Bug 20531

Summary: filezilla new security issue CVE-2017-6542
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: David GEIGER <geiger.david68210>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia
Version: 5   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: filezilla-3.16.1-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2017-03-19 20:57:42 CET 
+++ This bug was initially created as a clone of Bug #20525 +++

openSUSE has issued an advisory today (March 19):
https://lists.opensuse.org/opensuse-updates/2017-03/msg00055.html

The issue is fixed upstream in PuTTY 0.68.

FileZilla also bundles PuTTY and is most likely affected.

Upstream reference:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-agent-fwd-overflow.html
Comment 1 David GEIGER 2017-06-04 09:35:08 CEST 
Hmmmm! I tried to compile filezilla 3.25.2 for mga5 but we need to updating also nettle to 3.1 release:

checking for NETTLE... no
configure: error: nettle 3.1 greater was not found. You can get it from https://www.lysator.liu.se/~nisse/nettle/
error: Bad exit status from /home/iurt/rpmbuild/tmp/rpm-tmp.gJSKUH (%build)



Note that filezilla 3.24.1 are now based on PuTTY 0.68 but this one needs also nettle 3.1.
Comment 2 David Walser 2017-06-04 14:06:32 CEST 
Nothing currently uses nettle 3.0 in mga5 (everything uses 2.7), so upgrading the 3.0 to 3.1 wouldn't affect anything.  Go for it.
Comment 3 David Walser 2017-07-09 01:57:00 CEST 
Ping David.
Comment 4 David Walser 2017-07-14 21:39:57 CEST 
David, just a note that the nettle you pushed in updates_testing from this:
http://svnweb.mageia.org/packages?view=revision&revision=1109594

unfixes this:
https://bugs.mageia.org/show_bug.cgi?id=17669
Comment 5 Nicolas Lécureuil 2017-08-11 17:21:58 CEST 
(In reply to David Walser from comment #4)
> David, just a note that the nettle you pushed in updates_testing from this:
> http://svnweb.mageia.org/packages?view=revision&revision=1109594
> 
> unfixes this:
> https://bugs.mageia.org/show_bug.cgi?id=17669


what do you mean by that ?

CC: (none) => mageia

Comment 6 David Walser 2017-08-12 02:16:30 CEST 
(In reply to Nicolas Lécureuil from comment #5)
> (In reply to David Walser from comment #4)
> > David, just a note that the nettle you pushed in updates_testing from this:
> > http://svnweb.mageia.org/packages?view=revision&revision=1109594
> > 
> > unfixes this:
> > https://bugs.mageia.org/show_bug.cgi?id=17669
> 
> 
> what do you mean by that ?

Exactly what I said.  We fixed CVE-2015-880[3-5] previously, but David dropped the patch for that when he updated it, but 3.1 didn't fix those issues, so the patch needs to be re-added.
Comment 7 David Walser 2017-12-27 04:58:48 CET 
David, if you still want to try and fix this, just update nettle to 3.3 (sync with mga6/Cauldron).
Comment 8 David Walser 2017-12-29 18:13:43 CET 
David, if you're still alive and want to take a crack at this, I updated nettle in Mageia 5 SVN to 3.3.
Comment 9 David Walser 2017-12-30 04:01:39 CET 
It looks like this also needs gnutls 3.4.15+, while we have 3.2.21 on Mageia 5, so we can't update this.

Status: NEW => RESOLVED
Resolution: (none) => OLD