Bug 17114

Summary: putty new security issue CVE-2015-5309
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, geiger.david68210, goetz.waschk, sysadmin-bugs, wilcal.int
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/664043/
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Source RPM: putty-0.64-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-11-09 14:57:01 CET 
Upstream has issued an advisory on November 7:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-ech-overflow.html

The issue is fixed upstream in version 0.66.  Götz updated it in Cauldron.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-11-10 16:36:01 CET 
PuTTY 0.66 build uploaded for Mageia 5.

I'm reminded that FileZilla also embeds a PuTTY, so that needs to be updated to a version that has PuTTY 0.66 as well.  It doesn't look like one has been released yet.  I'll clone this bug for filezilla.

Advisory:
========================

Updated putty package fixes security vulnerability:

Versions of PuTTY 0.54 and 0.65 inclusive have a potentially memory-corrupting
integer overflow in the handling of the ECH (erase characters) control
sequence in the terminal emulator (CVE-2015-5309).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5309
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-ech-overflow.html
http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
========================

Updated packages in core/updates_testing:
========================
putty-0.66-1.mga5

from putty-0.66-1.mga5.src.rpm

CC: (none) => geiger.david68210, goetz.waschk
Assignee: goetz.waschk => qa-bugs

Comment 2 William Kenney 2015-11-10 18:33:20 CET 
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
putty

default install of putty

[root@localhost wilcal]# urpmi putty
Package putty-0.64-1.mga5.i586 is already installed

I can use putty to get into my server at 192.168.1.2
I can use putty to get into my Rasberry Pi at 192.168.1.18

install putty from updates_testing

[root@localhost wilcal]# urpmi putty
Package putty-0.66-1.mga5.i586 is already installed

I can use putty to get into my server at 192.168.1.2
I can use putty to get into my Rasberry Pi at 192.168.1.18

CC: (none) => wilcal.int

William Kenney 2015-11-10 18:34:16 CET

Whiteboard: (none) => MGA5-32-OK

Comment 3 William Kenney 2015-11-10 18:49:02 CET 
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
putty

default install of putty

[root@localhost wilcal]# urpmi putty
Package putty-0.64-1.mga5.x86_64 is already installed

I can use putty to get into my server at 192.168.1.2
I can use putty to get into my Raspberry Pi at 192.168.1.18

install putty from updates_testing

[root@localhost wilcal]# urpmi putty
Package putty-0.66-1.mga5.x86_64 is already installed

I can use putty to get into my server at 192.168.1.2
I can use putty to get into my Raspberry Pi at 192.168.1.18
Comment 4 William Kenney 2015-11-10 18:49:41 CET 
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs

Dave Hodgins 2015-11-10 21:05:22 CET

CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory

Comment 5 Mageia Robot 2015-11-10 22:27:36 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0442.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-11-11 19:50:16 CET

URL: (none) => http://lwn.net/Vulnerabilities/664043/