Bug 21947 - wget new security issues CVE-2017-13089 and CVE-2017-13090
Summary: wget new security issues CVE-2017-13089 and CVE-2017-13090
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK MGA5-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-10-27 12:55 CEST by David Walser
Modified: 2017-10-30 20:24 CET

See Also:
Source RPM: wget-1.19.1-2.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2017-10-27 12:55:39 CEST
An advisory has been issued on October 26:
https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html

Updated packages uploaded for Mageia 6 and Cauldron (1.19.2).

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated wget package fixes security vulnerabilities:

The http.c:skip_short_body() function is called in some circumstances,
such as when processing redirects. When the response is sent chunked,
the chunk parser uses strtol() to read each chunk's length, but
doesn't check that the chunk length is a non-negative number. The
code then tries to skip the chunk in pieces of 512 bytes by using the
MIN() macro, but ends up passing the negative chunk length to
connect.c:fd_read(). As fd_read() takes an int argument, the high
32 bits of the chunk length are discarded, leaving fd_read() with
a completely attacker controlled length argument (CVE-2017-13089).

The retr.c:fd_read_body() function is called when processing OK
responses. When the response is sent chunked, the chunk parser uses
strtol() to read each chunk's length, but doesn't check that the chunk
length is a non-negative number. The code then tries to read the chunk
in pieces of 8192 bytes by using the MIN() macro, but ends up passing
the negative chunk length to retr.c:fd_read(). As fd_read() takes an
int argument, the high 32 bits of the chunk length are discarded,
leaving fd_read() with a completely attacker controlled length
argument. The attacker can corrupt malloc metadata after the allocated
buffer (CVE-2017-13090).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13090
https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html
========================

Updated packages in core/updates_testing:
========================
wget-1.15-5.3.mga5
wget-1.19.2-1.mga6

from SRPMS:
wget-1.15-5.3.mga5.src.rpm
wget-1.19.2-1.mga6.src.rpm
David Walser 2017-10-27 12:55:47 CEST

Whiteboard: (none) => MGA5TOO
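
The unchecked chunk-length handling described in the advisory above, modelled next to a checked version, as an added C example (not wget's source and not part of the bug report). The function names and the PIECE constant are hypothetical, the sample lines are constructed, and the truncated value assumes a 64-bit long.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define PIECE 512 /* piece size the advisory gives for skip_short_body() */

/* Hypothetical model of the flawed path: the parsed size is never checked
   for sign, so the value an fd_read(int)-style reader receives is the
   low 32 bits of a negative long. */
static int unchecked_read_len(const char *size_line)
{
    long remaining = strtol(size_line, NULL, 16);
    long piece = MIN(remaining, PIECE); /* a negative size always "wins" */
    return (int) piece;                 /* high 32 bits discarded */
}

/* Hardened parse: reject missing digits, overflow and negative sizes.
   Returns 0 and stores the size in *out, or -1 if the line is rejected. */
static int parse_chunk_size(const char *size_line, long *out)
{
    char *end;
    errno = 0;
    long v = strtol(size_line, &end, 16);
    if (end == size_line || errno == ERANGE || v < 0)
        return -1;
    *out = v;
    return 0;
}

/* Length for the next read, or -1 when the response must be abandoned. */
static int checked_read_len(const char *size_line)
{
    long remaining;
    if (parse_chunk_size(size_line, &remaining) != 0)
        return -1;
    return (int) MIN(remaining, PIECE); /* now always in 0..PIECE */
}

int main(void)
{
    /* Constructed chunk-size lines, not captured traffic. */
    const char *lines[] = { "1f\r\n", "1000\r\n", "-1\r\n", "-FFFFFD00\r\n" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("unchecked=%d checked=%d\n",
               unchecked_read_len(lines[i]), checked_read_len(lines[i]));
    return 0;
}
```

With a 64-bit long, the last constructed line gives the unchecked path a length of 768, larger than the 512-byte piece, while the checked path rejects the line.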

Comment 1 David Walser 2017-10-27 14:47:38 CEST
Red Hat has issued an advisory for this on October 26:
https://access.redhat.com/errata/RHSA-2017:3075

Severity: normal => critical

Comment 2 Len Lawrence 2017-10-28 02:18:25 CEST
mga6::x86_64

Installed the update.  No obvious reproducers for these vulnerabilities.
Not sure what to test this on but downloaded from the first link in the references and received a readable html file.

Tried another link at random:
$ wget http://www.dd-wrt.com/wiki/index.php/Supported_Devices#Read_Me_First.21
--2017-10-28 01:00:42--  http://www.dd-wrt.com/wiki/index.php/Supported_Devices
Resolving www.dd-wrt.com... 83.141.4.210
Connecting to www.dd-wrt.com|83.141.4.210|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘Supported_Devices’

Supported_Devices       [ <=>                ]  44.04K   265KB/s    in 0.2s    

2017-10-28 01:00:43 (265 KB/s) - ‘Supported_Devices’ saved [432133]

$ file Supported_Devices 
Supported_Devices: HTML document, ASCII text, with very long lines, with CRLF, LF line terminators

$ firefox Supported_Devices
That works fine, hyperlinks and all.

This is good for 64-bits.

CC: (none) => tarazed25

Len Lawrence 2017-10-28 02:18:42 CEST

Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

Comment 3 PC LX 2017-10-28 13:03:55 CEST
Installed and tested without issues.

Tested with several HTTP, HTTPS and FTP URLs. Tested with and without an HTTP proxy. Tested single and recursive downloads. No issues found.

System: Mageia 5, x86_64, Intel CPU.

$ uname -a
Linux marte 4.4.92-desktop-1.mga5 #1 SMP Thu Oct 12 20:14:45 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q wget
wget-1.15-5.3.mga5

CC: (none) => mageia
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK

Comment 4 Herman Viaene 2017-10-28 14:25:45 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues
Repeated test as per Comment 2 above with same results. So OK.

CC: (none) => herman.viaene
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK MGA5-32-OK

Lewis Smith 2017-10-29 20:11:06 CET

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Lewis Smith 2017-10-29 20:11:26 CET

CC: lewyssmith => (none)

Comment 5 Mageia Robot 2017-10-30 20:24:18 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0396.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

