Incoming details.
CVE-2017-13089: The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but ends up passing the negative chunk length to connect.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument.

CVE-2017-13090: The retr.c:fd_read_body() function is called when processing OK responses. When the response is sent chunked, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to read the chunk in pieces of 8192 bytes by using the MIN() macro, but ends up passing the negative chunk length to retr.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument. The attacker can corrupt malloc metadata after the allocated buffer.
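The length handling described in the two CVE entries above, as an added example that is not part of this bug report and is not wget's code: it puts the unchecked strtol()/MIN()/int pattern beside a parse that rejects negative and oversized chunk lengths. The function names and the sample chunk-size strings are hypothetical, and the truncated value shown assumes a 64-bit long.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define SKIP_SIZE 512   /* piece size named in the CVE-2017-13089 text */

/* Unchecked pattern from the description (hypothetical helper): the
   strtol() result goes into MIN() and then into an int length.
   Returns the int a read routine would receive. */
static int unchecked_read_len(const char *line)
{
    long remaining = strtol(line, NULL, 16);
    long piece = MIN(remaining, SKIP_SIZE);   /* a negative value wins MIN() */
    return (int)piece;                        /* high 32 bits dropped (LP64) */
}

/* Hardened parse: returns 0 and stores the size, or -1 to reject the line. */
static int parse_chunk_size(const char *line, long *out)
{
    char *end;
    errno = 0;
    long v = strtol(line, &end, 16);
    if (end == line || errno == ERANGE)       /* no hex digits, or overflow */
        return -1;
    if (v < 0 || v > INT_MAX)                 /* negative, or too big for int */
        return -1;
    *out = v;
    return 0;
}

/* Length a checked caller passes on: 0..SKIP_SIZE, or -1 when rejected. */
static int checked_read_len(const char *line)
{
    long remaining;
    if (parse_chunk_size(line, &remaining) != 0)
        return -1;
    return (int)MIN(remaining, SKIP_SIZE);
}

int main(void)
{
    const char *samples[] = { "200", "-1", "-FFFFFD00" };  /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s unchecked=%d checked=%d\n", samples[i],
               unchecked_read_len(samples[i]), checked_read_len(samples[i]));
    return 0;
}
```

With a 64-bit long, the last sample leaves the unchecked path with a length larger than the 512-byte piece size, while the checked path rejects it before any read is attempted.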
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c52583a431acfca8fcfc89b3b91dd3078b82b3b3

@ Arches, please test and mark stable:
=net-misc/wget-1.19.1-r2
Target keywords: alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86
amd64 stable
x86 stable
hppa stable
sparc stable (thanks to Rolf Eike Beer)
ia64 stable
ppc/ppc64 stable
m68k/s390/sh stable
Stable on alpha.
@ Maintainer(s): Stabilization is complete, please clean the vulnerable versions from the tree.
While security coverage doesn't include the arm architecture at the moment, the security team can proceed with GLSA handling. But we cannot clean up without arm, so we have to keep this stable request...
This issue was resolved and addressed in GLSA 201711-06 at https://security.gentoo.org/glsa/201711-06 by GLSA coordinator Aaron Bauman (b-man).
Re-opened for cleanup and final arches.
arm stable
arm64 done and old revision is gone. Should be fine to close this now.