oss-sec mailing list archives
Update for CVE-2013-4852: PuTTY SSH handshake heap overflow (FileZilla reportedly embeds a copy)
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 05 Aug 2013 14:41:50 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718800 From: Salvatore Bonaccorso <carnil () debian org> To: Debian Bug Tracking System <submit () bugs debian org> Subject: filezilla: CVE-2013-4852: PuTTY SSH handshake heap overflow Date: Mon, 05 Aug 2013 17:37:22 +0200 Package: filezilla Severity: grave Tags: security patch upstream Hi, the following vulnerability was published for putty, but filezilla embedds putty source: CVE-2013-4852[0]: PuTTY SSH handshake heap overflow See the advisory [1] for details referring to putty commit [2]. AFAICS filezilla embedding putty in vulnerable version is used in build for fzsftp. See [3] for the corresponding bugreport for putty itself. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] http://security-tracker.debian.org/tracker/CVE-2013-4852 [1] http://www.search-lab.hu/advisories/secadv-20130722 [2] http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896 [3] http://bugs.debian.org/718779 Please adjust the affected versions in the BTS as needed. Regards, Salvatore ============== Personal comment: it would be great if software embedded other software/code (e.g. libxml2/expat are common ones, as is zlib and other compressors) could be listed in a semi standard fashion in the source code (e.g. maybe an "EMBEDDED.txt" or something?) along with the date/version that was embedded. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJSAA4NAAoJEBYNRVNeJnmTZqgP/iwh6pswIFAHbu6aw8XFWAms k5JC/7YHMkK+YqVIGHLdxAvjJ/uHRpg6wzTF86t3BbtcPSCugqU6ON6LT8wfZO13 n2jd4CQfSKMKTNyTH2PDZGVBUy6zy1DrUF309wHsQ+visVMQRxvU0mKNNDOQnYET CypSrt3D5NdTk5s764PEz/vIBoghX1utJh5NGt9OQLmgObsmDvKZJ6mFmuwvxDVb hszA+7Z96q4qISoQGicoMWETCbMdwlVnRBBMlpZOjj39uW+IbfYwpgRl79l3Gl+J PyAJ8fIKLL26rHLInITtgbaHGf3WCUr/qY3wEZNTibTsUqPnyM0RsscbINWIxcfJ VhwjzbZLGxZ996k3aGyTB36gBFU0/lWMHUC1DPrBgjGKdZci4F95zPP9zfLRf4Gg yLaRSsCF0U/TZYXUeOeuUTwKyQlXsAXgHmyGkvWKmXMt244k6L+Wwu/lvmrHoMx+ Ud5N2ho1kwCWNWZNLznHkdKECRYXB/2Eyaym/sVZ71FfCuKB4SSY89btSAlRriai CSa06w1P/0mNBWPFymn9dWnUthMcENWqa3r57CH2kAeCF3VukMGh6razWoWlnRAf 4kSsvggR5sU2HJCMtaUWoZUKRCpoAy6eS97T1GbHlQNtEeyePAALAAIUiHoHkezb TZnDaBnvH7vTW4d6xJJ8 =LlIe -----END PGP SIGNATURE-----
Current thread:
- Update for CVE-2013-4852: PuTTY SSH handshake heap overflow (FileZilla reportedly embeds a copy) Kurt Seifried (Aug 05)