1974192 – (CVE-2017-20005) CVE-2017-20005 nginx: buffer overflow in ngx_gmtime() triggered by 5 digit years

Bug 1974192 (CVE-2017-20005) - CVE-2017-20005 nginx: buffer overflow in ngx_gmtime() triggered by 5 digit years

Summary: CVE-2017-20005 nginx: buffer overflow in ngx_gmtime() triggered by 5 digit years

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2017-20005
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1974193
TreeView+	depends on / blocked

Reported:	2021-06-21 06:18 UTC by Marian Rehak
Modified:	2021-06-21 15:04 UTC (History)
CC List:	26 users (show)
Fixed In Version:	nginx 1.13.6
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in nginx. When a date exists earlier than the standard epoch, as demonstrated by a file with a modification date in 1969 that causes a negative number to be treated as an unsigned integer, the year field becomes five characters long, larger than is allocated for, leading to a buffer overflow. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed:	2021-06-21 15:04:29 UTC
Embargoed:

Attachments	(Terms of Use)

Description Marian Rehak 2021-06-21 06:18:23 UTC

NGINX before 1.13.6 has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module.

External reference:

https://trac.nginx.org/nginx/ticket/1368

Comment 1 Riccardo Schirone 2021-06-21 13:24:58 UTC

Upstream patches:
http://hg.nginx.org/nginx/rev/cdbcb73239ee
http://hg.nginx.org/nginx/rev/644d0457782a

Comment 2 Riccardo Schirone 2021-06-21 13:30:02 UTC

RHEL 8 versions and RHSCL-3 versions of NGINX markes as notaffected based on reported affected version and manual review of the code. The patch is already applied in those versions.

Comment 3 Product Security DevOps Team 2021-06-21 15:04:29 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2017-20005

Note You need to log in before you can comment on or make changes to this bug.

bcoca
chousekn
cmeyers
davidn
felix
gblomqui
hhorak
jcammara
jeremy
jhardy
jkaluza
jobarker
jorton
luhliari
mabashia
notting
ollie.yeoh
osapryki
pavel.lisy
peter.borsa
relrod
rpetrell
sdoran
smcdonal
tkuratom
wtogami