Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#8826 closed Bug report (fixed)

More security issues in putty (CVE-2013-4206, CVE-2013-4207, CVE-2013-4208)

Reported by: oden
Owned by:
Priority: high
Component: FileZilla Client
Keywords:
Cc:
Component version:
Operating system type: Linux
Operating system version:

Description

Reference: http://www.openwall.com/lists/oss-security/2013/08/06/13

"On 08/06/2013 01:56 PM, Vincent Danen wrote:

There seem to be some CVEs needed for putty 0.63 due to some other
fixes that were fixed alongside CVE-2013-4852:

  • a heap-corrupting buffer underrun bug in the modmul function which performs modular multiplication:
    http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modmul.html
    http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9977

Please use CVE-2013-4206 for this issue.

  • A buffer overflow vulnerability in the calculation of modular inverses when verifying a DSA signature:
    http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-bignum-division-by-zero.html
    http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9996

Please use CVE-2013-4207 for this issue.

  • Private keys left in memory after being used by PuTTY tools:
    http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped.html
    http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9988

Please use CVE-2013-4208 for this issue."

Change History (1)

comment:1 by oden, 7 years ago

Resolution: fixed
Status: new → closed

Fixed with 3.7.3
