
Bug 479872 (CVE-2013-4852)

Summary: <net-misc/putty-0.63 : SSH Handshake Integer Overflow Vulnerabilities (CVE-2013-4852)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: jer
Priority: Normal
Keywords: STABLEREQ
Version: unspecified
Hardware: All
OS: Linux
URL: https://secunia.com/advisories/54354/
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-08-05 20:32:47 UTC
From ${URL} :

Description

SEARCH-LAB has reported some vulnerabilities in PuTTY, which can be exploited by malicious people 
to potentially compromise a user's system.

The vulnerabilities are caused due to some integer overflow errors when handling the SSH handshake 
and can be exploited to cause heap-based buffer overflows via a negative handshake message length.

Successful exploitation may allow execution of arbitrary code, but requires tricking the user 
into connecting to a malicious server.

The vulnerabilities are reported in version 0.62. Prior versions may also be affected.


Solution:
Fixed in the source code repository.

Provided and/or discovered by:
Gergely Eberhardt, SEARCH-LAB.

Original Advisory:
PuTTY SVN:
http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896



@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2013-08-05 22:02:57 UTC
Arch teams, please test and mark stable:
=net-misc/putty-0.62.20130805
Stable KEYWORDS : alpha amd64 ppc sparc x86
Comment 2 Agostino Sarubbo gentoo-dev 2013-08-07 13:15:14 UTC
amd64 stable
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2013-08-07 13:50:13 UTC
Upstream have committed to a new release, so let's stabilise that instead. I have carried over the stable amd64 keyword.

Arch teams, please test and mark stable:
=net-misc/putty-0.63
Stable KEYWORDS : alpha amd64 hppa ppc sparc x86
Comment 4 Agostino Sarubbo gentoo-dev 2013-08-08 12:29:48 UTC
sparc stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-08-08 12:33:31 UTC
alpha stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-08-08 12:33:40 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-08-08 12:33:49 UTC
x86 stable
Comment 8 Sergey Popov gentoo-dev 2013-08-21 07:13:27 UTC
Thanks for your work.

Added to existing GLSA draft
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2013-08-21 11:58:18 UTC
This issue was resolved and addressed in
 GLSA 201308-01 at http://security.gentoo.org/glsa/glsa-201308-01.xml
by GLSA coordinator Sergey Popov (pinkbyte).
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 16:22:11 UTC
CVE-2013-4852 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4852):
  Integer overflow in PuTTY 0.62 and earlier, WinSCP before 5.1.6, and other
  products that use PuTTY allows remote SSH servers to cause a denial of
  service (crash) and possibly execute arbitrary code in certain applications
  that use PuTTY via a negative size value in an RSA key signature during the
  SSH handshake, which triggers a heap-based buffer overflow.
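
Added illustration, not part of the bug thread and not PuTTY's source: the bug class described above (a length taken from the wire becomes negative and slips past a bounds check) shown on a generic SSH-style length-prefixed field, with the flawed check beside a hardened one. All function names and the sample bytes are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read the 4-byte big-endian length prefix of an SSH "string" field. */
static uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Flawed pattern: the wire length lands in a signed int and only an upper
 * bound is checked, so 0xFFFFFFF0 becomes -16 on common compilers and
 * passes. Returns 1 if the field would be accepted; nothing is copied. */
int weak_accepts(const unsigned char *pkt, int pktlen) {
    if (pktlen < 4) return 0;
    int len = (int)read_be32(pkt);
    return len <= pktlen - 4;
}

/* Hardened pattern: keep the length unsigned and compare it with the bytes
 * that actually remain. Returns bytes consumed, or 0 to reject the field. */
size_t get_string_checked(const unsigned char *pkt, size_t pktlen,
                          const unsigned char **data, size_t *len) {
    if (pktlen < 4) return 0;
    uint32_t n = read_be32(pkt);
    if (n > pktlen - 4) return 0;   /* rejects "negative" and oversized */
    *data = pkt + 4;
    *len = n;
    return 4 + (size_t)n;
}

/* Constructed sample fields (not captured traffic). */
const unsigned char good_field[] = {0, 0, 0, 3, 'a', 'b', 'c'};
const unsigned char bad_field[]  = {0xFF, 0xFF, 0xFF, 0xF0, 'a', 'b', 'c'};

int main(void) {
    const unsigned char *d;
    size_t l;
    printf("weak check accepts bad field: %d\n",
           weak_accepts(bad_field, (int)sizeof bad_field));
    printf("hardened parser consumed:     %zu\n",
           get_string_checked(bad_field, sizeof bad_field, &d, &l));
    return 0;
}
```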