CVE-2006-6772

Format string vulnerability in the inputAnswer function in file.c in w3m before 0.5.2, when run with the dump or backend option, allows remote attackers to execute arbitrary code via format string specifiers in the Common Name (CN) field of an SSL certificate associated with an https URL.

Weakness

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

Affected Software

Name	Vendor	Start Version	End Version
W3m	W3m	0.5.1 (including)	0.5.1 (including)
W3m	Ubuntu	dapper	*
W3m	Ubuntu	devel	*
W3m	Ubuntu	edgy	*
W3m	Ubuntu	feisty	*

Potential Mitigations

https://cwe.mitre.org/data/definitions/135.html
https://cwe.mitre.org/data/definitions/67.html

References

http://fedoranews.org/cms/node/2415
http://fedoranews.org/cms/node/2416
http://lists.grok.org.uk/pipermail/full-disclosure/2006-December/051457.html
http://secunia.com/advisories/23492
http://secunia.com/advisories/23588
http://secunia.com/advisories/23717
http://secunia.com/advisories/23773
http://secunia.com/advisories/23792
http://security.gentoo.org/glsa/glsa-200701-06.xml
http://securitytracker.com/id?1017440
http://sourceforge.net/tracker/index.php?func=detail\u0026aid=1612792\u0026group_id=39518\u0026atid=425439
http://w3m.cvs.sourceforge.net/%2Acheckout%2A/w3m/w3m/NEWS?revision=1.79
http://w3m.cvs.sourceforge.net/w3m/w3m/file.c?r1=1.249\u0026r2=1.250
http://w3m.cvs.sourceforge.net/w3m/w3m/file.c?view=log
http://www.novell.com/linux/security/advisories/2007_05_w3m.html
http://www.openpkg.com/security/advisories/OpenPKG-SA-2006.044.html
http://www.securityfocus.com/bid/21735
http://www.securityfocus.com/bid/24332
http://www.ubuntu.com/usn/usn-399-1
http://www.vupen.com/english/advisories/2006/5164
https://exchange.xforce.ibmcloud.com/vulnerabilities/31114
https://exchange.xforce.ibmcloud.com/vulnerabilities/34821
http://fedoranews.org/cms/node/2415
http://fedoranews.org/cms/node/2416
http://lists.grok.org.uk/pipermail/full-disclosure/2006-December/051457.html
http://secunia.com/advisories/23492
http://secunia.com/advisories/23588
http://secunia.com/advisories/23717
http://secunia.com/advisories/23773
http://secunia.com/advisories/23792
http://security.gentoo.org/glsa/glsa-200701-06.xml
http://securitytracker.com/id?1017440
http://sourceforge.net/tracker/index.php?func=detail\u0026aid=1612792\u0026group_id=39518\u0026atid=425439
http://w3m.cvs.sourceforge.net/%2Acheckout%2A/w3m/w3m/NEWS?revision=1.79
http://w3m.cvs.sourceforge.net/w3m/w3m/file.c?r1=1.249\u0026r2=1.250
http://w3m.cvs.sourceforge.net/w3m/w3m/file.c?view=log
http://www.novell.com/linux/security/advisories/2007_05_w3m.html
http://www.openpkg.com/security/advisories/OpenPKG-SA-2006.044.html
http://www.securityfocus.com/bid/21735
http://www.securityfocus.com/bid/24332
http://www.ubuntu.com/usn/usn-399-1
http://www.vupen.com/english/advisories/2006/5164
https://exchange.xforce.ibmcloud.com/vulnerabilities/31114
https://exchange.xforce.ibmcloud.com/vulnerabilities/34821

NVD	https://nvd.nist.gov/vuln/detail/CVE-2006-6772
CWE	https://cwe.mitre.org/data/definitions/134.html

Use of Externally-Controlled Format String

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References