Bug 17942

Summary: putty new security issue CVE-2016-2563
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs, wilcal.int
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/680462/
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Source RPM: putty-0.66-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-03-10 14:32:31 CET 
Upstream has issued an advisory on March 5:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html

The issue is fixed upstream in version 0.67.  Götz updated it in Cauldron.

Updated package checked into Mageia 5 SVN.  It is having a strange build error right now, so we'll have to assign it to QA later when we can get it to build.  Assigning to Götz for now.  Advisory for the update is below.

There will need to be a filezilla update (it bundles putty), but upstream hasn't made an update for this yet.

Advisory:
========================

Updated putty package fixes security vulnerability:

Many versions of PSCP in PuTTY prior to 0.67 have a stack corruption
vulnerability in their treatment of the 'sink' direction (i.e. downloading
from server to client) of the old-style SCP protocol. In order for this
vulnerability to be exploited, the user must connect to a malicious server
and attempt to download any file (CVE-2016-2563).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2563
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html
http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
========================

Updated packages in core/updates_testing:
========================
putty-0.67-1.mga5

from putty-0.67-1.mga5.src.rpm
Comment 1 Götz Waschk 2016-03-10 14:53:51 CET 
It triggers a bug in halibut, so we can either backport halibut 1.1 with this update or don't build the docs in the mga5 update.
Comment 2 David Walser 2016-03-10 15:22:25 CET 
Thanks!  Updating halibut is fine, I'll do that.
Comment 3 David Walser 2016-03-10 15:30:08 CET 
Advisory:
========================

Updated putty package fixes security vulnerability:

Many versions of PSCP in PuTTY prior to 0.67 have a stack corruption
vulnerability in their treatment of the 'sink' direction (i.e. downloading
from server to client) of the old-style SCP protocol. In order for this
vulnerability to be exploited, the user must connect to a malicious server
and attempt to download any file (CVE-2016-2563).

The putty package has been updated to version 0.67 to fix this issue and a
few other bugs.  The halibut package has been updated to version 1.1 to build
the documentation.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2563
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html
http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
========================

Updated packages in core/updates_testing:
========================
halibut-1.1-2.mga5
vim-halibut-1.1-2.mga5
putty-0.67-1.mga5

from SRPMS:
halibut-1.1-2.mga5.src.rpm
putty-0.67-1.mga5.src.rpm

Assignee: goetz.waschk => qa-bugs

Comment 4 William Kenney 2016-03-14 16:09:43 CET 
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
putty

default install of putty

[root@localhost wilcal]# urpmi putty
Package putty-0.66-1.mga5.i586 is already installed

I can use putty to get into my server at 192.168.1.2
I can use putty to get into my Rasberry Pi at 192.168.1.18

install putty from updates_testing

[root@localhost wilcal]# urpmi putty
Package putty-0.67-1.mga5.i586 is already installed

I can use putty to get into my server at 192.168.1.2
I can use putty to get into my Rasberry Pi at 192.168.1.18

CC: (none) => wilcal.int
Whiteboard: (none) => MGA5-32-OK

Comment 5 William Kenney 2016-03-14 16:19:43 CET 
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
putty

default install of putty

[root@localhost wilcal]# urpmi putty
Package putty-0.66-1.mga5.x86_64 is already installed

I can use putty to get into my server at 192.168.1.2
I can use putty to get into my Raspberry Pi at 192.168.1.18

install putty from updates_testing

[root@localhost wilcal]# urpmi putty
Package putty-0.67-1.mga5.x86_64 is already installed

I can use putty to get into my server at 192.168.1.2
I can use putty to get into my Raspberry Pi at 192.168.1.18
William Kenney 2016-03-14 16:20:01 CET

Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK

Comment 6 William Kenney 2016-03-14 16:20:35 CET 
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 claire robinson 2016-03-15 19:58:02 CET 
Well done Bill. Advisory uploaded.

Whiteboard: MGA5-32-OK MGA5-64-OK => advisory MGA5-32-OK MGA5-64-OK

Comment 8 Mageia Robot 2016-03-16 19:08:12 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0112.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-03-17 16:58:37 CET

URL: (none) => http://lwn.net/Vulnerabilities/680462/