An integer overflow, leading to heap-based buffer overflow flaw was found in the way DSS and RSA implementation of PuTTY, a SSH, telnet, and rlogin client, used to process certain SSH handshake messages. A rogue SSH server could issue a specially-crafted SSH handshake message that, when processed in PuTTY client would lead to client crash or, potentially, arbitrary code execution with the privileges of the user running the client. References: [1] http://www.search-lab.hu/advisories/secadv-20130722 Upstream bug report: [2] http://winscp.net/tracker/show_bug.cgi?id=1017 Relevant patch: [3] http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896 Other references: [4] https://bugs.mageia.org/show_bug.cgi?id=10925 [5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718779
This issue affects the (latest) versions of the putty package, as shipped with Fedora release of 18, 19, Fedora EPEL-5, and Fedora EPEL-6. Please schedule an update.
Created putty tracking bugs for this issue: Affects: fedora-all [bug 993033] Affects: epel-all [bug 993034]
Salvatore Bonaccorso <carnil> reports: Package: filezilla Severity: grave Tags: security patch upstream Hi, the following vulnerability was published for putty, but filezilla embedds putty source: CVE-2013-4852[0]: PuTTY SSH handshake heap overflow See the advisory [1] for details referring to putty commit [2]. AFAICS filezilla embedding putty in vulnerable version is used in build for fzsftp. See [3] for the corresponding bugreport for putty itself. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] http://security-tracker.debian.org/tracker/CVE-2013-4852 [1] http://www.search-lab.hu/advisories/secadv-20130722 [2] http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896 [3] http://bugs.debian.org/718779 Please adjust the affected versions in the BTS as needed. Regards, Salvatore http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718800
Created filezilla tracking bugs for this issue: Affects: fedora-all [bug 993346] Affects: epel-6 [bug 993347]
This is fixed in FileZilla 3.7.2: http://svn.filezilla-project.org/filezilla?revision=5158&view=revision Putty 0.6.3 was also released to fix this flaw.
This flaw is documented here: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-signature-stringlen.html However, there are three other flaws without CVE names: * a heap-corrupting buffer underrun bug in the modmul function which performs modular multiplication: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modmul.html http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9977 * A buffer overflow vulnerability in the calculation of modular inverses when verifying a DSA signature: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-bignum-division-by-zero.html http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9996 * Private keys left in memory after being used by PuTTY tools: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped.html http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9988 These three issues do not, as far as I know yet, have CVE names.
> * a heap-corrupting buffer underrun bug in the modmul function which > performs modular multiplication: > http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modmul.html > http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9977 CVE-2013-4206 > * A buffer overflow vulnerability in the calculation of modular inverses > when verifying a DSA signature: > http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-bignum- > division-by-zero.html > http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9996 CVE-2013-4207 > * Private keys left in memory after being used by PuTTY tools: > http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not- > wiped.html > http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9988 CVE-2013-4208 Assigned as per: http://www.openwall.com/lists/oss-security/2013/08/06/13
FileZilla 3.7.3 was released which corrects the other three putty flaws.
*** Bug 995610 has been marked as a duplicate of this bug. ***
filezilla-3.7.3-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
putty-0.63-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
putty-0.63-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
filezilla-3.7.3-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
filezilla-3.7.3-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.