Package: w3m
Version: 0.5.3-19
Severity: important
Tags: security

Dear Maintainer,

Please find attached a tarball which contains two files, a generated
one, and one which has been reduced to the smallest possible test-case.
Each of those files causes w3m to segfault when run as follows:

   cat $file | w3m -dump

The crash is a segfault, which is probably not exploitable but may
be to somebody who puts in more effort than I did!

On the face of it this is a minor/normal bug, until you consider
the case of users who run mutt and use w3m to convert HTML emails
to plaintext; that situation is common, and as such I've raised the severity.

The crash is in some horrible code which is converting the file
to UTF-8, as the following backtrace shows:

(gdb) bt
#0  wc_any_to_ucs (cc=...) at ucs.c:274
#1  0x000000000070d73a in wc_push_to_utf8 (os=os@entry=0xed8940, cc=...,
    st=st@entry=0x7fff11c174c0) at utf8.c:276
#2  0x00000000006d4b9b in wc_conv_to_ces (ces=0, is=0xed8960) at conv.c:93
#3  wc_Str_conv (is=is@entry=0xed8960, f_ces=<optimized out>,
    t_ces=t_ces@entry=3178565) at conv.c:23
#4  0x00000000004ba1ea in _saveBuffer (buf=buf@entry=0xed9e00, l=0xeddf60,
    f=0x7efc1c5ce2a0 <_IO_2_1_stdout_>, cont=cont@entry=0) at file.c:7595
#5  0x00000000004ba726 in saveBuffer (buf=buf@entry=0xed9e00,
    f=<optimized out>, cont=cont@entry=0) at file.c:7613
#6  0x0000000000414ec2 in do_dump (buf=0xed9e00) at main.c:1337
#7  0x0000000000407b25 in main (argc=-1, argv=0xed8a00, envp=0x8800)
    at main.c:1043


Mitigating factors?  Interestingly, the following does NOT crash:

   w3m -dump $file

Steve
--
https://www.steve.org.uk/


-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages w3m depends on:
ii  libc6        2.19-18+deb8u3
ii  libgc1c2     1:7.2d-6.4
ii  libgpm2      1.20.4-6.1+b2
ii  libssl1.0.0  1.0.1k-3+deb8u4
ii  libtinfo5    5.9+20140913-1+b1
ii  zlib1g       1:1.2.8.dfsg-2+b1

Versions of packages w3m recommends:
ii  ca-certificates  20141019+deb8u1

Versions of packages w3m suggests:
pn  cmigemo       <none>
ii  man-db        2.7.0.2-5
ii  mime-support  3.58
pn  w3m-el        <none>
pn  w3m-img       <none>

-- no debconf information

Attachment: crash.tar.gz
Description: application/gzip

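A small triage harness for reports of this kind, added here as an example and not part of the bug report or of w3m itself: for each reduced test case it runs both invocations the report compares, `cat $file | w3m -dump` and `w3m -dump $file`, and records which one dies from a signal (a shell reports a signal death as exit status 128+signo, so a segfault appears as 139). The W3M override variable is an assumption so the harness can be exercised with a stand-in binary.

```shell
#!/bin/sh
# Triage harness for reports like this one (added example, not part of the
# bug report or of w3m). For each test case it runs w3m -dump both ways the
# report compares, from stdin and from a file argument, and records whether
# the process died from a signal: shells report a signal death as exit
# status 128+signo, so SIGSEGV (signal 11) appears as 139.
# W3M is an assumed override so the harness can be exercised without w3m.
W3M="${W3M:-w3m}"

# signal_of STATUS: prints the signal number behind an exit status, or 0
# when the process exited normally.
signal_of() {
    if [ "$1" -gt 128 ]; then echo $(( $1 - 128 )); else echo 0; fi
}

# w3m_signal MODE FILE: runs w3m -dump on FILE through a pipe (MODE=stdin)
# or as an argument (MODE=file) and prints the signal that killed it, or 0.
# The if/else keeps a crash from tripping set -e in a caller.
w3m_signal() {
    if [ "$1" = stdin ]; then
        # a pipeline's status is that of its last command, i.e. w3m
        if cat "$2" | "$W3M" -dump >/dev/null 2>&1; then st=0; else st=$?; fi
    else
        if "$W3M" -dump "$2" >/dev/null 2>&1; then st=0; else st=$?; fi
    fi
    signal_of "$st"
}

# label SIGNO: human-readable result for one invocation
label() {
    if [ "$1" -eq 0 ]; then echo ok; else echo "CRASH(sig$1)"; fi
}

# triage FILE...: one tab-separated line per test case with the stdin and
# file-argument results side by side, so a whole directory of reduced
# test cases can be checked against the report's two invocations at once.
triage() {
    for f in "$@"; do
        printf '%s\tstdin:%s\tfile-arg:%s\n' "$f" \
            "$(label "$(w3m_signal stdin "$f")")" \
            "$(label "$(w3m_signal file "$f")")"
    done
}

if [ $# -gt 0 ]; then triage "$@"; fi
```

Run it as `sh triage.sh crash/*` against the extracted tarball; a test case that only crashes through the pipe shows `stdin:CRASH(sig11)` next to `file-arg:ok`, matching the report's observation.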