| Summary: | filezilla new security issue CVE-2016-2563 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, geiger.david68210, sysadmin-bugs, wilcal.int |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/680462/ | | |
| Whiteboard: | MGA5-32-OK MGA5-64-OK advisory | | |
| Source RPM: | filezilla-3.11.0.2-1.1.mga5.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2016-03-10 14:34:34 CET
This is fixed upstream now in FileZilla 3.16.1.

Yes, and already submitted and uploaded in Cauldron this morning :)

Yes, I saw. Now we need it updated for Mageia 5.

If we want to update for mga5 so we have to import libfilezilla.

Updated packages uploaded by David. Thanks!

Advisory:
========================

Updated filezilla package fixes security vulnerability:

Many versions of PSCP in PuTTY prior to 0.67 have a stack corruption vulnerability in their treatment of the 'sink' direction (i.e. downloading from server to client) of the old-style SCP protocol. In order for this vulnerability to be exploited, the user must connect to a malicious server and attempt to download any file (CVE-2016-2563).

FileZilla was vulnerable to this issue as it bundles a copy of PuTTY.

The filezilla package has been updated to version 3.16.1, which fixes this issue and has many other fixes and enhancements.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2563
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html
http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
https://filezilla-project.org/
========================

Updated packages in core/updates_testing:
========================
libfilezilla0-0.4.0.1-1.mga5
libfilezilla-devel-0.4.0.1-1.mga5
libpugixml1-1.7-1.mga5
libpugixml-devel-1.7-1.mga5
filezilla-3.16.1-1.mga5

from SRPMS:
libfilezilla-0.4.0.1-1.mga5.src.rpm
pugixml-1.7-1.mga5.src.rpm
filezilla-3.16.1-1.mga5.src.rpm

CC: (none) => geiger.david68210

When testing filezilla, please ensure blender also functions (load/save/etc) with the new pugixml library

$ urpmq --whatrequires lib64pugixml1
lib64OpenImageIO1.2
lib64pugixml-devel
lib64pugixml1
$ urpmq --whatrequires lib64OpenImageIO1.2
blender
lib64OpenImageIO-devel
lib64OpenImageIO1.2
opencolorio
openimageio

David Walser
2016-03-17 16:58:49 CET
URL: (none) => http://lwn.net/Vulnerabilities/680462/

In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
filezilla

default filezilla of package

[root@localhost wilcal]# urpmi filezilla
Package filezilla-3.11.0.2-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi blender
Package blender-2.73a-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64pugixml1
Package lib64pugixml1-1.4-5.mga5.x86_64 is already installed

I can transfer files to and from an FTP server, local and remote.
I can rename downloaded files.

In Vbox running blender from a terminal results in the following error:

[wilcal@localhost ~]$ blender
libGL error: pci id for fd 8: 80ee:beef, driver (null)
libGL error: core dri or dri2 extension not found
libGL error: failed to load driver: vboxvideo
GLEW Error (0x0001): GLEW_ERROR_NO_GL_VERSION: Missing GL version
Writing: /tmp/blender.crash.txt
Segmentation fault

CC: (none) => wilcal.int

On real hardware, M5, KDE, 64-bit

Package(s) under test:
filezilla blender

default filezilla of package

[root@localhost wilcal]# urpmi filezilla
Package filezilla-3.11.0.2-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64pugixml1
Package lib64pugixml1-1.4-5.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi blender
Package blender-2.73a-1.mga5.x86_64 is already installed

I can transfer files to and from FTP servers, local and remote.
I can rename downloaded files.
Blender creates xxx.blender files. I can close them, reopen them, edit them and close them.

install filezilla from updates_testing

[root@localhost wilcal]# urpmi filezilla
Package filezilla-3.16.1-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64pugixml1
Package lib64pugixml1-1.7-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi blender
Package blender-2.73a-1.mga5.x86_64 is already installed

I can transfer files to and from FTP servers, local and remote.
I can rename downloaded files.
Blender creates xxx.blender files. I can close them, reopen them, edit them and close them again.
Blender reopens previously created xxx.blender files.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 5 64-bit, Nvidia driver

William Kenney
2016-03-18 15:47:01 CET
Whiteboard: (none) => MGA5-32-OK

On real hardware, M5, KDE, 32-bit

Package(s) under test:
filezilla blender

default filezilla of package

[root@localhost wilcal]# urpmi filezilla
Package filezilla-3.11.0.2-1.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libpugixml1
Package libpugixml1-1.4-5.mga5.i586 is already installed
[root@localhost wilcal]# urpmi blender
Package blender-2.73a-1.mga5.i586 is already installed

I can transfer files to and from FTP servers, local and remote.
I can rename downloaded files.
Blender creates xxx.blender files. I can close them, reopen them, edit them and close them.

install filezilla from updates_testing

[root@localhost wilcal]# urpmi filezilla
Package filezilla-3.16.1-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libpugixml1
Package libpugixml1-1.7-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi blender
Package blender-2.73a-1.mga5.x86_64 is already installed

I can transfer files to and from FTP servers, local and remote.
I can rename downloaded files.
Blender creates xxx.blender files. I can close them, reopen them, edit them and close them again.
Blender reopens previously created xxx.blender files.

Test platform:
Intel, P4 530J 3.0 GHz, 800MHz FSB, 1MB L2, LGA 775
GigaByte GA-81915G Pro F4 i915G LGA 775 MoBo
Marvel Yukon 88E8001 Gigabit LAN
Intel High Def Audio, Azalia (C-Media 9880) (snd-hda-intel)
Intel Graphics Media Accelerator 900 (Intel 82915G)
Kingston 4GB (2 x 2GB) DDR400 PC-3200
250GB Seagate
Kingwin KF-91-BK SATA Mobile Rack
Kingwin KF-91-T-BK SATA Mobile Rack Tray
Sony CD/DVD-RW DWQ120AB2

This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update

(In reply to William Kenney from comment #7)
> In Vbox running blender from a terminal results in the following error:
>
> [wilcal@localhost ~]$ blender
> libGL error: pci id for fd 8: 80ee:beef, driver (null)
> libGL error: core dri or dri2 extension not found
> libGL error: failed to load driver: vboxvideo
> GLEW Error (0x0001): GLEW_ERROR_NO_GL_VERSION: Missing GL version
> Writing: /tmp/blender.crash.txt
> Segmentation fault

Opened:
Summary: Blender seg faults in a Vbox client
https://bugs.mageia.org/show_bug.cgi?id=18035

Dave Hodgins
2016-03-20 23:57:42 CET
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0118.html

Status: NEW => RESOLVED