DescriptionFormat string vulnerability in the inputAnswer function in file.c in w3m before 0.5.2, when run with the dump or backend option, allows remote attackers to execute arbitrary code via format string specifiers in the Common Name (CN) field of an SSL certificate associated with an https URL.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh
Debian Bugs404564

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
w3m (PTS)stretch0.5.3-34+deb9u1fixed
bullseye, sid0.5.3+git20210102-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
w3mmeesource(unstable)(not affected)


- w3mmee <not-affected> (Does not include this format string vuln in the code)
[sarge] - w3m <no-dsa> (Minor issue, only exploitable in dump mode)

Search for package or bug name: Reporting problems