36:03 EST
+++ This bug was initially created as a clone of Bug #221482 +++

Description of problem:

inputAnswer() function that invokes printf() gets called with user
supplied argument (via CN field of the certificate) when visiting HTTPS
site and infoked with -dump/-backend.

I believe this is either very hard or impossible to exploit as the
attacker is remote and has virtually no control of the stack contents,
and it is unlikely that the stack contains address of value, overwriting
which could lead to arbitrary code execution. Correct me if you observe
the opposite.

Version-Release number of selected component (if applicable):

Versions shipped with FC5, FC6, RHEL5
RHEL2.1 is not vulnerable

How reproducible:


Steps to Reproduce:

See URL for detailed description.
Additional info:


-- Additional comment from lkundrak@redhat.com on 2007-01-04 14:32 EST --
Created an attachment (id=144833)
Upstram patch for w3m CVE-2006-6772 format string flaw
Comment 2 Parag Nemade 2007-01-14 23:41:32 EST
Built successfully in w3m-0.5.1-15 version.

Note You need to log in before you can comment on or make changes to this bug.