Bug 834202 - VUL-0: CVE-2013-4852: filezilla: embedded putty: Integer overflow results heap-based buffer overflow
VUL-0: CVE-2013-4852: filezilla: embedded putty: Integer overflow results hea...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Tomáš Chvátal
Security Team bot
:
Depends on: CVE-2013-4852
Blocks:
  Show dependency treegraph
 
Reported: 2013-08-09 13:28 UTC by Marcus Meissner
Modified: 2014-04-03 10:34 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2013-08-09 13:28:36 UTC
filezilla embeds putty. (Why? Can you use putty as external dependency?)

+++ This bug was initially created as a clone of Bug #833567 +++

From [1]:

 "PuTTY versions 0.62 and earlier - as well as all software that
  integrates these versions of PuTTY - are vulnerable to an integer overflow
  leading to heap overflow during the SSH handshake before authentication,
  caused by improper bounds checking of the length parameter received from the
  SSH server.
  This allows  remote attackers to cause denial of service, and may have more
  severe impact on the operation of software that uses PuTTY code."

Fix available in the SVN [2].

[1] http://www.search-lab.hu/advisories/secadv-20130722
[2] http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896
Comment 1 Tomáš Chvátal 2013-08-09 13:44:27 UTC
Afaik I think it creates some whacked fzputtygen binary that is just somewheat similar to puttygen from putty source.

Some guys tried to get rid of it in Gentoo and it didn't fly, but the reality might have changed a bit (it was around 2k8).
Comment 2 Swamp Workflow Management 2013-08-09 22:00:09 UTC
bugbot adjusting priority
Comment 3 Swamp Workflow Management 2013-08-16 13:04:23 UTC
openSUSE-SU-2013:1347-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 834202
CVE References: CVE-2013-4206,CVE-2013-4207,CVE-2013-4208,CVE-2013-4852
Sources used:
openSUSE 12.3 (src):    filezilla-3.7.3-5.4.1
openSUSE 12.2 (src):    filezilla-3.7.3-3.4.1
Comment 4 Petr Gajdos 2014-04-03 09:52:43 UTC
This can be closed I would say :).
Comment 5 Tomáš Chvátal 2014-04-03 10:34:58 UTC
True that :)