Your message dated Fri, 03 Jan 2025 07:51:46 +0000
with message-id <e1ttctc-002oko...@fasolo.debian.org>
and subject line Bug#1059265: fixed in w3m 0.5.3+git20230121-2.1
has caused the Debian Bug report #1059265,
regarding w3m: CVE-2023-4255
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1059265: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059265
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: w3m
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for w3m.
CVE-2023-4255[0]:
| An out-of-bounds write issue has been discovered in the backspace
| handling of the checkType() function in etc.c within the W3M
| application. This vulnerability is triggered by supplying a
| specially crafted HTML file to the w3m binary. Exploitation of this
| flaw could lead to application crashes, resulting in a denial of
| service condition.
https://github.com/tats/w3m/commit/edc602651c506aeeb60544b55534dd1722a340d3
https://github.com/tats/w3m/issues/268
https://github.com/tats/w3m/pull/273
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-4255
https://www.cve.org/CVERecord?id=CVE-2023-4255
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: w3m
Source-Version: 0.5.3+git20230121-2.1
Done: Niels Thykier <ni...@thykier.net>
We believe that the bug you reported is fixed in the latest version of
w3m, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1059...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Niels Thykier <ni...@thykier.net> (supplier of updated w3m package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 03 Jan 2025 07:36:38 +0000
Source: w3m
Architecture: source
Version: 0.5.3+git20230121-2.1
Distribution: unstable
Urgency: medium
Maintainer: Tatsuya Kinoshita <t...@debian.org>
Changed-By: Niels Thykier <ni...@thykier.net>
Closes: 1059265
Changes:
w3m (0.5.3+git20230121-2.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Cherry-pick patch from upstream to fix a security bug.
(Closes: #1059265, CVE-2023-4255)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---