Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 635496 (CVE-2017-13089, CVE-2017-13090) - <net-misc/wget-1.19.1-r2: multiple vulnerabilities (CVE-2017-{13089,13090})
Summary: <net-misc/wget-1.19.1-r2: multiple vulnerabilities (CVE-2017-{13089,13090})
Status: RESOLVED FIXED
Alias: CVE-2017-13089, CVE-2017-13090
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://www.viestintavirasto.fi/en/cy...
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-10-26 13:09 UTC by Thomas Deutschmann
Modified: 2018-01-08 01:41 UTC (History)
1 user (show)

See Also:
Package list:
net-misc/wget-1.19.1-r2
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev Security 2017-10-26 13:09:56 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2017-10-26 13:15:44 UTC
CVE-2017-13089: The http.c:skip_short_body() function is called in some
circumstances, such as when processing redirects.  When the response is
sent chunked, the chunk parser uses strtol() to read each chunk's
length, but doesn't check that the chunk length is a non-negative
number. The code then tries to skip the chunk in pieces of 512 bytes by
using the MIN() macro, but ends up passing the negative chunk length to
connect.c:fd_read(). As fd_read() takes an int argument, the high 32
bits of the chunk length are discarded, leaving fd_read() with a
completely attacker controlled length argument.

CVE-2017-13090: The retr.c:fd_read_body() function is called when
processing OK responses. When the response is sent chunked, the chunk
parser uses strtol() to read each chunk's length, but doesn't check that
the chunk length is a non-negative number. The code then tries to read
the chunk in pieces of 8192 bytes by using the MIN() macro, but ends up
passing the negative chunk length to retr.c:fd_read(). As fd_read()
takes an int argument, the high 32 bits of the chunk length are
discarded, leaving fd_read() with a completely attacker controlled
length argument. The attacker can corrupt malloc metadata after the
allocated buffer.
Comment 2 Thomas Deutschmann gentoo-dev Security 2017-10-26 15:07:07 UTC
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c52583a431acfca8fcfc89b3b91dd3078b82b3b3

@ Arches,

please test and mark stable: =net-misc/wget-1.19.1-r2

Target keywords: alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86
Comment 3 Thomas Deutschmann gentoo-dev Security 2017-10-26 15:07:25 UTC
amd64 stable
Comment 4 Thomas Deutschmann gentoo-dev Security 2017-10-26 15:07:42 UTC
x86 stable
Comment 5 Sergei Trofimovich gentoo-dev 2017-10-28 10:11:41 UTC
hppa stable
Comment 6 Sergei Trofimovich gentoo-dev 2017-10-28 20:25:49 UTC
sparc stable (thanks to Rolf Eike Beer)
Comment 7 Sergei Trofimovich gentoo-dev 2017-10-28 20:48:24 UTC
ia64 stable
Comment 8 Sergei Trofimovich gentoo-dev 2017-10-28 20:54:07 UTC
ppc/ppc64 stable
Comment 9 Thomas Deutschmann gentoo-dev Security 2017-10-30 01:13:25 UTC
m68k/s390/sh stable
Comment 10 Tobias Klausmann gentoo-dev 2017-11-08 12:52:48 UTC
Stable on alpha.
Comment 11 Aleksandr Wagner (Kivak) 2017-11-08 17:20:05 UTC
@ Maintainer(s): Stabilization is complete, please clean the vulnerable
versions from the tree.
Comment 12 Thomas Deutschmann gentoo-dev Security 2017-11-08 17:53:54 UTC
While security coverage doesn't include arm architecture at the moment security team can proceed with GLSA handling. But we cannot cleanup without arm so we have to keep this stable request...
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2017-11-11 13:51:19 UTC
This issue was resolved and addressed in
 GLSA 201711-06 at https://security.gentoo.org/glsa/201711-06
by GLSA coordinator Aaron Bauman (b-man).
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-11-11 13:51:58 UTC
Re-opened for cleanup and final arches.
Comment 15 Markus Meier gentoo-dev 2017-11-19 15:11:23 UTC
arm stable
Comment 16 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-01-08 01:41:12 UTC
arm64 done and ald revision is gone.

Should be fine to close this now.