Bug#820373: w3m: SEGFAULT on bogus HTML

Thu, 07 Apr 2016 12:15:33 -0700 

Package: w3m
Version: 0.5.3-19
Severity: important
Tags: security

Dear Maintainer,

Please find attached a pair of files, each of these cause w3m to
segfault when run as follows:

   cat $file | w3m -dump

The crash is a segfault, which is probably not exploitable but may
be to somebody who puts in more effort than I did!

On the face of it this is a minor/normal bug, until you consider
the case of users who run mutt and use w3m to convert HTML emails
to plaintext, that situation is common and as such I've raised the severity.

The crashes both have a similar backtrace:

(gdb) bt
#0  wc_N_to_johab1 (code=4294963072) at johab.c:163
#1  wc_cs128w_to_johab (cc=...) at johab.c:234
#2  0x0000000000715106 in wtf_parse1 (p=<optimized out>) at wtf.c:454
#3  0x0000000000716125 in wtf_parse (p=p@entry=0x7fffee1aa9f8) at wtf.c:473
#4  0x00000000006d4b8b in wc_conv_to_ces (ces=0, is=0x125b5e0) at conv.c:93
#5  wc_Str_conv (is=is@entry=0x125b5e0, f_ces=<optimized out>,
    t_ces=t_ces@entry=3178565) at conv.c:23
#6  0x00000000004ba1ea in _saveBuffer (buf=buf@entry=0x125ce00, l=0x1260f60,
    f=0x7fac731162a0 <_IO_2_1_stdout_>, cont=cont@entry=0) at file.c:7595
#7  0x00000000004ba726 in saveBuffer (buf=buf@entry=0x125ce00,
    f=<optimized out>, cont=cont@entry=0) at file.c:7613
#8  0x0000000000414ec2 in do_dump (buf=0x125ce00) at main.c:1337
#9  0x0000000000407b25 in main (argc=0, argv=0x125b980,
    envp=0x6f74a6 <wc_get_ucs_table+822>) at main.c:1043


PS. I have more samples that crash in the same area of code, I suspect that 
they will all be fixed at once as per #820162, so I'm only sharing a pair of 
files.


Steve
--


-- System Information:
Debian Release: 8.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages w3m depends on:
ii  libc6        2.19-18+deb8u4
ii  libgc1c2     1:7.2d-6.4
ii  libgpm2      1.20.4-6.1+b2
ii  libssl1.0.0  1.0.1k-3+deb8u4
ii  libtinfo5    5.9+20140913-1+b1
ii  zlib1g       1:1.2.8.dfsg-2+b1

Versions of packages w3m recommends:
ii  ca-certificates  20141019+deb8u1

Versions of packages w3m suggests:
pn  cmigemo       <none>
ii  man-db        2.7.0.2-5
ii  mime-support  3.58
pn  w3m-el        <none>
pn  w3m-img       <none>

-- no debconf information
�0����0���

Reply via email to