Bug 993031 (CVE-2013-4206, CVE-2013-4207, CVE-2013-4208, CVE-2013-4852) - CVE-2013-4206 CVE-2013-4207 CVE-2013-4208 CVE-2013-4852 putty: Integer overflow, leading to heap-based buffer overflow during SSH handshake
Summary: CVE-2013-4206 CVE-2013-4207 CVE-2013-4208 CVE-2013-4852 putty: Integer overfl...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2013-4206, CVE-2013-4207, CVE-2013-4208, CVE-2013-4852
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20130715,repor...
Depends On: 993033 993034 993346 993347
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-08-05 12:59 UTC by Jan Lieskovsky
Modified: 2019-06-08 19:40 UTC (History)
7 users (show)

Fixed In Version: putty 0.6.3, filezilla 3.7.3
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-02 18:40:07 UTC


Attachments (Terms of Use)

Description Jan Lieskovsky 2013-08-05 12:59:34 UTC
An integer overflow, leading to heap-based buffer overflow flaw was found in the way DSS and RSA implementation of PuTTY, a SSH, telnet, and rlogin client, used to process certain SSH handshake messages. A rogue SSH server could issue a specially-crafted SSH handshake message that, when processed in PuTTY client would lead to client crash or, potentially, arbitrary code execution with the privileges of the user running the client.

References:
[1] http://www.search-lab.hu/advisories/secadv-20130722

Upstream bug report:
[2] http://winscp.net/tracker/show_bug.cgi?id=1017

Relevant patch:
[3] http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896

Other references:
[4] https://bugs.mageia.org/show_bug.cgi?id=10925
[5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718779

Comment 1 Jan Lieskovsky 2013-08-05 13:01:43 UTC
This issue affects the (latest) versions of the putty package, as shipped with Fedora release of 18, 19, Fedora EPEL-5, and Fedora EPEL-6. Please schedule an update.

Comment 2 Jan Lieskovsky 2013-08-05 13:02:41 UTC
Created putty tracking bugs for this issue:

Affects: fedora-all [bug 993033]
Affects: epel-all [bug 993034]

Comment 3 Kurt Seifried 2013-08-05 20:24:34 UTC
Salvatore Bonaccorso <carnil@debian.org> reports:

Package: filezilla
Severity: grave
Tags: security patch upstream

Hi,

the following vulnerability was published for putty, but filezilla
embedds putty source:

CVE-2013-4852[0]:
PuTTY SSH handshake heap overflow

See the advisory [1] for details referring to putty commit [2].
AFAICS filezilla embedding putty in vulnerable version is used in
build for fzsftp. See [3] for the corresponding bugreport for putty
itself.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2013-4852
[1] http://www.search-lab.hu/advisories/secadv-20130722
[2] http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896
[3] http://bugs.debian.org/718779

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718800

Comment 4 Kurt Seifried 2013-08-05 20:27:13 UTC
Created filezilla tracking bugs for this issue:

Affects: fedora-all [bug 993346]
Affects: epel-6 [bug 993347]

Comment 5 Vincent Danen 2013-08-06 19:43:45 UTC
This is fixed in FileZilla 3.7.2:

http://svn.filezilla-project.org/filezilla?revision=5158&view=revision

Putty 0.6.3 was also released to fix this flaw.

Comment 6 Vincent Danen 2013-08-06 19:48:17 UTC
This flaw is documented here:

http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-signature-stringlen.html

However, there are three other flaws without CVE names:

* a heap-corrupting buffer underrun bug in the modmul function which performs modular multiplication:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modmul.html
http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9977

* A buffer overflow vulnerability in the calculation of modular inverses when verifying a DSA signature:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-bignum-division-by-zero.html
http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9996

* Private keys left in memory after being used by PuTTY tools:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped.html
http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9988

These three issues do not, as far as I know yet, have CVE names.

Comment 7 Vincent Danen 2013-08-07 18:48:11 UTC
> * a heap-corrupting buffer underrun bug in the modmul function which
> performs modular multiplication:
> http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modmul.html
> http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9977

CVE-2013-4206
 
> * A buffer overflow vulnerability in the calculation of modular inverses
> when verifying a DSA signature:
> http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-bignum-
> division-by-zero.html
> http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9996

CVE-2013-4207
 
> * Private keys left in memory after being used by PuTTY tools:
> http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-
> wiped.html
> http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9988

CVE-2013-4208

Assigned as per:

http://www.openwall.com/lists/oss-security/2013/08/06/13

Comment 8 Vincent Danen 2013-08-09 14:05:45 UTC
FileZilla 3.7.3 was released which corrects the other three putty flaws.

Comment 9 Richard W.M. Jones 2013-08-09 20:31:02 UTC
*** Bug 995610 has been marked as a duplicate of this bug. ***

Comment 10 Fedora Update System 2013-08-18 00:39:32 UTC
filezilla-3.7.3-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2013-08-21 00:00:57 UTC
putty-0.63-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2013-08-21 00:12:35 UTC
putty-0.63-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2013-09-29 18:14:21 UTC
filezilla-3.7.3-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2013-09-30 00:48:17 UTC
filezilla-3.7.3-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.