Bug 993031 - (CVE-2013-4206, CVE-2013-4207, CVE-2013-4208, CVE-2013-4852) CVE-2013-4206 CVE-2013-4207 CVE-2013-4208 CVE-2013-4852 putty: Integer overflow, leading to heap-based buffer overflow during SSH handshake
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20130715,repor...
Keywords: Security
Depends On: 993033 993034 993346 993347
Reported: 2013-08-05 08:59 EDT by Jan Lieskovsky
Modified: 2014-08-15 09:20 EDT
Fixed In Version: putty 0.6.3, filezilla 3.7.3
Doc Type: Bug Fix
Last Closed: 2014-06-02 14:40:07 EDT
Attachments: None
Description Jan Lieskovsky 2013-08-05 08:59:34 EDT
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the DSS and RSA implementations of PuTTY, an SSH, telnet, and rlogin client, processed certain SSH handshake messages. A rogue SSH server could issue a specially crafted SSH handshake message that, when processed by the PuTTY client, would lead to a client crash or, potentially, arbitrary code execution with the privileges of the user running the client.

References:
[1] http://www.search-lab.hu/advisories/secadv-20130722

Upstream bug report:
[2] http://winscp.net/tracker/show_bug.cgi?id=1017

Relevant patch:
[3] http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896

Other references:
[4] https://bugs.mageia.org/show_bug.cgi?id=10925
[5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718779
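The description above concerns a length field in an SSH handshake message whose integer overflow led to a heap-based buffer overflow. As an added illustration (example code written for this page, not PuTTY's or FileZilla's), the following C parser reads the RFC 4251 "string" fields of a signature blob with unsigned, remaining-bytes length checks, so an oversized or wrapped length is rejected before anything is copied or allocated; the blob layout and sample bytes are constructed for the example.

```c
/* Added example, not PuTTY's code: bounds-checked parsing of RFC 4251
 * "string" fields (uint32 big-endian length + bytes) in an SSH signature blob. */
#include <stdint.h>
#include <stddef.h>

typedef struct { const unsigned char *data; size_t len; } ssh_string;

/* Read one string at *pos; return 1 and advance on success, 0 if the length
 * word is missing or the declared length exceeds the bytes remaining. The
 * length stays unsigned and is checked against the remaining count, so a
 * hostile 0xFFFFFFFF is neither read as a negative int nor able to wrap pos. */
static int ssh_get_string(const unsigned char *buf, size_t buflen,
                          size_t *pos, ssh_string *out)
{
    size_t remaining; uint32_t declared;
    if (*pos > buflen || buflen - *pos < 4) return 0;
    remaining = buflen - *pos - 4;
    declared = ((uint32_t)buf[*pos] << 24) | ((uint32_t)buf[*pos + 1] << 16)
             | ((uint32_t)buf[*pos + 2] << 8) | (uint32_t)buf[*pos + 3];
    if (declared > remaining) return 0;   /* reject before any copy or alloc */
    out->data = buf + *pos + 4;
    out->len = declared;
    *pos += 4 + (size_t)declared;
    return 1;
}

/* Blob layout: string algorithm name, string signature bytes. 0 if well formed. */
int parse_sig_blob(const unsigned char *blob, size_t bloblen,
                   ssh_string *alg, ssh_string *sig)
{
    size_t pos = 0;
    if (!ssh_get_string(blob, bloblen, &pos, alg)) return -1;
    if (!ssh_get_string(blob, bloblen, &pos, sig)) return -1;
    return pos == bloblen ? 0 : -1;       /* no trailing bytes allowed */
}

/* Constructed blobs: a valid one, and one whose signature length word is
 * 0xFFFFFFFF, the kind of value a signed-int length check lets through. */
static const unsigned char good_blob[] = {
    0,0,0,7, 's','s','h','-','r','s','a', 0,0,0,3, 0xAA,0xBB,0xCC };
static const unsigned char hostile_blob[] = {
    0,0,0,7, 's','s','h','-','r','s','a', 0xFF,0xFF,0xFF,0xFF, 0xAA,0xBB,0xCC };
/* 1 when the valid blob parses and the hostile and a truncated blob are rejected. */
int demo(void)
{
    ssh_string alg, sig;
    int good = parse_sig_blob(good_blob, sizeof good_blob, &alg, &sig);
    int ok = good == 0 && alg.len == 7 && sig.len == 3;
    return ok && parse_sig_blob(hostile_blob, sizeof hostile_blob, &alg, &sig) == -1
              && parse_sig_blob(good_blob, sizeof good_blob - 1, &alg, &sig) == -1;
}
```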
Comment 1 Jan Lieskovsky 2013-08-05 09:01:43 EDT
This issue affects the (latest) versions of the putty package, as shipped with Fedora releases 18 and 19, Fedora EPEL-5, and Fedora EPEL-6. Please schedule an update.
Comment 2 Jan Lieskovsky 2013-08-05 09:02:41 EDT
Created putty tracking bugs for this issue:

Affects: fedora-all [bug 993033]
Affects: epel-all [bug 993034]
Comment 3 Kurt Seifried 2013-08-05 16:24:34 EDT
Salvatore Bonaccorso <carnil@debian.org> reports:

Package: filezilla
Severity: grave
Tags: security patch upstream

Hi,

the following vulnerability was published for putty, but filezilla
embeds the putty source:

CVE-2013-4852[0]:
PuTTY SSH handshake heap overflow

See the advisory [1] for details referring to putty commit [2].
AFAICS the vulnerable version of putty embedded in filezilla is used in
the build of fzsftp. See [3] for the corresponding bug report for putty
itself.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2013-4852
[1] http://www.search-lab.hu/advisories/secadv-20130722
[2] http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896
[3] http://bugs.debian.org/718779

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718800
Comment 4 Kurt Seifried 2013-08-05 16:27:13 EDT
Created filezilla tracking bugs for this issue:

Affects: fedora-all [bug 993346]
Affects: epel-6 [bug 993347]
Comment 5 Vincent Danen 2013-08-06 15:43:45 EDT
This is fixed in FileZilla 3.7.2:

http://svn.filezilla-project.org/filezilla?revision=5158&view=revision

Putty 0.6.3 was also released to fix this flaw.
Comment 6 Vincent Danen 2013-08-06 15:48:17 EDT
This flaw is documented here:

http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-signature-stringlen.html

However, there are three other flaws without CVE names:

* a heap-corrupting buffer underrun bug in the modmul function which performs modular multiplication:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modmul.html
http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9977

* A buffer overflow vulnerability in the calculation of modular inverses when verifying a DSA signature:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-bignum-division-by-zero.html
http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9996

* Private keys left in memory after being used by PuTTY tools:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped.html
http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9988

These three issues do not, as far as I know yet, have CVE names.
Comment 7 Vincent Danen 2013-08-07 14:48:11 EDT
> * a heap-corrupting buffer underrun bug in the modmul function which
> performs modular multiplication:
> http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modmul.html
> http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9977

CVE-2013-4206
 
> * A buffer overflow vulnerability in the calculation of modular inverses
> when verifying a DSA signature:
> http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-bignum-division-by-zero.html
> http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9996

CVE-2013-4207
 
> * Private keys left in memory after being used by PuTTY tools:
> http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped.html
> http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9988

CVE-2013-4208

Assigned as per:

http://www.openwall.com/lists/oss-security/2013/08/06/13
Comment 8 Vincent Danen 2013-08-09 10:05:45 EDT
FileZilla 3.7.3 was released which corrects the other three putty flaws.
Comment 9 Richard W.M. Jones 2013-08-09 16:31:02 EDT
*** Bug 995610 has been marked as a duplicate of this bug. ***
Comment 10 Fedora Update System 2013-08-17 20:39:32 EDT
filezilla-3.7.3-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2013-08-20 20:00:57 EDT
putty-0.63-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2013-08-20 20:12:35 EDT
putty-0.63-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2013-09-29 14:14:21 EDT
filezilla-3.7.3-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2013-09-29 20:48:17 EDT
filezilla-3.7.3-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.