w3m through 0.5.3 does not properly handle temporary files when the ~/.w3m directory is unwritable, which allows a local attacker to craft a symlink attack to overwrite arbitrary files.
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Name | Vendor | Start Version | End Version |
---|---|---|---|
W3m | Tats | * | 0.5.3 (including) |
W3m | Ubuntu | artful | * |
W3m | Ubuntu | devel | * |
W3m | Ubuntu | trusty | * |
W3m | Ubuntu | upstream | * |
W3m | Ubuntu | xenial | * |