930082 – (CVE-2024-31497) <net-misc/putty-0.81: unsafe key generation

Bug 930082 (CVE-2024-31497) - <net-misc/putty-0.81: unsafe key generation

Summary: <net-misc/putty-0.81: unsafe key generation

Status:	CONFIRMED

Alias:	CVE-2024-31497

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major (vote)
Assignee:	Gentoo Security

URL:	https://www.chiark.greenend.org.uk/~s...
Whiteboard:	C1 [glsa]
Keywords:

Depends on:	930083
Blocks:
	Show dependency tree

Reported:	2024-04-15 20:51 UTC by Matthew Smith
Modified:	2024-04-18 16:42 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Matthew Smith gentoo-dev

2024-04-15 20:51:23 UTC

"Every version of the PuTTY tools from 0.68 to 0.80 inclusive has a critical vulnerability in the code that generates signatures from ECDSA private keys which use the NIST P521 curve. (PuTTY, or Pageant, generates a signature from a key when using it to authenticate you to an SSH server.)"

Comment 1 Larry the Git Cow gentoo-dev

2024-04-15 20:54:15 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd80e49457a8d2ae823f8c1fd9329733cfdf7c6e

commit bd80e49457a8d2ae823f8c1fd9329733cfdf7c6e
Author:     Matthew Smith <matthew@gentoo.org>
AuthorDate: 2024-04-15 20:53:51 +0000
Commit:     Matthew Smith <matthew@gentoo.org>
CommitDate: 2024-04-15 20:54:06 +0000

    net-misc/putty: add 0.81
    
    Bug: https://bugs.gentoo.org/930082
    Signed-off-by: Matthew Smith <matthew@gentoo.org>

 net-misc/putty/Manifest          |  1 +
 net-misc/putty/putty-0.81.ebuild | 92 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 93 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2024-04-18 07:27:32 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4de767ddd30d85aac883649f2af1cf40546ccb46

commit 4de767ddd30d85aac883649f2af1cf40546ccb46
Author:     Matthew Smith <matthew@gentoo.org>
AuthorDate: 2024-04-18 07:27:16 +0000
Commit:     Matthew Smith <matthew@gentoo.org>
CommitDate: 2024-04-18 07:27:16 +0000

    net-misc/putty: drop 0.81 (security cleanup)
    
    Bug: https://bugs.gentoo.org/930082
    Signed-off-by: Matthew Smith <matthew@gentoo.org>

 net-misc/putty/Manifest          |  1 -
 net-misc/putty/putty-0.81.ebuild | 92 ----------------------------------------
 2 files changed, 93 deletions(-)

Comment 3 Per Pomsel 2024-04-18 08:01:35 UTC

... you dropped the wrong version!

Comment 4 Larry the Git Cow gentoo-dev

2024-04-18 16:42:37 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d7c3ef126895c8dd48ac1458c0ded96bd4b7bba4

commit d7c3ef126895c8dd48ac1458c0ded96bd4b7bba4
Author:     Matthew Smith <matthew@gentoo.org>
AuthorDate: 2024-04-18 16:41:35 +0000
Commit:     Matthew Smith <matthew@gentoo.org>
CommitDate: 2024-04-18 16:42:33 +0000

    net-misc/putty: drop 0.80 (security cleanup)
    
    Drop the vulnerable version, not the new fixed version.
    
    Bug: https://bugs.gentoo.org/930082
    Signed-off-by: Matthew Smith <matthew@gentoo.org>

 net-misc/putty/Manifest          |  1 -
 net-misc/putty/putty-0.80.ebuild | 92 ----------------------------------------
 2 files changed, 93 deletions(-)