#8826 closed Bug report (fixed)
More security issues in putty (CVE-2013-4206, CVE-2013-4207, CVE-2013-4208)
Reported by: | oden | Owned by: | |
---|---|---|---|
Priority: | high | Component: | FileZilla Client |
Keywords: | | Cc: | |
Component version: | | Operating system type: | Linux |
Operating system version: | | | |
Description
Reference: http://www.openwall.com/lists/oss-security/2013/08/06/13
"On 08/06/2013 01:56 PM, Vincent Danen wrote:
There seem to be some CVEs needed for putty 0.63 due to some other
fixes that were fixed alongside CVE-2013-4852:
- a heap-corrupting buffer underrun bug in the modmul function
which performs modular multiplication:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modmul.html
http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9977
Please use CVE-2013-4206 for this issue.
- A buffer overflow vulnerability in the calculation of modular
inverses when verifying a DSA signature:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-bignum-division-by-zero.html
http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9996
Please use CVE-2013-4207 for this issue.
- Private keys left in memory after being used by PuTTY tools:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped.html
http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9988
Please use CVE-2013-4208 for this issue."
Fixed with 3.7.3