Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 675524 - <net-misc/putty-0.71: multiple vulnerabilities (CVE-2019-{6109,6110})
Summary: <net-misc/putty-0.71: multiple vulnerabilities (CVE-2019-{6109,6110})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: 680818 680862
Blocks: CVE-2019-6109, CVE-2019-6110
  Show dependency tree
 
Reported: 2019-01-15 17:53 UTC by GLSAMaker/CVETool Bot
Modified: 2019-04-08 16:12 UTC (History)
2 users (show)

See Also:
Package list:
=net-misc/putty-0.71-r2
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-01-15 17:53:55 UTC
CVE-2019-6109 (https://nvd.nist.gov/vuln/detail/CVE-2019-6109):
  scp client spoofing via object name

CVE-2019-6110 (https://nvd.nist.gov/vuln/detail/CVE-2019-6110):
  scp client spoofing via stderr
Comment 1 Larry the Git Cow gentoo-dev 2019-03-17 23:35:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c9f1f0773d84491b9b51c86d1b9e45a8b970bffd

commit c9f1f0773d84491b9b51c86d1b9e45a8b970bffd
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-03-17 23:33:27 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-03-17 23:35:40 +0000

    net-misc/putty: Version 0.71
    
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=675524
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-misc/putty/Manifest          |  1 +
 net-misc/putty/putty-0.71.ebuild | 90 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 91 insertions(+)
Comment 2 Hanno Böck gentoo-dev 2019-03-18 22:03:37 UTC
Just for completeness, there seem to be many more vuln fixes in this version:
https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html

Security fixes found by an EU-funded bug bounty programme:

    a remotely triggerable memory overwrite in RSA key exchange, which can occur before host key verification
    potential recycling of random numbers used in cryptography
    on Windows, hijacking by a malicious help file in the same directory as the executable
    on Unix, remotely triggerable buffer overflow in any kind of server-to-client forwarding
    multiple denial-of-service attacks that can be triggered by writing to the terminal 

Particularly the first one sounds severe
Comment 3 Agostino Sarubbo gentoo-dev 2019-03-20 13:38:28 UTC
@jer

if it is fine to stabilize, please CC arches. Thanks
Comment 4 Larry the Git Cow gentoo-dev 2019-03-26 07:54:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7b0fab72e164d096b3f5e01dd6a5c4b2affa139

commit f7b0fab72e164d096b3f5e01dd6a5c4b2affa139
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-03-26 07:52:57 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-03-26 07:54:37 +0000

    net-misc/putty: Replace no-gssapi patch after upstream review
    
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=675524
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=680818
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-misc/putty/files/putty-0.71-no-gssapi.patch    | 190 ++++++++++++---------
 .../{putty-0.71-r1.ebuild => putty-0.71-r2.ebuild} |   0
 2 files changed, 108 insertions(+), 82 deletions(-)
Comment 5 Jeroen Roovers gentoo-dev 2019-03-30 13:15:11 UTC
0.71-r2 should be fine.
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-30 17:41:50 UTC
@arches, please stabilize.
Comment 7 Thomas Deutschmann gentoo-dev Security 2019-04-02 01:40:11 UTC
x86 stable
Comment 8 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-02 09:08:45 UTC
amd64 stable
Comment 9 Rolf Eike Beer 2019-04-06 10:21:01 UTC
sparc stable
Comment 10 Sergei Trofimovich gentoo-dev 2019-04-07 21:38:06 UTC
hppa stable
Comment 11 Sergei Trofimovich gentoo-dev 2019-04-07 21:49:29 UTC
ppc64 stable
Comment 12 Sergei Trofimovich gentoo-dev 2019-04-08 06:09:49 UTC
ppc stable
Comment 13 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-08 06:46:22 UTC
alpha stable
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-04-08 13:39:33 UTC
@maintainer, please drop vulnerable.
Comment 15 Larry the Git Cow gentoo-dev 2019-04-08 16:02:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=87550bf16cbadc85e630077e93a72e23e862b911

commit 87550bf16cbadc85e630077e93a72e23e862b911
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-04-08 16:02:05 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-04-08 16:02:30 +0000

    net-misc/putty: Old
    
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=675524
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-misc/putty/Manifest          |  1 -
 net-misc/putty/putty-0.68.ebuild | 90 ----------------------------------------
 2 files changed, 91 deletions(-)
Comment 16 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-04-08 16:12:35 UTC
(In reply to Larry the Git Cow from comment #15)
> The bug has been referenced in the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=87550bf16cbadc85e630077e93a72e23e862b911
> 
> commit 87550bf16cbadc85e630077e93a72e23e862b911
> Author:     Jeroen Roovers <jer@gentoo.org>
> AuthorDate: 2019-04-08 16:02:05 +0000
> Commit:     Jeroen Roovers <jer@gentoo.org>
> CommitDate: 2019-04-08 16:02:30 +0000
> 
>     net-misc/putty: Old
>     
>     Package-Manager: Portage-2.3.62, Repoman-2.3.12
>     Bug: https://bugs.gentoo.org/show_bug.cgi?id=675524
>     Signed-off-by: Jeroen Roovers <jer@gentoo.org>
> 
>  net-misc/putty/Manifest          |  1 -
>  net-misc/putty/putty-0.68.ebuild | 90
> ----------------------------------------
>  2 files changed, 91 deletions(-)

Thanks!