Bug 2255207 (CVE-2023-4255) - CVE-2023-4255 w3m: out-of-bounds write in function checkType() in etc.c (incomplete fix for CVE-2022-38223)
Summary: CVE-2023-4255 w3m: out-of-bounds write in function checkType() in etc.c (inco...
Keywords:
Status: NEW
Alias: CVE-2023-4255
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2255208 2255209
Blocks: 2224664
TreeView+ depends on / blocked
 
Reported: 2023-12-19 10:31 UTC by TEJ RATHI
Modified: 2023-12-22 10:26 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds write issue has been discovered in the backspace handling of the checkType() function in etc.c within the W3M application. This vulnerability is triggered by supplying a specially crafted HTML file to the w3m binary. Exploitation of this flaw could lead to application crashes, resulting in a denial of service condition.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description TEJ RATHI 2023-12-19 10:31:11 UTC
w3m has an out-of-bounds write in function checkType() in etc.c. It allows a local attacker to cause Denial of Service or possibly have unspecified other impact via a crafted HTML file. NOTE: It was introduced in the fix of CVE-2022-38223.

Affects: w3m 0.5.3+git20230129, 0.5.3+git20230121-1, 0.5.3+git20230121-2
Not Affected version: < 0.5.3+git20220429-1

https://github.com/tats/w3m/issues/268
https://github.com/tats/w3m/pull/273

Comment 1 TEJ RATHI 2023-12-19 10:31:45 UTC
Created w3m tracking bugs for this issue:

Affects: epel-all [bug 2255209]
Affects: fedora-all [bug 2255208]

Comment 3 Rene Kita 2023-12-22 10:26:37 UTC
What's the relevance of the upstream commit here?

Is this about https://github.com/tats/w3m/issues/282 which is addressed in https://github.com/tats/w3m/pull/285 ?


Note You need to log in before you can comment on or make changes to this bug.