http://www.search-lab.hu/advisories/secadv-20130722

"
Description:

PuTTY versions 0.62 and earlier - as well as all software that integrates these versions of PuTTY - are vulnerable to an integer overflow leading to heap overflow during the SSH handshake before authentication, caused by improper bounds checking of the length parameter received from the SSH server. This allows remote attackers to cause denial of service, and may have more severe impact on the operation of software that uses PuTTY code.

Affected software products:
- PuTTY up to and including 0.62
- WinSCP before 5.1.6
- all other software that uses vulnerable (revision 9895 or earlier) PuTTY code

Details:

A malformed size value in the SSH handshake could cause an integer overflow, as the getstring() function in sshrsa.c and sshdss.c read the handshake message length without checking that it was not a negative number. Specifically, the bignum_from_bytes() function invoked by getstring() received a data buffer along with its length represented by a signed integer (nbytes) and performed the following arithmetical operation before allocating memory to store the buffer:

    w = (nbytes + BIGNUM_INT_BYTES - 1) / BIGNUM_INT_BYTES; /* bytes->words */
    result = newbn(w);

If the value of nbytes was -1 (0xffffffff), the value of w would overflow to a very small positive number (depending on the value of BIGNUM_INT_BYTES), causing newbn() to reserve a very small memory area. Then a large number of bytes would be copied into the data buffer afterwards, resulting in a heap overflow.

Similarly, if nbytes was chosen so that w would be -1, the newbn() function would allocate zero bytes in memory via snewn() and attempt to write the size of the Bignum (in four bytes) into the allocated zero-byte area, also resulting in a heap overflow.

Consequences:

In the standalone PuTTY client the attacker does not have precise control over the memory corruption, so this bug can only cause a local denial-of-service (crash). However, in other software that uses PuTTY code, such heap corruption could have more severe effects. Specifically in case of WinSCP, this vulnerability could potentially lead to code execution due to the exception handling employed by the program.

Solution:

This vulnerability has been fixed in the development version of PuTTY [2]. All developers using PuTTY code are recommended to use revision 9896 or later. The potential code execution vulnerability has been addressed in WinSCP 5.1.6 [3].

Credits:

This vulnerability was discovered and researched by Gergely Eberhardt from SEARCH-LAB Ltd. (www.search-lab.hu)

References:
[1] http://www.search-lab.hu/advisories/secadv-20130722
[2] http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896
[3] http://winscp.net/tracker/show_bug.cgi?id=1017
"

Reproducible:

Steps to Reproduce:
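The signed-length arithmetic quoted in the advisory, as an added example that is not part of the bug report or of PuTTY's own code: it reproduces the words-from-bytes computation with an assumed BIGNUM_INT_BYTES of 4, and shows the length validation that getstring() lacked, run over constructed message bytes.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not PuTTY's code. BIGNUM_INT_BYTES = 4 (32-bit bignum
 * words) is an assumption; the arithmetic is the one the advisory quotes. */
#define BIGNUM_INT_BYTES 4

/* Pre-fix arithmetic: nbytes is a signed int fed straight from the
 * server-supplied length field, so a negative value reaches the division.
 * nbytes = -1 yields 0 words (a tiny allocation); nbytes = -7 yields -1,
 * the case where newbn() would be asked for a zero-byte area. */
int words_unchecked(int nbytes)
{
    return (nbytes + BIGNUM_INT_BYTES - 1) / BIGNUM_INT_BYTES;
}

/* Read the 4-byte big-endian length of an SSH string and validate it
 * against the bytes actually left in the message. Returns false when the
 * value would be negative as an int or claims more data than is present,
 * so no allocation size is ever derived from it. */
bool getstring_length(const uint8_t *buf, size_t remaining, size_t *len_out)
{
    if (remaining < 4)
        return false;
    uint32_t len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                   ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if (len > (uint32_t)INT_MAX)   /* would be negative as a signed int */
        return false;
    if (len > remaining - 4)       /* truncated or oversized string */
        return false;
    *len_out = len;
    return true;
}

/* Hardened words-from-bytes: only reachable with a validated size_t, so the
 * rounding term cannot wrap and the result is never negative. */
size_t words_checked(size_t nbytes)
{
    return (nbytes + BIGNUM_INT_BYTES - 1) / BIGNUM_INT_BYTES;
}

/* Constructed samples (not captured traffic): a length field of 0xffffffff,
 * the malformed case from the advisory; a length that exceeds the payload;
 * and a well-formed 8-byte string. */
static const uint8_t bad_msg[]   = {0xff, 0xff, 0xff, 0xff, 1, 2, 3, 4, 5, 6, 7, 8};
static const uint8_t short_msg[] = {0x00, 0x00, 0x00, 0x64, 1, 2, 3, 4, 5, 6, 7, 8};
static const uint8_t good_msg[]  = {0x00, 0x00, 0x00, 0x08, 1, 2, 3, 4, 5, 6, 7, 8};
```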
Fixed packages has been submitted to all.
CC: (none) => mageia
Hardware: i586 => All
Version: 2 => 3
Whiteboard: (none) => MGA3TOO
Sorry, wrong version.
Whiteboard: MGA3TOO => MGA2TOO
And here I thought PuTTY was just a Windows program.

Advisory:
========================

Updated putty packages fix security vulnerability:

PuTTY versions 0.62 and earlier - as well as all software that integrates these versions of PuTTY - are vulnerable to an integer overflow leading to heap overflow during the SSH handshake before authentication, caused by improper bounds checking of the length parameter received from the SSH server. This allows remote attackers to cause denial of service, and may have more severe impact on the operation of software that uses PuTTY code (CVE-2013-4852).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4852
http://www.search-lab.hu/advisories/secadv-20130722
========================

Updated packages in core/updates_testing:
========================

putty-0.62-1.1.mga2
putty-0.62-2.1.mga3

from SRPMS:
putty-0.62-1.1.mga2.src.rpm
putty-0.62-2.1.mga3.src.rpm
CC: (none) => luigiwalser
Assignee: bugsquad => qa-bugs
Summary: CVE-2013-4852: putty - SSH handshake heap overflow => putty - SSH handshake heap overflow (CVE-2013-4852)
Oden, as you probably saw here, filezilla may also be affected: http://openwall.com/lists/oss-security/2013/08/05/6 Could you patch that package as well if need be?
Advisory 10925.adv uploaded to svn.
CC: (none) => davidwhodgins
http://www.openwall.com/lists/oss-security/2013/08/05/6 filezilla embeds putty, so i just submitted filezilla-3.5.3-1.1.mga2, filezilla-3.6.0.2-2.1.mga3 and filezilla-3.7.1.1-2.mga4.
Thanks Oden! Adding filezilla to the advisory (Dave, please update in SVN).

Advisory:
========================

Updated putty and filezilla packages fix security vulnerability:

PuTTY versions 0.62 and earlier - as well as all software that integrates these versions of PuTTY - are vulnerable to an integer overflow leading to heap overflow during the SSH handshake before authentication, caused by improper bounds checking of the length parameter received from the SSH server. This allows remote attackers to cause denial of service, and may have more severe impact on the operation of software that uses PuTTY code (CVE-2013-4852).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4852
http://www.search-lab.hu/advisories/secadv-20130722
========================

Updated packages in core/updates_testing:
========================

putty-0.62-1.1.mga2
filezilla-3.5.3-1.1.mga2
putty-0.62-2.1.mga3
filezilla-3.6.0.2-2.1.mga3

from SRPMS:
putty-0.62-1.1.mga2.src.rpm
filezilla-3.5.3-1.1.mga2.src.rpm
putty-0.62-2.1.mga3.src.rpm
filezilla-3.6.0.2-2.1.mga3.src.rpm
Summary: putty - SSH handshake heap overflow (CVE-2013-4852) => putty/filezilla - SSH handshake heap overflow (CVE-2013-4852)
Source RPM: putty => putty, filezilla
There may be some additional fixes needed: http://openwall.com/lists/oss-security/2013/08/06/11
Advisory 10925.adv modified to include filezilla srpms. Adding the feedback whiteboard entry until comment 8 is replied to.
Whiteboard: MGA2TOO => MGA2TOO feedback
Sorry guys, putty has some more issues. I just submitted 0.63 that fixes CVE-2013-4852, CVE-2013-4206, CVE-2013-4207, CVE-2013-4208. Reference: http://www.openwall.com/lists/oss-security/2013/08/06/13
Summary: putty/filezilla - SSH handshake heap overflow (CVE-2013-4852) => putty/filezilla - SSH handshake heap overflow (CVE-2013-4852, CVE-2013-4206, CVE-2013-4207, CVE-2013-4208)
Does filezilla need rebuilding too?
3.7.2 was released yesterday that fixed CVE-2013-4852, so I think they will fix the other ones soon. filezilla uses its own bundled copy of putty. Will see if I manage to patch the other CVEs there.
Ouch, too painful for me to patch filezilla. Maybe someone else has the time, or we just wait for 3.7.3?
Reported upstream: http://trac.filezilla-project.org/ticket/8826
Damien has built filezilla-3.7.2-1.mga4 for Cauldron. I guess it just needs backported to mga2 and mga3 now.
CC: (none) => mageia
filezilla-3.7.3 has been submitted to all.
- 3.7.3 (fixes CVE-2013-4206, CVE-2013-4207, CVE-2013-4208)
- 3.7.2 (fixes CVE-2013-4852)
Advisory:
========================

Updated putty and filezilla packages fix security vulnerabilities:

PuTTY versions 0.62 and earlier - as well as all software that integrates these versions of PuTTY - are vulnerable to an integer overflow leading to heap overflow during the SSH handshake before authentication, caused by improper bounds checking of the length parameter received from the SSH server. This allows remote attackers to cause denial of service, and may have more severe impact on the operation of software that uses PuTTY code (CVE-2013-4852).

PuTTY versions 0.62 and earlier - as well as all software that integrates these versions of PuTTY - are vulnerable to a heap-corrupting buffer underrun bug in the modmul function which performs modular multiplication (CVE-2013-4206).

PuTTY versions 0.62 and earlier - as well as all software that integrates these versions of PuTTY - are vulnerable to a buffer overflow vulnerability in the calculation of modular inverses when verifying a DSA signature (CVE-2013-4207).

PuTTY versions 0.62 and earlier - as well as all software that integrates these versions of PuTTY - are vulnerable to private keys left in memory after being used by PuTTY tools (CVE-2013-4208).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4206
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4208
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4852
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modmul.html
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-bignum-division-by-zero.html
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped.html
http://www.openwall.com/lists/oss-security/2013/08/06/13
http://www.search-lab.hu/advisories/secadv-20130722
========================

Updated packages in core/updates_testing:
========================

putty-0.63-1.mga2
filezilla-3.7.3-1.mga2
putty-0.63-1.mga3
filezilla-3.7.3-1.mga3

from SRPMS:
putty-0.63-1.mga2.src.rpm
filezilla-3.7.3-1.mga2.src.rpm
putty-0.63-1.mga3.src.rpm
filezilla-3.7.3-1.mga3.src.rpm
Whiteboard: MGA2TOO feedback => MGA2TOO
Severity: normal => major
Testing complete mga3_64 for filezilla 3.7.3-1, ok for me nothing to report.
CC: (none) => geiger.david68210
Testing complete mga3_32 for filezilla 3.7.3-1, ok for me nothing to report.
MGA3-32-OK in VirtualBox

default install putty-0.62-2.mga3.i586 from core release
[root@localhost wilcal]# urpmi putty
Package putty-0.62-2.mga3.i586 is already installed

default install filezilla-3.6.0.2-2.mga3.i586 from core release
[root@localhost wilcal]# urpmi filezilla
Package filezilla-3.6.0.2-2.mga3.i586 is already installed

Opened Filezilla, transferred files from M3 and Raspberry Pi servers on my LAN.
Opened Putty, opened a terminal and listed files on M3 and Raspberry Pi servers on my LAN.

install putty-0.63-1.mga3.i586 from core updates_testing
[root@localhost wilcal]# urpmi putty
Package putty-0.63-1.mga3.i586 is already installed

install filezilla-3.7.3-1.mga3.i586 from core updates_testing
[root@localhost wilcal]# urpmi filezilla
Package filezilla-3.7.3-1.mga3.i586 is already installed

Reran testing with the same servers as above. All successful.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
CC: (none) => wilcal.int
MGA3-64-OK in VirtualBox

default install putty-0.62-2.mga3.x86_64 from core release
[root@localhost wilcal]# urpmi putty
Package putty-0.62-2.mga3.x86_64 is already installed

default install filezilla-3.6.0.2-2.mga3.x86_64 from core release
[root@localhost wilcal]# urpmi filezilla
Package filezilla-3.6.0.2-2.mga3.x86_64 is already installed

Opened Filezilla, transferred files from M3 and Raspberry Pi servers on my LAN.
Opened Putty, opened a terminal and listed files on M3 and Raspberry Pi servers on my LAN.

install putty-0.63-1.mga3.x86_64 from core updates_testing
[root@localhost wilcal]# urpmi putty
Package putty-0.63-1.mga3.x86_64 is already installed

install filezilla-3.7.3-1.mga3.x86_64 from core updates_testing
[root@localhost wilcal]# urpmi filezilla
Package filezilla-3.7.3-1.mga3.x86_64 is already installed

Reran testing with the same servers as above. All successful.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
Whiteboard: MGA2TOO => MGA2TOO MGA3-32-OK MGA3-64-OK
MGA2-32-OK in VirtualBox

default install putty-0.62-1.mga2.i586 from core release
[root@localhost wilcal]# urpmi putty
Package putty-0.62-1.mga2.i586 is already installed

default install filezilla-3.5.3-1.mga2.i586 from core release
[root@localhost wilcal]# urpmi filezilla
Package filezilla-3.5.3-1.mga2.i586 is already installed

Opened Filezilla, transferred files from M3 and Raspberry Pi servers on my LAN.
Opened Putty, opened a terminal and listed files on M3 and Raspberry Pi servers on my LAN.

install putty-0.63-1.mga2.i586 from core updates_testing
[root@localhost wilcal]# urpmi putty
Package putty-0.63-1.mga2.i586 is already installed

install filezilla-3.7.3-1.mga2.i586 from core updates_testing
[root@localhost wilcal]# urpmi filezilla
Package filezilla-3.7.3-1.mga2.i586 is already installed

Reran testing with the same servers as above. All successful.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
MGA2-64-OK in VirtualBox

default install putty-0.62-1.mga2.x86_64 from core release
[root@localhost wilcal]# urpmi putty
Package putty-0.62-1.mga2.x86_64 is already installed

default install filezilla-3.5.3-1.mga2.x86_64 from core release
[root@localhost wilcal]# urpmi filezilla
Package filezilla-3.5.3-1.mga2.x86_64 is already installed

Opened Filezilla, transferred files from M3 and Raspberry Pi servers on my LAN.
Opened Putty, opened a terminal and listed files on M3 and Raspberry Pi servers on my LAN.

install putty-0.63-1.mga2.x86_64 from core updates_testing
[root@localhost wilcal]# urpmi putty
Package putty-0.63-1.mga2.x86_64 is already installed

install filezilla-3.7.3-1.mga2.x86_64 from core updates_testing
[root@localhost wilcal]# urpmi filezilla
Package filezilla-3.7.3-1.mga2.x86_64 is already installed

Reran testing with the same servers as above. All successful.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
Whiteboard: MGA2TOO MGA3-32-OK MGA3-64-OK => MGA2TOO MGA2-32-OK MGA2-64-OK MGA3-32-OK MGA3-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Validating the update. Could someone from the sysadmin team push 10925.adv to updates?
Advisory 10925.adv updated in svn to reflect comment 17. Please push 10925.adv to updates.
Update pushed: http://advisories.mageia.org/MGASA-2013-0242.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
This also fixes CVE-2011-4607: http://lwn.net/Vulnerabilities/564256/