Bug 15394 - putty new security issues MATTA-2015-002 and CVE-2015-2157
Summary: putty new security issues MATTA-2015-002 and CVE-2015-2157
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/635992/
Whiteboard: advisory MGA4-64-OK MGA4-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-03-02 00:39 CET by David Walser
Modified: 2015-03-09 22:20 CET (History)
5 users (show)

See Also:
Source RPM: putty-0.63-4.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2015-03-02 00:39:10 CET
Two security issues have been fixed upstream in PuTTY 0.64:
http://openwall.com/lists/oss-security/2015/02/27/4
http://openwall.com/lists/oss-security/2015/02/28/4

CVE-2015-2157 has been assigned for the second issue:
http://openwall.com/lists/oss-security/2015/02/28/5

Mageia 4 and Mageia 5 are affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-03-02 00:39:17 CET

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 Oden Eriksson 2015-03-03 16:33:46 CET
submitted for mga4 and committed for cauldron.

CC: (none) => oe

Comment 2 David Walser 2015-03-03 16:36:56 CET
Thanks Oden.  I sent a freeze push request.
Comment 3 Oden Eriksson 2015-03-03 16:46:34 CET
Note. putty is also in filezilla. looking at that now.
Comment 4 David Walser 2015-03-03 16:48:55 CET
Indeed.  Thanks Oden.
Comment 5 Oden Eriksson 2015-03-03 17:06:27 CET
FileZilla_3.10.2 has putty 0.64

FYI.

The devs at #filezilla said you can verify that in the src/putty/MERGEREVISION file in the repository.

I have no idea how CVE-2015-2157 may or may not affect filezilla. Anyways, I bumped to FileZilla_3.10.2 for mg4 and cauldron.

Cheers.
Comment 6 Oden Eriksson 2015-03-03 17:07:23 CET
Argh. On mga4 I get:

checking for wxWidgets version >= 3.0.2 (--unicode=yes --universal=no)... no (version 2.8.12 is not new enough)
Comment 7 Oden Eriksson 2015-03-03 17:17:32 CET
Used plan B. and took putty 0.64 from FileZilla_3.10.2 to replace the one in FileZilla_3.7.3.
Comment 8 Oden Eriksson 2015-03-03 17:19:13 CET
filezilla-3.7.3-2.1.mga4 built fine.
Comment 9 David Walser 2015-03-03 18:49:12 CET
Filezilla 3.10.2 also didn't build in Cauldron because we don't have wxgtk 3.0.2 there yet (we have 3.0.1).  3.0.2 is a bugfix release, so we could update it, or you could update the bundled PuTTY in the existing Filezilla version like you did for the Mageia 4 update.
Comment 10 Oden Eriksson 2015-03-04 07:39:29 CET
Filezilla 3.10.2 now builds for mga4 and cauldron.

Someone has to submit filezilla for cauldron.
Comment 11 Olivier Delaune 2015-03-04 08:10:23 CET
Tested filezilla-3.7.3-2.1 on Mageia 4 64-bits. I do not know whether I am supposed to test something specific. If not, up to now, everything works fine.

CC: (none) => olivier.delaune

Comment 12 Oden Eriksson 2015-03-04 08:44:38 CET
(In reply to Olivier Delaune from comment #11)
> Tested filezilla-3.7.3-2.1 on Mageia 4 64-bits. I do not know whether I am
> supposed to test something specific. If not, up to now, everything works
> fine.

One of the filezilla developers said I could not do as I did in filezilla-3.7.3-2.1, so I fixed so that filezilla-3.10.2 builds for mga4. Please test that version instead.
Comment 13 David Walser 2015-03-04 15:54:25 CET
wxgtk 3.0.2 update for Cauldron committed in SVN.  Freeze push requests sent for wxgtk and filezilla.
Comment 14 Olivier Delaune 2015-03-04 18:11:51 CET
I installed and tested filezilla-3.10.2-1. Everything works fine up to now.
Comment 15 Olivier Delaune 2015-03-04 18:13:10 CET
Oops, forgot to mention that I tested on Mageia 4 64-bits.
Comment 16 David Walser 2015-03-05 21:26:45 CET
Updates pushed for Cauldron.

Oliver, have you tested the putty update in Mageia 4 updates_testing?

Version: Cauldron => 4
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 17 David Walser 2015-03-05 21:27:56 CET
Updated packages to test are:
putty-0.64-1.mga4
filezilla-3.10.2-1.mga4

Advisory to come...

CC: (none) => mageia
Assignee: mageia => qa-bugs

Comment 18 Olivier Delaune 2015-03-05 21:34:22 CET
(In reply to David Walser from comment #16)
> Updates pushed for Cauldron.
> 
> Oliver, have you tested the putty update in Mageia 4 updates_testing?

No I did not. I do not putty so I do not know how to test it. I only tested filezilla.
Comment 19 David Walser 2015-03-05 21:39:26 CET
Upstream has argued that MATTA-2015-002 isn't a security issue, but they fixed it anyway:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/diffie-hellman-range-check.html

Advisory:
========================

Updated putty and filezilla packages fix security vulnerability:

PuTTY suite versions 0.51 to 0.63 fail to clear SSH-2 private key
information from memory when loading and saving key files to disk,
leading to potential disclosure. The issue affects keys stored on disk
in encrypted and unencrypted form, and is present in PuTTY, Plink,
PSCP, PSFTP, Pageant and PuTTYgen (CVE-2015-2157).

The putty package has been updated to version 0.64, fixing this and other
issues.  The filezilla package, which contains a bundled version of PuTTY,
has also been updated, to version 3.10.2.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2157
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html
http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
http://openwall.com/lists/oss-security/2015/02/28/4
https://filezilla-project.org/newsfeed.php
Comment 20 David Walser 2015-03-05 21:39:55 CET
(In reply to Olivier Delaune from comment #18)
> (In reply to David Walser from comment #16)
> > Updates pushed for Cauldron.
> > 
> > Oliver, have you tested the putty update in Mageia 4 updates_testing?
> 
> No I did not. I do not putty so I do not know how to test it. I only tested
> filezilla.

PuTTY is just a graphical SSH client, it's easy to test if you're willing to give it a go...
Comment 21 David GEIGER 2015-03-06 07:34:22 CET
Tested mga4_64,

Testing complete for putty-0.64-1.mga4 and filezilla-3.10.2-1.mga4, all seems to work properly. No regression found.

CC: (none) => geiger.david68210

David Walser 2015-03-06 13:39:37 CET

Whiteboard: (none) => MGA4-64-OK

Comment 22 David GEIGER 2015-03-06 14:53:39 CET
Tested mga4_32,

Testing complete for putty-0.64-1.mga4 and filezilla-3.10.2-1.mga4, all seems to work properly. No regression found.

Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK

Comment 23 claire robinson 2015-03-06 17:57:31 CET
Validating. Advisory uploaded from comment 19 with srpms from comment 17

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 24 Mageia Robot 2015-03-06 19:09:41 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0098.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-03-09 22:20:37 CET

URL: (none) => http://lwn.net/Vulnerabilities/635992/


Note You need to log in before you can comment on or make changes to this bug.