Bug 1974192 (CVE-2017-20005)

Summary: CVE-2017-20005 nginx: buffer overflow in ngx_gmtime() triggered by 5 digit years
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bcoca, chousekn, cmeyers, davidn, felix, gblomqui, hhorak, jcammara, jeremy, jhardy, jkaluza, jobarker, jorton, luhliari, mabashia, notting, ollie.yeoh, osapryki, pavel.lisy, peter.borsa, relrod, rpetrell, sdoran, smcdonal, tkuratom, wtogami
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nginx 1.13.6 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nginx. When a date exists earlier than the standard epoch, as demonstrated by a file with a modification date in 1969 that causes a negative number to be treated as an unsigned integer, the year field becomes five characters long, larger than is allocated for, leading to a buffer overflow. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-06-21 15:04:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1974193    

Description Marian Rehak 2021-06-21 06:18:23 UTC
NGINX before 1.13.6 has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module.

External reference:

https://trac.nginx.org/nginx/ticket/1368

Comment 1 Riccardo Schirone 2021-06-21 13:24:58 UTC
Upstream patches:
http://hg.nginx.org/nginx/rev/cdbcb73239ee
http://hg.nginx.org/nginx/rev/644d0457782a

Comment 2 Riccardo Schirone 2021-06-21 13:30:02 UTC
RHEL 8 versions and RHSCL-3 versions of NGINX markes as notaffected based on reported affected version and manual review of the code. The patch is already applied in those versions.

Comment 3 Product Security DevOps Team 2021-06-21 15:04:29 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2017-20005