Bug 479872 (CVE-2013-4852) - <net-misc/putty-0.63 : SSH Handshake Integer Overflow Vulnerabilities (CVE-2013-4852)
Alias: CVE-2013-4852
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Reported: 2013-08-05 20:32 UTC by Agostino Sarubbo
Modified: 2013-08-27 16:22 UTC
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2013-08-05 20:32:47 UTC
From ${URL} :


SEARCH-LAB has reported some vulnerabilities in PuTTY, which can be exploited by malicious people 
to potentially compromise a user's system.

The vulnerabilities are caused due to some integer overflow errors when handling the SSH handshake 
and can be exploited to cause heap-based buffer overflows via a negative handshake message length.

Successful exploitation may allow execution of arbitrary code, but requires tricking the user 
into connecting to a malicious server.

The vulnerabilities are reported in version 0.62. Prior versions may also be affected.

Fixed in the source code repository.

Provided and/or discovered by:
Gergely Eberhardt, SEARCH-LAB.

Original Advisory:

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2013-08-05 22:02:57 UTC
Arch teams, please test and mark stable:
Stable KEYWORDS : alpha amd64 ppc sparc x86
Comment 2 Agostino Sarubbo gentoo-dev 2013-08-07 13:15:14 UTC
amd64 stable
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2013-08-07 13:50:13 UTC
Upstream have committed to a new release, so let's stabilise that instead. I have carried over the stable amd64 keyword.

Arch teams, please test and mark stable:
Stable KEYWORDS : alpha amd64 hppa ppc sparc x86
Comment 4 Agostino Sarubbo gentoo-dev 2013-08-08 12:29:48 UTC
sparc stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-08-08 12:33:31 UTC
alpha stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-08-08 12:33:40 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-08-08 12:33:49 UTC
x86 stable
Comment 8 Sergey Popov gentoo-dev 2013-08-21 07:13:27 UTC
Thanks for your work.

Added to existing GLSA draft
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2013-08-21 11:58:18 UTC
This issue was resolved and addressed in
 GLSA 201308-01 at
by GLSA coordinator Sergey Popov (pinkbyte).
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 16:22:11 UTC
CVE-2013-4852 (
  Integer overflow in PuTTY 0.62 and earlier, WinSCP before 5.1.6, and other
  products that use PuTTY allows remote SSH servers to cause a denial of
  service (crash) and possibly execute arbitrary code in certain applications
  that use PuTTY via a negative size value in an RSA key signature during the
  SSH handshake, which triggers a heap-based buffer overflow.
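The bug class described in this report, shown as an added example (not PuTTY's code and not part of the original bug thread): a length field from an SSH handshake message that is held in a signed type can pass an upper-bound check while negative, whereas an unsigned comparison against the bytes remaining rejects it. The helper names `get_u32`, `naive_accepts` and `get_string` and both sample fields are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read a big-endian 32-bit length, as used by SSH "string" fields. */
static uint32_t get_u32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Flawed check (hypothetical): the length is stored in a signed type and
 * only compared against an upper bound, so a negative value is accepted.
 * Returns 1 if the field would be accepted. No copy is performed here. */
static int naive_accepts(const unsigned char *buf, size_t avail) {
    if (avail < 4) return 0;
    int32_t len = (int32_t)get_u32(buf);
    return len <= (int32_t)(avail - 4);
}

/* Hardened parse (hypothetical helper): keep the length unsigned and compare
 * it with the bytes that actually remain. Returns 0 on success, -1 on reject. */
static int get_string(const unsigned char *buf, size_t avail,
                      const unsigned char **data, size_t *len) {
    if (avail < 4) return -1;
    uint32_t n = get_u32(buf);
    if (n > avail - 4) return -1;
    *data = buf + 4;
    *len = n;
    return 0;
}

/* Constructed sample fields, not captured traffic. */
static const unsigned char good_field[] = {0,0,0,7,'s','s','h','-','r','s','a'};
static const unsigned char bad_field[]  = {0xff,0xff,0xff,0xff,'A','B','C','D'};

int main(void) {
    const unsigned char *d; size_t n;
    printf("good: naive=%d hardened=%d\n",
           naive_accepts(good_field, sizeof good_field),
           get_string(good_field, sizeof good_field, &d, &n));
    printf("bad:  naive=%d hardened=%d\n",
           naive_accepts(bad_field, sizeof bad_field),
           get_string(bad_field, sizeof bad_field, &d, &n));
    return 0;
}
```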