Bugzilla – Bug 1213324
VUL-0: CVE-2023-38252: w3m: out-of-bounds read in Strnew_size() at w3m/Str.c
Last modified: 2023-11-14 16:30:02 UTC
CVE-2023-38252

w3m 0.5.3+git20230129 has an out-of-bounds write in function Strnew_size in Str.c. This allows attackers to cause a denial of service via a crafted HTML file.

Upstream issue:
https://github.com/tats/w3m/issues/270

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38252
https://bugzilla.redhat.com/show_bug.cgi?id=2222775

Affected version:
0.5.3+git20230129
0.5.3+git20230121-1
0.5.3+git20230121-2

Only affecting:
openSUSE:Factory w3m-v0.5.3+git20230121
awaiting upstream patch
Patch was submitted via:
https://build.opensuse.org/request/show/1100670

closing
SUSE-SU-2023:4439-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1213323, 1213324
CVE References: CVE-2023-38252, CVE-2023-38253
Sources used:
openSUSE Leap 15.5 (src): w3m-0.5.3+git20230121-150000.3.6.1
Basesystem Module 15-SP4 (src): w3m-0.5.3+git20230121-150000.3.6.1
Basesystem Module 15-SP5 (src): w3m-0.5.3+git20230121-150000.3.6.1
openSUSE Leap 15.4 (src): w3m-0.5.3+git20230121-150000.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.