Bug 833567 - (CVE-2013-4852) VUL-0: CVE-2013-4852: putty: Integer overflow results heap-based buffer overflow
(CVE-2013-4852)
VUL-0: CVE-2013-4852: putty: Integer overflow results heap-based buffer overflow
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P2 - High : Major
: ---
Assigned To: Security Team bot
Security Team bot
:
Depends on:
Blocks: 834202
  Show dependency treegraph
 
Reported: 2013-08-06 14:03 UTC by Matthias Weckbecker
Modified: 2015-02-18 22:33 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Weckbecker 2013-08-06 14:03:17 UTC
From [1]:

 "PuTTY versions 0.62 and earlier - as well as all software that
  integrates these versions of PuTTY - are vulnerable to an integer overflow
  leading to heap overflow during the SSH handshake before authentication,
  caused by improper bounds checking of the length parameter received from the
  SSH server.
  This allows  remote attackers to cause denial of service, and may have more
  severe impact on the operation of software that uses PuTTY code."

Fix available in the SVN [2].

[1] http://www.search-lab.hu/advisories/secadv-20130722
[2] http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896
Comment 1 Andreas Stieger 2013-08-06 19:25:18 UTC
Turns out I am not the maintainer, but here we go.. updated to 0.63 which was released just now:

SR to X11:Utilities https://build.opensuse.org/request/show/186142
MR for 12.3: https://build.opensuse.org/request/show/186144
Comment 2 Jan Engelhardt 2013-08-06 20:03:10 UTC
Not so fast.

MR for 12.3 is now 186147.
Comment 3 Bernhard Wiedemann 2013-08-06 21:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (833567) was mentioned in
https://build.opensuse.org/request/show/186147 Maintenance /
Comment 4 Benjamin Brunner 2013-08-07 09:13:48 UTC
After this fixes an security-issue I changed the needinfo to our security-team.
Comment 5 Marcus Meissner 2013-08-12 13:05:32 UTC
update accepted, waiting in 7 day queue
Comment 6 Swamp Workflow Management 2013-08-19 13:04:19 UTC
openSUSE-SU-2013:1355-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 833567
CVE References: CVE-2013-4852
Sources used:
openSUSE 12.3 (src):    putty-0.63-2.4.1