Bug 954191 - (CVE-2015-5309) VUL-0: CVE-2015-5309: putty: integer overflow and buffer underrun in terminal emulator's ECH handling
VUL-0: CVE-2015-5309: putty: integer overflow and buffer underrun in terminal...
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other openSUSE 42.1
: P5 - None : Normal
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2015-11-09 07:29 UTC by Andreas Stieger
Modified: 2015-11-18 13:16 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2015-11-09 07:29:19 UTC

summary: Vulnerability: integer overflow and buffer underrun in terminal emulator's ECH handling
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
absent-in: 0.53b r2425 ea5be2db381206798f688cf2bac464a24a2856d9
present-in: 8de5682450393513f25d1a231677f7d866c8d9d4 r2426 0.54 0.65
fixed-in: 6056396f77cafc7e40da4d09f1d6212408dcb065 e3fe709a8f6a633647088e9ed7264be5fb740426 2015-11-08 0.66

Versions of PuTTY and pterm between 0.54 and 0.65 inclusive have a potentially memory-corrupting integer overflow in the handling of the ECH (erase characters) control sequence in the terminal emulator.

To exploit a vulnerability in the terminal emulator, an attacker must be able to insert a carefully crafted escape sequence into the terminal stream. For a PuTTY SSH session, this must be before encryption, so the attacker likely needs access to the server you're connecting to. For instance, an attacker on a multi-user machine that you connect to could trick you into running cat on a file they control containing a malicious escape sequence. (Unix write(1) is not a vector for this, if implemented correctly.)

Only PuTTY, PuTTYtel, and pterm are affected; other PuTTY tools do not include the terminal emulator, so cannot be exploited this way.

The purpose of ECH is to erase multiple characters within a single line. To this end, it includes a numeric parameter to specify the number of characters to be erased. PuTTY accumulates this one digit at a time in an integer variable. As part of the processing of ECH, the check_boundary function checks whether the start or end of the erased range falls in the middle of a double-width character (such as a kanji ideograph) so that it can ensure that the whole character is erased. Each character cell in the live terminal is held as a structure containing among other things the character code and a word of attributes. A double-width character is recorded by having a special value called UCSWIDE as the character code in the second cell, and when check_boundary detects that value, it resets the character code of both cells to a fixed value and copies the attributes from the left one to the right one.

The vulnerability arises because PuTTY uses signed integer variables to hold the number of characters to be erased and doesn't adequately check for overflow. This means that by passing a very large parameter to ECH, an attacker could cause check_boundary to inspect memory outside the terminal buffer. Were it to find UCSWIDE there, it would corrupt some nearby memory. This might be exploitable if the attacker could arrange for UCSWIDE to be in memory somewhere near a sensitive data structure.

This bug was found with the help of American Fuzzy Lop and has been assigned CVE ID CVE-2015-5309. 

From X11:Utilities/putty,
Affects openSUSE 13.1, 13.2 and Leap 42.1
Comment 1 Bernhard Wiedemann 2015-11-09 10:00:21 UTC
This is an autogenerated message for OBS integration:
This bug (954191) was mentioned in
https://build.opensuse.org/request/show/343110 Factory / putty
Comment 2 Bernhard Wiedemann 2015-11-09 17:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (954191) was mentioned in
https://build.opensuse.org/request/show/343236 13.1+13.2+Leap:42.1 / putty.openSUSE_Leap_42.1_Update+putty
Comment 3 Benjamin Brunner 2015-11-18 12:14:40 UTC
Update released for 13.1, 13.2 and Leap 42.1. Also checked in into Factory.

Resolved fixed.
Comment 4 Swamp Workflow Management 2015-11-18 13:16:57 UTC
openSUSE-SU-2015:2023-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 954191
CVE References: CVE-2015-5309
Sources used:
openSUSE Leap 42.1 (src):    putty-0.66-6.1
openSUSE 13.2 (src):    putty-0.66-4.7.1
openSUSE 13.1 (src):    putty-0.66-2.7.1