w3m: CVE-2018-6198: insecure temporary files creation when ~/.w3m is unwritable

Related Vulnerabilities: CVE-2018-6198   CVE-2018-6196   CVE-2018-6197  

Debian Bug report logs - #888097

Package: w3m; Maintainer for w3m is Tatsuya Kinoshita <tats@debian.org>; Source for w3m is src:w3m.

Reported by: Tatsuya Kinoshita <tats@debian.org>

Date: Tue, 23 Jan 2018 10:18:02 UTC

Severity: important

Tags: patch, security, upstream

Found in version w3m/0.5.3-34

Fixed in versions w3m/0.5.3-36, w3m/0.5.3-34+deb9u1

Done: Tatsuya Kinoshita <tats@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#888097; Package w3m. (Tue, 23 Jan 2018 10:18:04 GMT)


Acknowledgement sent to Tatsuya Kinoshita <tats@debian.org>:
New Bug report received and forwarded. (Tue, 23 Jan 2018 10:18:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Tatsuya Kinoshita <tats@debian.org>
To: submit@bugs.debian.org
Subject: w3m: insecure temporary files creation when ~/.w3m is unwritable
Date: Tue, 23 Jan 2018 19:13:34 +0900 (JST)
[Message part 1 (text/plain, inline)]
Package: w3m
Version: 0.5.3-34
Severity: important
Tags: patch security upstream pending

Only when ~/.w3m is unwritable, w3m uses /tmp in an insecure fashion,
which allows a local attacker to craft a symlink attack to overwrite
arbitrary files.

Patch is available:

  - https://salsa.debian.org/debian/w3m/commit/18dcbadf2771cdb0c18509b14e4e73505b242753

Will be fixed in the next upload.

Thanks,
--
Tatsuya Kinoshita
[Message part 2 (application/pgp-signature, inline)]
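
The report above describes predictable use of /tmp that a symlink can redirect, and the stretch changelog names the fix 957_mkdtemp.patch. The following is an added illustration of that defensive pattern, not code from the report or from the w3m patch; the function names, the `tmpdemo-` prefix and the file names are hypothetical, and the symlink is constructed inside the example's own directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a fresh directory under base. mkdtemp() picks an unpredictable
 * name, creates it with mode 0700, and fails rather than reuse an entry. */
int make_private_tmpdir(const char *base, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/tmpdemo-XXXXXX", base);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return mkdtemp(out) ? 0 : -1;
}

/* Create dir/name as a new 0600 file. O_EXCL makes open() fail if the
 * name already exists, symlinks included; O_NOFOLLOW is a second guard. */
int create_tmpfile(const char *dir, const char *name)
{
    char path[512];
    int n = snprintf(path, sizeof path, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Returns 0 when the directory is private and a pre-existing symlink
 * (constructed here, dangling target) is refused instead of followed. */
int selfcheck(void)
{
    char dir[256], planted[512], fresh[512];
    struct stat st;
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    int fd, rc = 0;

    if (make_private_tmpdir(base, dir, sizeof dir) != 0) return 1;
    snprintf(planted, sizeof planted, "%s/planted", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh", dir);
    if (stat(dir, &st) != 0 || (st.st_mode & 0777) != 0700) rc = 2;
    else if (symlink("/nonexistent/target", planted) != 0) rc = 3;
    else if ((fd = create_tmpfile(dir, "planted")) != -1) { close(fd); rc = 4; }
    else if ((fd = create_tmpfile(dir, "fresh")) == -1) rc = 5;
    else close(fd);
    unlink(planted); unlink(fresh); rmdir(dir);
    return rc;
}

int main(void) { return selfcheck(); }
```
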

Information forwarded to debian-bugs-dist@lists.debian.org, Tatsuya Kinoshita <tats@debian.org>:
Bug#888097; Package w3m. (Thu, 25 Jan 2018 05:30:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Tatsuya Kinoshita <tats@debian.org>. (Thu, 25 Jan 2018 05:30:03 GMT)


Message #10 received at 888097@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Tatsuya Kinoshita <tats@debian.org>, 888097@bugs.debian.org
Subject: Re: Bug#888097: w3m: insecure temporary files creation when ~/.w3m is unwritable
Date: Thu, 25 Jan 2018 06:27:58 +0100
Control: retitle -1 w3m: CVE-2018-6198: nsecure temporary files creation when ~/.w3m is unwritable

Hi

On Tue, Jan 23, 2018 at 07:13:34PM +0900, Tatsuya Kinoshita wrote:
> Package: w3m
> Version: 0.5.3-34
> Severity: important
> Tags: patch security upstream pending
> 
> Only when ~/.w3m is unwritable, w3m uses /tmp in an insecure fashion,
> which allows a local attacker to craft a symlink attack to overwrite
> arbitrary files.
> 
> Patch is available:
> 
>   - https://salsa.debian.org/debian/w3m/commit/18dcbadf2771cdb0c18509b14e4e73505b242753
> 
> Will be fixed in the next upload.

This issue has been assigned CVE-2018-6198.

Regards,
Salvatore



Changed Bug title to 'w3m: CVE-2018-6198: nsecure temporary files creation when ~/.w3m is unwritable' from 'w3m: insecure temporary files creation when ~/.w3m is unwritable'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 888097-submit@bugs.debian.org. (Thu, 25 Jan 2018 05:30:03 GMT)


Changed Bug title to 'w3m: CVE-2018-6198: insecure temporary files creation when ~/.w3m is unwritable' from 'w3m: CVE-2018-6198: nsecure temporary files creation when ~/.w3m is unwritable'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 25 Jan 2018 05:39:03 GMT)


Reply sent to Tatsuya Kinoshita <tats@debian.org>:
You have taken responsibility. (Thu, 25 Jan 2018 11:33:15 GMT)


Notification sent to Tatsuya Kinoshita <tats@debian.org>:
Bug acknowledged by developer. (Thu, 25 Jan 2018 11:33:15 GMT)


Message #19 received at 888097-close@bugs.debian.org:

From: Tatsuya Kinoshita <tats@debian.org>
To: 888097-close@bugs.debian.org
Subject: Bug#888097: fixed in w3m 0.5.3-36
Date: Thu, 25 Jan 2018 11:29:17 +0000
Source: w3m
Source-Version: 0.5.3-36

We believe that the bug you reported is fixed in the latest version of
w3m, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888097@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tatsuya Kinoshita <tats@debian.org> (supplier of updated w3m package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 25 Jan 2018 18:53:30 +0900
Source: w3m
Binary: w3m w3m-img
Architecture: source amd64
Version: 0.5.3-36
Distribution: unstable
Urgency: medium
Maintainer: Tatsuya Kinoshita <tats@debian.org>
Changed-By: Tatsuya Kinoshita <tats@debian.org>
Description:
 w3m        - WWW browsable pager with excellent tables/frames support
 w3m-img    - inline image extension support utilities for w3m
Closes: 871425 874218 878106 888097
Changes:
 w3m (0.5.3-36) unstable; urgency=medium
 .
   * Update 020_debian.patch to v0.5.3+git20180125.
      - Fix stack overflow with malformed text [CVE-2018-6196]
      - Fix null deref with malformed text [CVE-2018-6197]
      - Fix /tmp file races only when ~/.w3m is unwritable [CVE-2018-6198]
        (closes: #888097)
      - Suppress error messages when ~/.w3m is unwritable (closes: #871425)
      - Extend ssl_forbid_method to disable TLSv1.1 (closes: #874218)
      - Typo fix in --help message (closes: #878106)
   * Drop 030_fix_spelling_error.patch (merged in 020_debian.patch)
   * Don't use deprecated autotools-dev tools
   * Migrate from anonscm.debian.org to salsa.debian.org
   * Update debian/copyright
   * Update Standards-Version to 4.1.3




Reply sent to Tatsuya Kinoshita <tats@debian.org>:
You have taken responsibility. (Sun, 25 Feb 2018 15:06:30 GMT)


Notification sent to Tatsuya Kinoshita <tats@debian.org>:
Bug acknowledged by developer. (Sun, 25 Feb 2018 15:06:30 GMT)


Message #24 received at 888097-close@bugs.debian.org:

From: Tatsuya Kinoshita <tats@debian.org>
To: 888097-close@bugs.debian.org
Subject: Bug#888097: fixed in w3m 0.5.3-34+deb9u1
Date: Sun, 25 Feb 2018 15:02:20 +0000
Source: w3m
Source-Version: 0.5.3-34+deb9u1

We believe that the bug you reported is fixed in the latest version of
w3m, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888097@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tatsuya Kinoshita <tats@debian.org> (supplier of updated w3m package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 26 Jan 2018 18:50:05 +0900
Source: w3m
Binary: w3m w3m-img
Architecture: source amd64
Version: 0.5.3-34+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Tatsuya Kinoshita <tats@debian.org>
Changed-By: Tatsuya Kinoshita <tats@debian.org>
Description:
 w3m        - WWW browsable pager with excellent tables/frames support
 w3m-img    - inline image extension support utilities for w3m
Closes: 888097
Changes:
 w3m (0.5.3-34+deb9u1) stretch; urgency=medium
 .
   * New patch 955_tbl-indent.patch to fix stack overflow [CVE-2018-6196]
   * New patch 956_columnpos.patch to fix null deref [CVE-2018-6197]
   * New patch 957_mkdtemp.patch to fix /tmp file races [CVE-2018-6198]
     (closes: #888097)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 05 Jun 2018 07:33:41 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:48:13 2019; Machine Name: buxtehude
