oss-sec mailing list archives
Re: CVE Request: PuTTY fails to clear private key information from memory
From: Zubin Mithra <zubin.mithra () gmail com>
Date: Sun, 1 Mar 2015 00:59:18 +0100
Signed PGP part Use CVE-2015-2157. This falls into a narrow set of situations in which a CVE ID can be assigned even though the issue does not cross privilege boundaries. The vendor is specifically announcing this as "This is a security vulnerability." (Also, wiping private-key memory is a conventional behavior seen in many products. It is not the same as wiping any memory block that any researcher may feel is sensitive in some way.)
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html
However, if you ever told Pageant to delete a key from memory, it would not have properly deleted it: it would still have retained a copy by mistake due to this bug.
Because of the "this bug" wording, a single CVE ID is assigned. However, in general, these two cases could be distinguished: - violating a user's reasonable expectations about what preemptive memory wiping should occur - providing a UI feature advertised as a way to tell a product to wipe a key from memory, accompanied by actual behavior in which no wiping occurs with separate CVE IDs. In other words, there would be two CVE IDs if there were two bugs (one for each case) fixed independently. -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Current thread:
- CVE Request: PuTTY fails to clear private key information from memory Patrick Coleman (Feb 28)
- Re: CVE Request: PuTTY fails to clear private key information from memory cve-assign (Feb 28)
- Re: CVE Request: PuTTY fails to clear private key information from memory Zubin Mithra (Feb 28)