FS#22346 - [w3m] does not properly handle a '\0' character
Attached to Project:
Arch Linux
Opened by Greg (dolby) - Friday, 07 January 2011, 09:40 GMT
Last edited by Gaetan Bisson (vesath) - Saturday, 15 January 2011, 11:53 GMT
Opened by Greg (dolby) - Friday, 07 January 2011, 09:40 GMT
Last edited by Gaetan Bisson (vesath) - Saturday, 15 January 2011, 11:53 GMT
|
Details
w3m doesn't verify certificates by default
('ssl_verify_server' is off by default). Theres two patches
in [1] that turn on 'ssl_verify_server' and fix the null
handling.
This has been fixed in the upstream CVS [2] CVE report just for reference [3] [1]: http://www.openwall.com/lists/oss-security/2010/06/14/4 [2]: http://w3m.cvs.sourceforge.net/viewvc/w3m/w3m/ChangeLog?revision=1.1049&view=markup (loads the whole ChangeLog) [3]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408 |
This task depends upon
Closed by Gaetan Bisson (vesath)
Saturday, 15 January 2011, 11:53 GMT
Reason for closing: Fixed
Additional comments about closing: upstream has answered our prayers: 0.5.3-1 is in [extra].
Saturday, 15 January 2011, 11:53 GMT
Reason for closing: Fixed
Additional comments about closing: upstream has answered our prayers: 0.5.3-1 is in [extra].
I have posted to their ML asking if they have future release plans; if they don't, I could be tempted to just package the CVS version...
My main concern is patching for the security issue.
The patch for istream.c in http://www.openwall.com/lists/oss-security/2010/06/14/4 does that.
But rather than fixing just this specific issue by adding a patch, I would prefer to fix all issues that have been fixed in the CVS since May 2007 by upgrading w3m to a new release or the CVS head. Of course, if I don't do that in the near future, I will add the patch...
Its annoying not having any especially the MANUAL.html and *definitely* the keymap.* and the menu.* ones.
Those things arent available online, you have to dig into the source to find em. Thanks.
It uses a CVS snapshot and includes the doc.