w3m: Format string vulnerability — GLSA 200701-06

w3m does not correctly handle format string specifiers in SSL certificates.

Affected packages

www-client/w3m on all architectures
Affected versions < 0.5.1-r4
Unaffected versions >= 0.5.1-r4

Background

w3m is a multi-platform text-based web browser.

Description

w3m in -dump or -backend mode does not correctly handle printf() format string specifiers in the Common Name (CN) field of an X.509 SSL certificate.

Impact

An attacker could entice a user to visit a malicious website that would load a specially crafted X.509 SSL certificate containing "%n" or other format string specifiers, possibly resulting in the execution of arbitrary code with the rights of the user running w3m.

Workaround

There is no known workaround at this time.

Resolution

All w3m users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-client/w3m-0.5.1-r4"

References

Release date
January 12, 2007

Latest revision
January 12, 2007: 01

Severity
normal

Exploitable
remote

Bugzilla entries