Closed iskindar closed 1 year ago
Affected version:
Not Affected version: < 0.5.3+git20220429-1
On Thu, Jun 29, 2023 at 04:40:34AM -0700, Zhijie Zhang wrote:
Hello, I found an out-of-bound write in w3m, [Snip] ==85==The signal is caused by a READ memory access.
Is it read or write?
Cannot reproduce.
Is it read or write?
It is read. My fault.
Cannot reproduce.
Have you tried the dockerized reproduction steps? I tried it just now, and it worked.
I reduced the input file, which is poc1_trim.zip. Maybe you can try it again? If you reproduce it successfully, you may see output similar to the one below.
Please tell me if it's still not available.
I tried to reproduce it on Debian stable but also failed. It seems this bug only occurs on some specific OS systems with this PoC.
On Mon, Jul 10, 2023 at 05:16:28AM -0700, Zhijie Zhang wrote:
I tried to reproduce it on Debian stable but failed. It seems this bug only occurs on some specific OS systems.
Then why does your initial report say that the OS is Debian 11? Please provide correct info about the test environment.
Sorry for not making it clear before.
I can reproduce it on Debian 11 with the following command.
docker pull debian:11 && docker run -it debian:11 bash
## now step into the container
...
./w3m -dump ./poc1
Since you said that your Debian version is Debian stable in other issues, I tried to reproduce it on Debian stable with the following command just now but failed.
docker pull debian:stable && docker run -it debian:stable bash
## now step into the container
...
./w3m -dump ./poc1
Actually, the Debian stable in docker images is Debian 12.
$ cat /etc/issue
Debian GNU/Linux 12 \n \l
So the bug is reproducible on Debian 11 but not reproducible on Debian stable (12). My test environment is Debian 11, as the initial report said.
JFTR, I can reproduce it using docker with images debian:11 and debian:12.
I cannot reproduce it on my VPS with Debian 11 nor with Debian 12, and also not on a laptop running Devuan GNU/Linux 4, which is a Debian 11 without systemd.
Assigned CVE-2023-38252 for this issue. If you wish to dispute please open a ticket here: https://access.redhat.com/security/team/contact
On Thu, Jul 13, 2023 at 09:31:40AM -0700, Pedro Sampaio wrote:
Assigned CVE-2023-38252 for this issue. If you wish to dispute please open a ticket here: https://access.redhat.com/security/team/contact
This is a READ violation, not write as the CVE states.
Fixed, thanks.
Prevented with https://github.com/tats/w3m/pull/273
Hello, I found an out-of-bound read in w3m, function Strnew_size, Str.c:61, while testing my new fuzzer.
Steps to reproduce
Dockerized reproduce steps (recommended)
Platform
ASAN
POC
poc1.zip