Bug 482672 - <net-ftp/filezilla-3.7.3 : Multiple Vulnerabilities (CVE-2013-{4206,4207,4208})
Summary: <net-ftp/filezilla-3.7.3 : Multiple Vulnerabilities (CVE-2013-{4206,4207,4208})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
Reported: 2013-08-27 13:54 UTC by Bernard Cafarelli
Modified: 2013-09-15 04:50 UTC
See Also:
Package list:
Runtime testing required: ---
Description Bernard Cafarelli gentoo-dev 2013-08-27 13:54:21 UTC
After CVE-2013-4852 (bug #479880), a series of vulnerabilities was found and fixed in filezilla 3.7.3 (available in tree).
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-08-28 14:03:35 UTC
CVE-2013-4208 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4208):
  The rsa_verify function in PuTTY before 0.63 (1) does not clear sensitive
  process memory after use and (2) does not free certain structures containing
  sensitive process memory, which might allow local users to discover private
  RSA and DSA keys.

CVE-2013-4207 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4207):
  Buffer overflow in sshbn.c in PuTTY before 0.63 allows remote SSH servers to
  cause a denial of service (crash) via an invalid DSA signature that is not
  properly handled during computation of a modular inverse and triggers the
  overflow during a division by zero by the bignum functionality, a different
  vulnerability than CVE-2013-4206.

CVE-2013-4206 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4206):
  Heap-based buffer underflow in the modmul function in sshbn.c in PuTTY
  before 0.63 allows remote SSH servers to cause a denial of service (crash)
  and possibly trigger memory corruption or code execution via a crafted DSA
  signature, which is not properly handled when performing certain
  bit-shifting operations during modular multiplication.
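The three CVE entries quoted in the comment above describe two defect classes in PuTTY's bignum code: signature values supplied by the remote peer reaching a modular inverse without range validation (a division by zero for CVE-2013-4207), and key-dependent data left in memory after use (CVE-2013-4208). The C program below is an added illustration written for this page; it is not PuTTY's code and is not part of the bug. It uses a toy 64-bit modular inverse instead of a real bignum library, and every function name and numeric value in it (q = 23, s = 7, and so on) is constructed for the example. What it shows is the control flow a verifier needs: reject r and s outside the interval (0, q) before attempting s^-1 mod q, make the inverse routine itself refuse a zero operand, and clear scratch memory with a wipe the optimizer cannot remove.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Modular inverse by the extended Euclidean algorithm on 64-bit words.
 * Returns 1 and stores a^-1 mod m in *inv when gcd(a, m) == 1; returns 0
 * (leaving *inv untouched) when a == 0 mod m, m < 2, or no inverse exists.
 * A bignum library works on multi-word integers; the point here is the
 * control flow (reject before dividing), not the arithmetic width. */
static int mod_inverse(uint64_t a, uint64_t m, uint64_t *inv)
{
    if (m < 2)
        return 0;
    a %= m;
    if (a == 0)
        return 0;                 /* would otherwise divide by zero below */

    uint64_t r = m, newr = a;
    int64_t t = 0, newt = 1;      /* Bezout coefficient tracked for a */
    while (newr != 0) {
        uint64_t quot = r / newr;
        int64_t tmp_t = t - (int64_t)quot * newt;
        t = newt;
        newt = tmp_t;
        uint64_t tmp_r = r - quot * newr;
        r = newr;
        newr = tmp_r;
    }
    if (r != 1)
        return 0;                 /* gcd != 1: no inverse exists */
    if (t < 0)
        t += (int64_t)m;
    *inv = (uint64_t)t;
    return 1;
}

/* DSA signature range check from FIPS 186: 0 < r < q and 0 < s < q.
 * A peer that sends s == 0 or s >= q must be rejected before s^-1 mod q
 * is ever attempted; the CVE-2013-4207 entry above describes a division
 * by zero reached when such a value is not rejected. */
static int dsa_sig_in_range(uint64_t r, uint64_t s, uint64_t q)
{
    return r != 0 && r < q && s != 0 && s < q;
}

/* First step of DSA verification: w = s^-1 mod q, only after validation.
 * Returns 1 on success, 0 if the signature must be rejected. */
static int dsa_compute_w(uint64_t r, uint64_t s, uint64_t q, uint64_t *w)
{
    if (!dsa_sig_in_range(r, s, q))
        return 0;
    return mod_inverse(s, q, w);
}

/* Clear sensitive memory in a way the optimizer cannot remove: a plain
 * memset on a buffer that is about to go out of scope or be freed is
 * routinely elided as a dead store. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

static int buffer_is_zero(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* Stand-in for a verification routine that derives key-dependent scratch
 * data and wipes it before returning. Returns 1 if the scratch buffer held
 * non-zero data and is all zero afterwards. */
static int verify_and_wipe_scratch(void)
{
    unsigned char scratch[32];
    memset(scratch, 0xA5, sizeof scratch);  /* constructed "key material" */
    int had_data = !buffer_is_zero(scratch, sizeof scratch);
    secure_wipe(scratch, sizeof scratch);
    return had_data && buffer_is_zero(scratch, sizeof scratch);
}

int main(void)
{
    uint64_t w = 0;
    /* Constructed values: q = 23 (prime), valid signature component s = 7. */
    printf("valid (r=5,s=7,q=23):   ok=%d w=%llu\n",
           dsa_compute_w(5, 7, 23, &w), (unsigned long long)w);
    printf("s=0   (r=5,s=0,q=23):   ok=%d\n", dsa_compute_w(5, 0, 23, &w));
    printf("s>=q  (r=5,s=23,q=23):  ok=%d\n", dsa_compute_w(5, 23, 23, &w));
    printf("scratch wiped: %d\n", verify_and_wipe_scratch());
    return 0;
}
```

With the constructed values, the valid case yields w = 10 (7 * 10 = 70 = 3 * 23 + 1), while s = 0 and s = q are refused before any division takes place. The `volatile` wipe is the portable way to keep the clearing; platforms that provide `explicit_bzero` or `memset_s` can use those instead.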
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-28 14:09:02 UTC
Thank you for the report. Arches, please test and mark stable:
=net-ftp/filezilla-3.7.3
Target arches: amd64 ppc sparc x86
Comment 3 Sergey Popov gentoo-dev 2013-08-29 12:58:06 UTC
amd64/x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-09-01 15:52:00 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-09-06 10:23:34 UTC
sparc stable
Comment 6 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-11 05:30:49 UTC
Added to GLSA draft. @maintainers: cleanup please.
Comment 7 Bernard Cafarelli gentoo-dev 2013-09-11 08:34:22 UTC
All vulnerable versions removed from tree
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2013-09-15 04:50:39 UTC
This issue was resolved and addressed in
 GLSA 201309-08 at http://security.gentoo.org/glsa/glsa-201309-08.xml
by GLSA coordinator Chris Reffett (creffett).