Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 576524 (CVE-2016-2563) - <net-misc/putty-0.67 buffer overrun in the old-style SCP protocol (CVE-2016-2563)
Summary: <net-misc/putty-0.67 buffer overrun in the old-style SCP protocol (CVE-2016-...
Status: RESOLVED FIXED
Alias: CVE-2016-2563
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: C2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-03-05 15:27 UTC by Frank Krömmelbein
Modified: 2016-06-05 17:24 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Frank Krömmelbein 2016-03-05 15:27:15 UTC
http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
These features are new in beta 0.67 (released 2016-03-05):

- Security fix: a buffer overrun in the old-style SCP protocol when receiving the header of each file downloaded from the server is fixed. 
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2563

- Windows PuTTY now sets its process ACL more restrictively, in an attempt to defend against malicious other processes reading sensitive data out of its memory.
- Assorted other robustness fixes for crashes and memory leaks.
- We have started using Authenticode to sign our Windows executables and installer.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2016-03-06 18:11:02 UTC
Arch teams, please test and mark stable:
=net-misc/putty-0.67
Targeted stable KEYWORDS : alpha amd64 hppa ppc ppc64 sparc x86
Comment 2 Agostino Sarubbo gentoo-dev 2016-03-07 08:05:02 UTC
amd64 stable
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2016-03-08 13:41:55 UTC
Stable for HPPA PPC64.
Comment 4 Agostino Sarubbo gentoo-dev 2016-03-15 16:43:50 UTC
x86 stable
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2016-03-16 09:25:49 UTC
Stable on alpha.
Comment 6 Agostino Sarubbo gentoo-dev 2016-03-16 12:08:17 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-03-19 11:40:20 UTC
sparc stable.

Maintainer(s), please cleanup.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2016-04-05 03:08:10 UTC
Arches and Maintainer(s), Thank you for your work.
New GLSA Request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2016-04-05 08:13:38 UTC
CVE-2016-2563 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2563):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.
  //** TEMPORARY **//
  A buffer overrun in Putty in the old-style SCP protocol when receiving the
  header of each file downloaded from the server is fixed.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2016-06-05 17:24:50 UTC
This issue was resolved and addressed in
 GLSA 201606-01 at https://security.gentoo.org/glsa/201606-01
by GLSA coordinator Yury German (BlueKnight)