Control: tags 1059265 + patch
Dear maintainer, I've prepared an NMU for w3m (versioned as 0.5.3+git20230121-2.1). The diff is attached to this message. Regards.diff -Nru w3m-0.5.3+git20230121/debian/changelog w3m-0.5.3+git20230121/debian/changelog --- w3m-0.5.3+git20230121/debian/changelog 2023-01-29 12:03:49.000000000 +0000 +++ w3m-0.5.3+git20230121/debian/changelog 2025-01-03 07:36:38.000000000 +0000
@@ -1,3 +1,11 @@ +w3m (0.5.3+git20230121-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * Cherry-pick patch from upstream to fix a security bug. + (Closes: #1059265, CVE-2023-4255) + + -- Niels Thykier <ni...@thykier.net> Fri, 03 Jan 2025 07:36:38 +0000 + w3m (0.5.3+git20230121-2) unstable; urgency=medium * Update German message catalogue (closes: #1029933)diff -Nru w3m-0.5.3+git20230121/debian/patches/0002-CVE-2023-4255.patch w3m-0.5.3+git20230121/debian/patches/0002-CVE-2023-4255.patch --- w3m-0.5.3+git20230121/debian/patches/0002-CVE-2023-4255.patch 1970-01-01 00:00:00.000000000 +0000 +++ w3m-0.5.3+git20230121/debian/patches/0002-CVE-2023-4255.patch 2025-01-03 07:33:54.000000000 +0000
@@ -0,0 +1,55 @@ +From edc602651c506aeeb60544b55534dd1722a340d3 Mon Sep 17 00:00:00 2001 +From: Rene Kita <m...@rkta.de> +Date: Thu, 13 Jul 2023 07:50:26 +0200 +Subject: [PATCH] Fix OOB access due to multiple backspaces + +Commit 419ca82d57 (Fix m17n backspace handling causes out-of-bounds +write in checkType) introduced an incomplete fix. + +In function checkType we store the length of the previous multi-char +character in a buffer plens_buffer with pointer plens pointing to the +current position inside the buffer. When encountering a backspace plens +is set to the previous position without a bounds check. This will lead +to plens being out of bounds if we get more backspaces than we have +processed multi-char characters before. + +If we are at the beginning of the buffer do not decrement and set plen +(the current length) to 0. + +This also fixes GH Issue #270 [BUG] Out of bound read in Strnew_size , +Str.c:61 + +If the above explanation does sound weird it's because I didn't fully +grok that function. :-) +--- + etc.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/etc.c b/etc.c +index 128717b18..b56615136 100644 +--- a/etc.c ++++ b/etc.c +@@ -393,7 +393,10 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor) + if (color) + color -= plen; + #endif +- plen = *(--plens); ++ if (plens == plens_buffer) ++ plen = 0; ++ else ++ plen = *(--plens); + str += 2; + } + } +@@ -419,7 +422,10 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor) + if (color) + color -= plen; + #endif +- plen = *(--plens); ++ if (plens == plens_buffer) ++ plen = 0; ++ else ++ plen = *(--plens); + str++; + } + #elsediff -Nru w3m-0.5.3+git20230121/debian/patches/series w3m-0.5.3+git20230121/debian/patches/series --- w3m-0.5.3+git20230121/debian/patches/series 2023-01-29 11:46:01.000000000 +0000 +++ w3m-0.5.3+git20230121/debian/patches/series 2025-01-03 07:34:05.000000000 +0000
@@ -1 +1,2 @@ 0001-Update-German-message-catalogue.patch +0002-CVE-2023-4255.patch
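Review bot: in both etc.c hunks (at @@ -393 and @@ -419) the new `plens == plens_buffer` guard sits after `color -= plen`, so the colour pointer has already been moved back by the current plen before the underflow case is detected. Please confirm that the pointer adjustments ahead of the guard cannot themselves step before the start of their buffers when more backspaces arrive than characters were processed, or move the check ahead of them. The same four lines are added twice, so a small helper would keep the two branches from diverging. Since the commit message says the earlier fix in 419ca82d57 was incomplete, a regression input with more backspaces than preceding multi-char characters would be worth adding with this change.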
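Review bot: the debian/changelog entry says only "Cherry-pick patch from upstream to fix a security bug" and names neither the patch file nor the upstream commit. Naming debian/patches/0002-CVE-2023-4255.patch and edc602651c506aeeb60544b55534dd1722a340d3 there would make the upload easier to audit. The patch header carries From, Date and Subject but no Origin or Bug-Debian field, which DEP-3 uses to tie a patch to its upstream source and to #1059265.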