CVE-2023-38252: [BUG] Out of bound read in Strnew_size , Str.c:61 · Issue #270 · tats/w3m

An out-of-bounds read flaw was found in w3m, in the Strnew_size function in Str.c. This issue may allow an attacker to cause a denial of service through a crafted HTML file.


Hello, I found an out-of-bounds read in w3m, in function Strnew_size, Str.c:61, while testing my new fuzzer.

Steps to reproduce

export CC=gcc
export CFLAGS="-fsanitize=address -g"
./configure && make -j
./w3m -dump $POC

Dockerized reproduce steps (recommended)

docker pull debian:11 && docker run -it debian:11 bash
## now step into the container
apt update && apt install wget git unzip gcc g++ make libgc-dev libtinfo-dev -y
git clone https://github.com/tats/w3m && pushd w3m
export CC="gcc -fsanitize=address -g" && ./configure && make -j
wget https://github.com/tats/w3m/files/11905204/poc1.zip && unzip poc1.zip
./w3m -dump ./poc1

Platform

  • OS: Debian 11

    $ cat /etc/issue
    Debian GNU/Linux 11 \n \l

  • w3m latest commit 93ad5ee

    $ ./w3m -version
    w3m version w3m/0.5.3+git20230129, options lang=en,m17n,image,color,ansi-color,mouse,menu,cookie,external-uri-loader,w3mmailer,nntp,gopher,ipv6,alarm,mark

ASAN

AddressSanitizer:DEADLYSIGNAL
=================================================================
==85==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7f147749b742 bp 0x000000000080 sp 0x7ffddcd7c740 T0)
==85==The signal is caused by a READ memory access.
==85==Hint: this fault was caused by a dereference of a high value address (see register values below).  Dissassemble the provided pc to learn which register was used.
    #0 0x7f147749b742 in GC_malloc_kind_global (/usr/lib/x86_64-linux-gnu/libgc.so.1+0x19742)
    #1 0x5639c506e050 in Strnew_size /w3m/Str.c:61
    #2 0x5639c507a2fb in wc_conv_to_ces /w3m/libwc/conv.c:70
    #3 0x5639c4fbde57 in _saveBuffer /w3m/file.c:7875
    #4 0x5639c4f6cb97 in do_dump /w3m/main.c:1409
    #5 0x5639c4f65a4d in main /w3m/main.c:1115
    #6 0x7f14772a2d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
    #7 0x5639c4f69979 in _start (/w3m/w3m+0xb3979)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libgc.so.1+0x19742) in GC_malloc_kind_global
==85==ABORTING

POC

poc1.zip
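Crash triage for reports like the ASAN trace above, as an added example (not code from the issue or from the w3m project): it parses the error type, the access kind and the stack, and attributes the crash to the first frame under an assumed project root ("/w3m") rather than to the libgc frame where the fault surfaced, which is how a fuzzing pipeline would bucket this finding as Strnew_size at Str.c:61.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: the ASAN report from the issue above, trimmed to the relevant lines.
SAMPLE_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
==85==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7f147749b742 bp 0x000000000080 sp 0x7ffddcd7c740 T0)
==85==The signal is caused by a READ memory access.
    #0 0x7f147749b742 in GC_malloc_kind_global (/usr/lib/x86_64-linux-gnu/libgc.so.1+0x19742)
    #1 0x5639c506e050 in Strnew_size /w3m/Str.c:61
    #2 0x5639c507a2fb in wc_conv_to_ces /w3m/libwc/conv.c:70
    #3 0x5639c4fbde57 in _saveBuffer /w3m/file.c:7875
    #4 0x5639c4f6cb97 in do_dump /w3m/main.c:1409
    #5 0x5639c4f65a4d in main /w3m/main.c:1115
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libgc.so.1+0x19742) in GC_malloc_kind_global
==85==ABORTING
"""

ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S+)")

@dataclass
class Triage:
    error: str                                  # "SEGV", "heap-buffer-overflow", ...
    access: Optional[str]                       # "READ" / "WRITE" when ASAN states it
    frames: list = field(default_factory=list)  # (depth, function, location) per stack frame
    project_frame: Optional[tuple] = None       # first frame whose location is under project_root

    @property
    def bucket(self) -> str:
        """Dedup key: error type plus the first in-tree function and its file:line."""
        f = self.project_frame
        return f"{self.error}@{f[1]}@{f[2]}" if f else f"{self.error}@unknown"

def triage_asan(report: str, project_root: str) -> Triage:
    """Parse one ASAN report; dependency frames (libgc, libc) are kept but never become the bucket frame."""
    t = Triage(error="unknown", access=None)
    for line in report.splitlines():
        if m := ERROR_RE.match(line):
            t.error = m.group(1)
        elif m := ACCESS_RE.search(line):
            t.access = m.group(1)
        elif m := FRAME_RE.match(line):
            depth, func, loc = int(m.group(1)), m.group(2), m.group(3)
            t.frames.append((depth, func, loc))
            if t.project_frame is None and loc.startswith(project_root):
                t.project_frame = (depth, func, loc)
    return t
```

The project root is whatever prefix the sanitizer build embedded in its source paths, so it is a parameter rather than a constant.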
