(Debian Issues Fix) w3m Text-based Web Browser May Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1002572 |
|
SecurityTracker URL: http://securitytracker.com/id/1002572
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Updated: Oct 19 2001
|
Original Entry Date: Oct 18 2001
|
Impact:
Execution of arbitrary code via network, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): w3m 0.2.1
|
Description:
Secure Net Service reported a vulnerability in the w3m text-based web browser that allows a remote web site to cause arbitrary code to be executed by the web browser.
The vulnerability is reportedly due to a buffer overflow in the processing of MIME headers. If a remote web site returns a malformed MIME header containing executable instructions to the w3m user, the malformed header could cause the code to be executed by the w3m browser with the privileges of the w3m user.
The vulnerability can reportedly be triggered by a MIME encoded header in base 64 format with more than 34 characters, such as the following header:
MIME header:
=?AAAAAAAAAAAAAA(50 'A' characters in the header)AAAAAAAA?=
A listing of the resulting memory dump and register contents is provided in the Source Message.
|
Impact:
A remote web site could return a malformed MIME header containing code that will be executed by the w3m browser with the privileges of the w3m user.
|
Solution:
The vendor has released a fix. See the Source Message for the vendor's advisory containing directions on how to obtain the appropriate fix. Note that Debian released a follow-on message to indicate that there they cannot provide a fixed version for the powerpc architecture (the Source Message indicates otherwise). In the addendum, they note that for the powerpc architecture there is only a very old version of w3m available and Debian recommends that you don't use w3m on the powerpc distribution.
|
Vendor URL: ei5nazha.yz.yamagata-u.ac.jp/~aito/w3m/eng/index.html (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
Linux (Debian)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Thu, 18 Oct 2001 15:23:09 +0200
Subject: [SECURITY] [DSA 081-1] New w3m packages fix buffer overflow
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA 081-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
October 18th, 2001
- --------------------------------------------------------------------------
Packages : w3m, w3m-ssl
Vulnerability : Buffer Overflow
Problem-Type : remote code execution
Debian-specific: no
In SNS Advisory No. 32 a buffer overflow vulnerability has been
reported in the routine which parses MIME headers that are returned
from web servers. A malicious web server administrator could exploit
this and let the client web browser execute arbitrary code.
W3m handles MIME headers included in the request/response message of
HTTP communication like any other we bbrowser. A buffer overflow will
be occur when w3m receives a MIME encoded header with base64 format.
This problem has been fixed by the maintainer in version
0.1.10+0.1.11pre+kokb23-4 of w3m and w3m-ssl (for the SSL-enabled
version), both for Debian GNU/Linux 2.2.
We recommend that you upgrade your w3m packages immediately.
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 2.2 alias potato
- ------------------------------------
Source archives:
http://security.debian.org/dists/stable/updates/main/source/w3m_0.1.10+0.1.11pre+kokb23-4.diff.gz
MD5 checksum: 94e868f1fa21be50a56d40007a21acc6
http://security.debian.org/dists/stable/updates/main/source/w3m_0.1.10+0.1.11pre+kokb23.orig.tar.gz
MD5 checksum: 8f4503bbc966761d806d770fe1632450
http://security.debian.org/dists/stable/updates/main/source/w3m_0.1.10+0.1.11pre+kokb23-4.dsc
MD5 checksum: 46bd8e55a198036391b57a847486c303
http://security.debian.org/dists/stable/updates/main/source/w3m-ssl_0.1.10+0.1.11pre+kokb23-4.dsc
MD5 checksum: 6bc881ce595e5f723bcbd61dc6520523
http://security.debian.org/dists/stable/updates/main/source/w3m-ssl_0.1.10+0.1.11pre+kokb23-4.tar.gz
MD5 checksum: c857fd94c8e76f451ddfc3e59ce2d678
Alpha architecture:
http://security.debian.org/dists/stable/updates/main/binary-alpha/w3m_0.1.10+0.1.11pre+kokb23-4_alpha.deb
MD5 checksum: 2da17834f750361ef11f956aea86bcdc
http://security.debian.org/dists/stable/updates/main/binary-alpha/w3m-ssl_0.1.10+0.1.11pre+kokb23-4_alpha.deb
MD5 checksum: b5b17b0ab958e1ce5ae82998c8c52a21
ARM architecture:
http://security.debian.org/dists/stable/updates/main/binary-arm/w3m_0.1.10+0.1.11pre+kokb23-4_arm.deb
MD5 checksum: da67534b0182355a57618231addd92ae
http://security.debian.org/dists/stable/updates/main/binary-arm/w3m-ssl_0.1.10+0.1.11pre+kokb23-4_arm.deb
MD5 checksum: cd5a22df1fbca97ec3ce9d7a6760ab41
Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/main/binary-i386/w3m_0.1.10+0.1.11pre+kokb23-4_i386.deb
MD5 checksum: 7b811019f0f246338cbf438952358b54
http://security.debian.org/dists/stable/updates/main/binary-i386/w3m-ssl_0.1.10+0.1.11pre+kokb23-4_i386.deb
MD5 checksum: 07c9aa2738a22e4984c290657c71b79d
PowerPC architecture:
http://security.debian.org/dists/stable/updates/main/binary-powerpc/w3m_0.1.10+0.1.11pre+kokb23-4_powerpc.deb
MD5 checksum: 64211980c4101e493aa2c0f906c6be9c
Sun Sparc architecture:
http://security.debian.org/dists/stable/updates/main/binary-sparc/w3m_0.1.10+0.1.11pre+kokb23-4_sparc.deb
MD5 checksum: 4016ba11b084cd94e6023b47e7270f74
http://security.debian.org/dists/stable/updates/main/binary-sparc/w3m-ssl_0.1.10+0.1.11pre+kokb23-4_sparc.deb
MD5 checksum: 4a50edab63b9fe3c6c40638902018ebb
w3m-ssl is not available for stable/powerpc and neither w3m nor
w3m-ssl are available for m68k.
These files will be moved into the stable distribution on its next
revision.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE7ztdUW5ql+IAeqTIRAkX/AJ0fTY4IwDBVPP/VWvxFZVPdBJ9dEwCfTFDV
IsG1nUkpU38Gd/i0RBfSqs8=
=hKOS
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to debian-security-announce-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
|
|
