Alpine: multiple w3m packages: security update to 0.5.3-r2

Critical | Tenable Self-Hosted Container Security | Plugin ID 435807

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Integer overflow vulnerability in bdwgc before 2016-09-27 allows attackers to cause a denial of service
in clients of bdwgc (heap buffer overflow crash) and possibly execute arbitrary code via a huge allocation.
(CVE-2016-9427)

- An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31. The feed_table_tag function in
w3m doesn't properly validate the value of table span, which allows remote attackers to cause a denial of
service (stack and/or heap buffer overflow) and possibly execute arbitrary code via a crafted HTML page.
(CVE-2016-9422)

- An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31. Heap-based buffer overflow in
w3m allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a
crafted HTML page. (CVE-2016-9423)

- An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31. w3m doesn't properly validate
the value of tag attribute, which allows remote attackers to cause a denial of service (heap buffer
overflow crash) and possibly execute arbitrary code via a crafted HTML page. (CVE-2016-9424)

- An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31. Heap-based buffer overflow in
the addMultirowsForm function in w3m allows remote attackers to cause a denial of service (crash) and
possibly execute arbitrary code via a crafted HTML page. (CVE-2016-9425)

See Also

https://git.alpinelinux.org/aports/commit/?id=3eca8a6ac59d3c27af76c7823868221204af1054

https://git.alpinelinux.org/aports/commit/?id=4d4d5bc002981d8d33111bba7a132970f9368464

Plugin Details

Severity: Critical

ID: 435807

Version: Revision 1.2

Type: Local

Published: 10/28/2025

Updated: 11/4/2025

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2016-9427

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 11/28/2016

Vulnerability Publication Date: 11/3/2016

Reference Information

CVE: CVE-2016-9422, CVE-2016-9423, CVE-2016-9424, CVE-2016-9425, CVE-2016-9426, CVE-2016-9427, CVE-2016-9428, CVE-2016-9429, CVE-2016-9430, CVE-2016-9431, CVE-2016-9432, CVE-2016-9433, CVE-2016-9434, CVE-2016-9435, CVE-2016-9436, CVE-2016-9437, CVE-2016-9438, CVE-2016-9439, CVE-2016-9440, CVE-2016-9441, CVE-2016-9442, CVE-2016-9443, CVE-2016-9622, CVE-2016-9623, CVE-2016-9624, CVE-2016-9625, CVE-2016-9626, CVE-2016-9627, CVE-2016-9628, CVE-2016-9629, CVE-2016-9630, CVE-2016-9631, CVE-2016-9632, CVE-2016-9633

BID: 94407, 94464