Bug 1974192 (CVE-2017-20005) - CVE-2017-20005 nginx: buffer overflow in ngx_gmtime() triggered by 5 digit years
Summary: CVE-2017-20005 nginx: buffer overflow in ngx_gmtime() triggered by 5 digit years
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2017-20005
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1974193
TreeView+ depends on / blocked
 
Reported: 2021-06-21 06:18 UTC by Marian Rehak
Modified: 2021-06-21 15:04 UTC (History)
26 users (show)

Fixed In Version: nginx 1.13.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nginx. When a date exists earlier than the standard epoch, as demonstrated by a file with a modification date in 1969 that causes a negative number to be treated as an unsigned integer, the year field becomes five characters long, larger than is allocated for, leading to a buffer overflow. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-06-21 15:04:29 UTC


Attachments (Terms of Use)

Description Marian Rehak 2021-06-21 06:18:23 UTC
NGINX before 1.13.6 has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module.

External reference:

https://trac.nginx.org/nginx/ticket/1368

Comment 1 Riccardo Schirone 2021-06-21 13:24:58 UTC
Upstream patches:
http://hg.nginx.org/nginx/rev/cdbcb73239ee
http://hg.nginx.org/nginx/rev/644d0457782a

Comment 2 Riccardo Schirone 2021-06-21 13:30:02 UTC
RHEL 8 versions and RHSCL-3 versions of NGINX markes as notaffected based on reported affected version and manual review of the code. The patch is already applied in those versions.

Comment 3 Product Security DevOps Team 2021-06-21 15:04:29 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2017-20005


Note You need to log in before you can comment on or make changes to this bug.