Bug 993031 (CVE-2013-4206, CVE-2013-4207, CVE-2013-4208, CVE-2013-4852)
| Summary: | CVE-2013-4206 CVE-2013-4207 CVE-2013-4208 CVE-2013-4852 putty: Integer overflow, leading to heap-based buffer overflow during SSH handshake | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | drizt72, f802095, fedora, jrusnack, jskarvad, kwizart, tremble |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | putty 0.6.3, filezilla 3.7.3 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-06-02 18:40:07 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 993033, 993034, 993346, 993347 | ||
| Bug Blocks: | |||
|
Description
Jan Lieskovsky
2013-08-05 12:59:34 UTC
This issue affects the (latest) versions of the putty package, as shipped with Fedora release of 18, 19, Fedora EPEL-5, and Fedora EPEL-6. Please schedule an update. Created putty tracking bugs for this issue: Affects: fedora-all [bug 993033] Affects: epel-all [bug 993034] Salvatore Bonaccorso <carnil> reports: Package: filezilla Severity: grave Tags: security patch upstream Hi, the following vulnerability was published for putty, but filezilla embedds putty source: CVE-2013-4852[0]: PuTTY SSH handshake heap overflow See the advisory [1] for details referring to putty commit [2]. AFAICS filezilla embedding putty in vulnerable version is used in build for fzsftp. See [3] for the corresponding bugreport for putty itself. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] http://security-tracker.debian.org/tracker/CVE-2013-4852 [1] http://www.search-lab.hu/advisories/secadv-20130722 [2] http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896 [3] http://bugs.debian.org/718779 Please adjust the affected versions in the BTS as needed. Regards, Salvatore http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718800 Created filezilla tracking bugs for this issue: Affects: fedora-all [bug 993346] Affects: epel-6 [bug 993347] This is fixed in FileZilla 3.7.2: http://svn.filezilla-project.org/filezilla?revision=5158&view=revision Putty 0.6.3 was also released to fix this flaw. This flaw is documented here: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-signature-stringlen.html However, there are three other flaws without CVE names: * a heap-corrupting buffer underrun bug in the modmul function which performs modular multiplication: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modmul.html http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9977 * A buffer overflow vulnerability in the calculation of modular inverses when verifying a DSA signature: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-bignum-division-by-zero.html http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9996 * Private keys left in memory after being used by PuTTY tools: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped.html http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9988 These three issues do not, as far as I know yet, have CVE names. > * a heap-corrupting buffer underrun bug in the modmul function which > performs modular multiplication: > http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modmul.html > http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9977 CVE-2013-4206 > * A buffer overflow vulnerability in the calculation of modular inverses > when verifying a DSA signature: > http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-bignum- > division-by-zero.html > http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9996 CVE-2013-4207 > * Private keys left in memory after being used by PuTTY tools: > http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not- > wiped.html > http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9988 CVE-2013-4208 Assigned as per: http://www.openwall.com/lists/oss-security/2013/08/06/13 FileZilla 3.7.3 was released which corrects the other three putty flaws. *** Bug 995610 has been marked as a duplicate of this bug. *** filezilla-3.7.3-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. putty-0.63-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. putty-0.63-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. filezilla-3.7.3-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report. filezilla-3.7.3-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. |