Bugzilla – Bug 834202
VUL-0: CVE-2013-4852: filezilla: embedded putty: Integer overflow results heap-based buffer overflow
Last modified: 2014-04-03 10:34:58 UTC
filezilla embeds putty. (Why? Can you use putty as external dependency?)
+++ This bug was initially created as a clone of Bug #833567 +++
"PuTTY versions 0.62 and earlier - as well as all software that
integrates these versions of PuTTY - are vulnerable to an integer overflow
leading to heap overflow during the SSH handshake before authentication,
caused by improper bounds checking of the length parameter received from the
This allows remote attackers to cause denial of service, and may have more
severe impact on the operation of software that uses PuTTY code."
Fix available in the SVN .
Afaik I think it creates some whacked fzputtygen binary that is just somewheat similar to puttygen from putty source.
Some guys tried to get rid of it in Gentoo and it didn't fly, but the reality might have changed a bit (it was around 2k8).
bugbot adjusting priority
openSUSE-SU-2013:1347-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 834202
CVE References: CVE-2013-4206,CVE-2013-4207,CVE-2013-4208,CVE-2013-4852
openSUSE 12.3 (src): filezilla-3.7.3-5.4.1
openSUSE 12.2 (src): filezilla-3.7.3-3.4.1
This can be closed I would say :).
True that :)