An advisory has been issued on October 26:
https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html

Updated packages uploaded for Mageia 6 and Cauldron (1.19.2).

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated wget package fixes security vulnerabilities:

The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but ends up passing the negative chunk length to connect.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument (CVE-2017-13089).

The retr.c:fd_read_body() function is called when processing OK responses. When the response is sent chunked, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to read the chunk in pieces of 8192 bytes by using the MIN() macro, but ends up passing the negative chunk length to retr.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument. The attacker can corrupt malloc metadata after the allocated buffer (CVE-2017-13090).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13090
https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html
========================

Updated packages in core/updates_testing:
========================
wget-1.15-5.3.mga5
wget-1.19.2-1.mga6

from SRPMS:
wget-1.15-5.3.mga5.src.rpm
wget-1.19.2-1.mga6.src.rpm
Whiteboard: (none) => MGA5TOO
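
The unchecked chunk-length pattern described in the advisory above, next to a checked parse, as an added example (not wget's code and not part of the original report). The function names, the SKIP_SIZE constant name and the sample chunk headers are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define SKIP_SIZE 512   /* 512-byte piece size from the advisory; name is assumed */

/* Unchecked pattern: strtol()'s result flows through MIN() and is narrowed to
 * the int a read call takes. A negative value is always below SKIP_SIZE. */
int unchecked_read_len(const char *chunk_line)
{
    long remaining = strtol(chunk_line, NULL, 16);
    return (int) MIN(remaining, SKIP_SIZE);
}

/* Checked parse: 0 on success with *size set, -1 for a malformed header. */
int parse_chunk_size(const char *chunk_line, long *size)
{
    char *end;
    errno = 0;
    long v = strtol(chunk_line, &end, 16);
    if (end == chunk_line || errno == ERANGE)
        return -1;                      /* no hex digits, or out of range */
    if (v < 0)
        return -1;                      /* the missing check: negative length */
    if (*end != '\0' && *end != ';' && *end != '\r' && *end != '\n')
        return -1;                      /* junk after the number */
    *size = v;
    return 0;
}

/* Length for the next read, bounded to [0, SKIP_SIZE]; -1 rejects the response. */
int checked_read_len(const char *chunk_line, int *len)
{
    long remaining;
    if (parse_chunk_size(chunk_line, &remaining) != 0)
        return -1;
    *len = (int) MIN(remaining, SKIP_SIZE);
    return 0;
}

int main(void)
{
    const char *samples[] = { "400\r\n", "1f;ext=1\r\n", "-1\r\n" }; /* constructed */
    for (int i = 0; i < 3; i++) {
        int len = 0, rc = checked_read_len(samples[i], &len);
        printf("unchecked=%d checked rc=%d len=%d\n", unchecked_read_len(samples[i]), rc, len);
    }
    return 0;
}
```
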
RedHat has issued an advisory for this on October 26: https://access.redhat.com/errata/RHSA-2017:3075
Severity: normal => critical
mga6::x86_64

Installed the update.
No obvious reproducers for these vulnerabilities.
Not sure what to test this on but downloaded from the first link in the references and received a readable html file.

Tried another link at random:
$ wget http://www.dd-wrt.com/wiki/index.php/Supported_Devices#Read_Me_First.21
--2017-10-28 01:00:42-- http://www.dd-wrt.com/wiki/index.php/Supported_Devices
Resolving www.dd-wrt.com... 83.141.4.210
Connecting to www.dd-wrt.com|83.141.4.210|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘Supported_Devices’

Supported_Devices [ <=> ] 44.04K 265KB/s in 0.2s

2017-10-28 01:00:43 (265 KB/s) - ‘Supported_Devices’ saved [432133]

$ file Supported_Devices
Supported_Devices: HTML document, ASCII text, with very long lines, with CRLF, LF line terminators
$ firefox Supported_Devices

That works fine, hyperlinks and all.
This is good for 64-bits.
CC: (none) => tarazed25
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
Installed and tested without issues.

Tested with several HTTP, HTTPS and FTP URLs. Tested with and without a HTTP proxy. Tested single and recursive downloads. No issues found.

System: Mageia 5, x86_64, Intel CPU.

$ uname -a
Linux marte 4.4.92-desktop-1.mga5 #1 SMP Thu Oct 12 20:14:45 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q wget
wget-1.15-5.3.mga5
CC: (none) => mageia
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK
MGA5-32 on Asus A6000VM Xfce
No installation issues
Repeated test as per Comment 2 above with same results.
So OK.
CC: (none) => herman.viaene
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK MGA5-32-OK
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
CC: lewyssmith => (none)
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0396.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED