Bug 21947

Summary: wget new security issues CVE-2017-13089 and CVE-2017-13090
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: herman.viaene, mageia, sysadmin-bugs, tarazed25
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK MGA5-32-OK
Source RPM: wget-1.19.1-2.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-10-27 12:55:39 CEST 
An advisory has been issued on October 26:
https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html

Updated packages uploaded for Mageia 6 and Cauldron (1.19.2).

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated wget package fixes security vulnerabilities:

The http.c:skip_short_body() function is called in some circumstances,
such as when processing redirects. When the response is sent chunked,
the chunk parser uses strtol() to read each chunk's length, but
doesn't check that the chunk length is a non-negative number. The
code then tries to skip the chunk in pieces of 512 bytes by using the
MIN() macro, but ends up passing the negative chunk length to
connect.c:fd_read(). As fd_read() takes an int argument, the high
32 bits of the chunk length are discarded, leaving fd_read() with
a completely attacker controlled length argument (CVE-2017-13089).

The retr.c:fd_read_body() function is called when processing OK
responses. When the response is sent chunked, the chunk parser uses
strtol() to read each chunk's length, but doesn't check that the chunk
length is a non-negative number. The code then tries to read the chunk
in pieces of 8192 bytes by using the MIN() macro, but ends up passing
the negative chunk length to retr.c:fd_read(). As fd_read() takes an
int argument, the high 32 bits of the chunk length are discarded,
leaving fd_read() with a completely attacker controlled length
argument. The attacker can corrupt malloc metadata after the allocated
buffer (CVE-2017-13090).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13090
https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html
========================

Updated packages in core/updates_testing:
========================
wget-1.15-5.3.mga5
wget-1.19.2-1.mga6

from SRPMS:
wget-1.15-5.3.mga5.src.rpm
wget-1.19.2-1.mga6.src.rpm
David Walser 2017-10-27 12:55:47 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2017-10-27 14:47:38 CEST 
RedHat has issued an advisory for this on October 26:
https://access.redhat.com/errata/RHSA-2017:3075

Severity: normal => critical

Comment 2 Len Lawrence 2017-10-28 02:18:25 CEST 
mga6::x86_64

Installed the update.  No obvious reproducers for these vulnerabilities.
Not sure what to test this on but downloaded from the first link in the references   and received a readable html file.

Tried another link at random:
$ wget http://www.dd-wrt.com/wiki/index.php/Supported_Devices#Read_Me_First.21
--2017-10-28 01:00:42--  http://www.dd-wrt.com/wiki/index.php/Supported_Devices
Resolving www.dd-wrt.com... 83.141.4.210
Connecting to www.dd-wrt.com|83.141.4.210|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘Supported_Devices’

Supported_Devices       [ <=>                ]  44.04K   265KB/s    in 0.2s    

2017-10-28 01:00:43 (265 KB/s) - ‘Supported_Devices’ saved [432133]

$ file Supported_Devices 
Supported_Devices: HTML document, ASCII text, with very long lines, with CRLF, LF line terminators

$ firefox Supported_Devices
That works fine, hyperlinks and all.

This is good for 64-bits.

CC: (none) => tarazed25

Len Lawrence 2017-10-28 02:18:42 CEST

Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

Comment 3 PC LX 2017-10-28 13:03:55 CEST 
Installed and tested without issues.

Tested with several HTTP, HTTPS and FTP URLs. Tested with and without a HTTP proxy. Tested single and recursive downloads. No issues found.

System: Mageia 5, x86_64, Intel CPU.

$ uname -a
Linux marte 4.4.92-desktop-1.mga5 #1 SMP Thu Oct 12 20:14:45 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q wget
wget-1.15-5.3.mga5

CC: (none) => mageia
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK

Comment 4 Herman Viaene 2017-10-28 14:25:45 CEST 
MGA5-32 on Asus A6000VM Xfce
No installation issues
Repeated test as per Comment 2 above with same results. So OK.

CC: (none) => herman.viaene
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK MGA5-32-OK

Lewis Smith 2017-10-29 20:11:06 CET

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Lewis Smith 2017-10-29 20:11:26 CET

CC: lewyssmith => (none)

Comment 5 Mageia Robot 2017-10-30 20:24:18 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0396.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED