Bug 675524

Summary:	<net-misc/putty-0.71: multiple vulnerabilities (CVE-2019-{6109,6110})
Product:	Gentoo Security	Reporter:	GLSAMaker/CVETool Bot <glsamaker>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	jer, moonlapse81
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B3 [noglsa cve]
Package list:	=net-misc/putty-0.71-r2	Runtime testing required:	---
Bug Depends on:	680818, 680862
Bug Blocks:	675526

Description GLSAMaker/CVETool Bot gentoo-dev

2019-01-15 17:53:55 UTC

CVE-2019-6109 (https://nvd.nist.gov/vuln/detail/CVE-2019-6109):
  scp client spoofing via object name

CVE-2019-6110 (https://nvd.nist.gov/vuln/detail/CVE-2019-6110):
  scp client spoofing via stderr

Comment 1 Larry the Git Cow gentoo-dev

2019-03-17 23:35:45 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c9f1f0773d84491b9b51c86d1b9e45a8b970bffd

commit c9f1f0773d84491b9b51c86d1b9e45a8b970bffd
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-03-17 23:33:27 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-03-17 23:35:40 +0000

    net-misc/putty: Version 0.71
    
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=675524
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-misc/putty/Manifest          |  1 +
 net-misc/putty/putty-0.71.ebuild | 90 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 91 insertions(+)

Comment 2 Hanno Böck gentoo-dev

2019-03-18 22:03:37 UTC

Just for completeness, there seem to be many more vuln fixes in this version:
https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html

Security fixes found by an EU-funded bug bounty programme:

    a remotely triggerable memory overwrite in RSA key exchange, which can occur before host key verification
    potential recycling of random numbers used in cryptography
    on Windows, hijacking by a malicious help file in the same directory as the executable
    on Unix, remotely triggerable buffer overflow in any kind of server-to-client forwarding
    multiple denial-of-service attacks that can be triggered by writing to the terminal 

Particularly the first one sounds severe

Comment 3 Agostino Sarubbo gentoo-dev

2019-03-20 13:38:28 UTC

@jer

if it is fine to stabilize, please CC arches. Thanks

Comment 4 Larry the Git Cow gentoo-dev

2019-03-26 07:54:44 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7b0fab72e164d096b3f5e01dd6a5c4b2affa139

commit f7b0fab72e164d096b3f5e01dd6a5c4b2affa139
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-03-26 07:52:57 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-03-26 07:54:37 +0000

    net-misc/putty: Replace no-gssapi patch after upstream review
    
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=675524
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=680818
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-misc/putty/files/putty-0.71-no-gssapi.patch    | 190 ++++++++++++---------
 .../{putty-0.71-r1.ebuild => putty-0.71-r2.ebuild} |   0
 2 files changed, 108 insertions(+), 82 deletions(-)

Comment 5 Jeroen Roovers (RETIRED) gentoo-dev

2019-03-30 13:15:11 UTC

0.71-r2 should be fine.

Comment 6 Aaron Bauman (RETIRED) gentoo-dev

2019-03-30 17:41:50 UTC

@arches, please stabilize.

Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev

2019-04-02 01:40:11 UTC

x86 stable

Comment 8 Mikle Kolyada (RETIRED) archtester

2019-04-02 09:08:45 UTC

amd64 stable

Comment 9 Rolf Eike Beer archtester

2019-04-06 10:21:01 UTC

sparc stable

Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev

2019-04-07 21:38:06 UTC

hppa stable

Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev

2019-04-07 21:49:29 UTC

ppc64 stable

Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev

2019-04-08 06:09:49 UTC

ppc stable

Comment 13 Mikle Kolyada (RETIRED) archtester

2019-04-08 06:46:22 UTC

alpha stable

Comment 14 Aaron Bauman (RETIRED) gentoo-dev

2019-04-08 13:39:33 UTC

@maintainer, please drop vulnerable.

Comment 15 Larry the Git Cow gentoo-dev

2019-04-08 16:02:35 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=87550bf16cbadc85e630077e93a72e23e862b911

commit 87550bf16cbadc85e630077e93a72e23e862b911
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-04-08 16:02:05 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-04-08 16:02:30 +0000

    net-misc/putty: Old
    
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=675524
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-misc/putty/Manifest          |  1 -
 net-misc/putty/putty-0.68.ebuild | 90 ----------------------------------------
 2 files changed, 91 deletions(-)

Comment 16 Aaron Bauman (RETIRED) gentoo-dev

2019-04-08 16:12:35 UTC

(In reply to Larry the Git Cow from comment #15)
> The bug has been referenced in the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=87550bf16cbadc85e630077e93a72e23e862b911
> 
> commit 87550bf16cbadc85e630077e93a72e23e862b911
> Author:     Jeroen Roovers <jer@gentoo.org>
> AuthorDate: 2019-04-08 16:02:05 +0000
> Commit:     Jeroen Roovers <jer@gentoo.org>
> CommitDate: 2019-04-08 16:02:30 +0000
> 
>     net-misc/putty: Old
>     
>     Package-Manager: Portage-2.3.62, Repoman-2.3.12
>     Bug: https://bugs.gentoo.org/show_bug.cgi?id=675524
>     Signed-off-by: Jeroen Roovers <jer@gentoo.org>
> 
>  net-misc/putty/Manifest          |  1 -
>  net-misc/putty/putty-0.68.ebuild | 90
> ----------------------------------------
>  2 files changed, 91 deletions(-)

Thanks!