Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2074 to
the following vulnerability:
Reference: MLIST:[oss-security] 20100614 CVE Request: w3m does not check null bytes CN/subjAltName
Reference: URL: http://www.openwall.com/lists/oss-security/2010/06/14/4
Reference: URL: http://www.securityfocus.com/bid/40837
Reference: URL: http://secunia.com/advisories/40134
Reference: URL: http://www.vupen.com/english/advisories/2010/1467
istream.c in w3m 0.5.2 and possibly other versions, when
ssl_verify_server is enabled, does not properly handle a '\0'
character in a domain name in the (1) subject's Common Name or (2)
Subject Alternative Name field of an X.509 certificate, which allows
man-in-the-middle attackers to spoof arbitrary SSL servers via a
crafted certificate issued by a legitimate Certification Authority, a
related issue to CVE-2009-2408.
As noted by Ludwig Nussel of the SUSE security team, w3m does not, by default, verify certificates, however the /etc/w3m/config configuration as supplied by Red Hat Enterprise Linux 5 and Fedora, do have "ssl_verify_server 1" set, so w3m is doing certificate verification by default.
Created attachment 424590 [details]
check for null bytes in CN/subjAltName
Patch provided by Ludwig Nussel from the SUSE security team.
Created attachment 424591 [details]
patch to force ssl_verify_server on and disable SSLv2 support
Patch provided by Ludwig Nussel from the SUSE security team. We don't necessarily need this to enable SSL verification as we do that already, however this patch also disables the use of SSLv2 which we may want.
Created w3m tracking bugs for this issue
Affects: fedora-all [bug 604864]
w3m-0.5.2-18.fc13 has been submitted as an update for Fedora 13.
w3m-0.5.2-17.fc12 has been submitted as an update for Fedora 12.
w3m-0.5.2-18.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
w3m-0.5.2-17.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Via RHSA-2010:0565 https://rhn.redhat.com/errata/RHSA-2010-0565.html
Closing this as this is fixed in all needed product versions