w3m in Alpine Linux 3.22

[mbentley]

IDs

CVE-2018-6196, CVE-2018-6197, CVE-2022-38223, CVE-2018-6198, CVE-2023-38252, CVE-2023-38253

Description

When scanning an Alpine Linux 3.22.0 image that has the w3m package installed, the version is not detected properly due to what I am fairly certain is git being added to the version string. In 3.22, 0.5.3_git20250505-r0 is the version number and in 3.21, it was 0.5.3.20230718-r2

Reproduction Steps

1. A simple image with just w3m works like `mbentley/w3m`
   FROM alpine:3.22
   RUN apk add --no-cache w3m
2. Run a scan
3. See the vulnerability that isn't applicable show up

Target

Container Image

Scanner

Vulnerability

Target OS

Alpine Linux 3.22

Debug Output

$ docker run --rm \
  aquasec/trivy \
  image \
  --format table \
  --scanners vuln \
  --server "http://<my-local-trivy>:4954" \
  --severity "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" \
  --token <token> \
  --pkg-types "os" \
  --ignore-unfixed \
  --debug \
  mbentley/w3m:latest
2025-06-03T14:04:05Z    DEBUG   No plugins loaded
2025-06-03T14:04:05Z    DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-06-03T14:04:05Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-06-03T14:04:05Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-06-03T14:04:05Z    DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-06-03T14:04:05Z    DEBUG   Ignore statuses statuses=[0 1 2 4 5 6 7]
2025-06-03T14:04:05Z    DEBUG   [pkg] Package types     types=[os]
2025-06-03T14:04:05Z    DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2025-06-03T14:04:05Z    INFO    [vuln] Vulnerability scanning is enabled
2025-06-03T14:04:05Z    DEBUG   [notification] Running version check
2025-06-03T14:04:05Z    DEBUG   [notification] Version check completed  latest_version="0.63.0"
2025-06-03T14:04:06Z    DEBUG   [image] Detected image ID       image_id="sha256:a0c00ca9b931ca6d7fac18179cb909994885f4a9412e6daba9c53268d83059a8"
2025-06-03T14:04:06Z    DEBUG   [image] Detected diff ID        diff_ids=[sha256:fd2758d7a50e2b78d275ee7d1c218489f2439084449d895fa17eede6c61ab2c4 sha256:b28528e227da0e46e9112ef9421e72aeb04eb26809fb908273714fdbb04dd659]
2025-06-03T14:04:06Z    DEBUG   [image] Detected base layers    diff_ids=[sha256:fd2758d7a50e2b78d275ee7d1c218489f2439084449d895fa17eede6c61ab2c4]
2025-06-03T14:04:06Z    DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-06-03T14:04:06Z    DEBUG   [vex] VEX filtering is disabled
2025-06-03T14:04:06Z    DEBUG   [notification] Printing notices

Report Summary

┌─────────────────────────────────────┬────────┬─────────────────┐
│               Target                │  Type  │ Vulnerabilities │
├─────────────────────────────────────┼────────┼─────────────────┤
│ mbentley/w3m:latest (alpine 3.22.0) │ alpine │        6        │
└─────────────────────────────────────┴────────┴─────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


mbentley/w3m:latest (alpine 3.22.0)
===================================
Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 3, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬──────────────────────┬───────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │  Installed Version   │   Fixed Version   │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼──────────────────────┼───────────────────┼──────────────────────────────────────────────────────────────┤
│ w3m     │ CVE-2018-6196  │ HIGH     │ fixed  │ 0.5.3_git20250505-r0 │ 0.5.3.20180125-r0 │ w3m: Infinite recursion in HTMLlineproc0                     │
│         │                │          │        │                      │                   │ https://avd.aquasec.com/nvd/cve-2018-6196                    │
│         ├────────────────┤          │        │                      │                   ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2018-6197  │          │        │                      │                   │ w3m: Null pointer dereference in formUpdateBuffer in form.c  │
│         │                │          │        │                      │                   │ https://avd.aquasec.com/nvd/cve-2018-6197                    │
│         ├────────────────┤          │        │                      ├───────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2022-38223 │          │        │                      │ 0.5.3.20230121-r0 │ w3m: an out-of-bounds write in checkType located in etc.c in │
│         │                │          │        │                      │                   │ w3m                                                          │
│         │                │          │        │                      │                   │ https://avd.aquasec.com/nvd/cve-2022-38223                   │
│         ├────────────────┼──────────┤        │                      ├───────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2018-6198  │ MEDIUM   │        │                      │ 0.5.3.20180125-r0 │ w3m: insecure temporary files creation when ~/.w3m is        │
│         │                │          │        │                      │                   │ unwritable                                                   │
│         │                │          │        │                      │                   │ https://avd.aquasec.com/nvd/cve-2018-6198                    │
│         ├────────────────┤          │        │                      ├───────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-38252 │          │        │                      │ 0.5.3.20230718-r0 │ w3m: Out of bounds read in Strnew_size() at w3m/Str.c        │
│         │                │          │        │                      │                   │ https://avd.aquasec.com/nvd/cve-2023-38252                   │
│         ├────────────────┤          │        │                      │                   ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-38253 │          │        │                      │                   │ w3m: Out of bounds read in growbuf_to_Str() at w3m/indep.c   │
│         │                │          │        │                      │                   │ https://avd.aquasec.com/nvd/cve-2023-38253                   │

Version

$ docker run --rm aquasec/trivy --version
Version: 0.63.0

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[knqyf263]

I tested how Alpine's apk compares these versions using Alpine Linux 3.20:

$ docker run --rm alpine:3.20 apk version -t 0.5.3_git20250505-r0 0.5.3.20180125-r0
<
$ docker run --rm alpine:3.20 apk version -t 0.5.3.20180125-r0 0.5.3_git20250505-r0
>

According to Alpine's version comparison logic (found in apk-tools source code), 0.5.3_git20250505-r0 is considered less than 0.5.3.20180125-r0.

This is because:

• 0.5.3.20180125-r0 is treated as a stable release version
• 0.5.3_git20250505-r0 has a _git suffix, which marks it as a development/pre-release version
• Pre-release versions (with suffixes like _git, _alpha, _beta, etc.) are considered lower priority than stable versions with the same base version

So go-apk-version correctly considers the git version as older/lower than the stable version, which explains why these CVEs are flagged by Trivy.

[mbentley]

That certainly makes sense, I wasn't sure where/how exact the version comparison was being made. So I take it this is something that should be reported to the package maintainer for w3m then, yeah? I'm happy to do so if that's the case.

[knqyf263]

So I take it this is something that should be reported to the package maintainer for w3m then, yeah?

Yes, we can ask the maintainer if it is intended or a mistake. If I understand correctly, the _git suffix is a pre-release version.

[mbentley]

Thanks, I filed an issue over in the aports repo as I didn't find any other specific forums to reach out for similar packaging issues.