oss-sec mailing list archives
Re: CVE request: three additional flaws fixed in putty 0.63
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 06 Aug 2013 17:45:13 -0600
On 08/06/2013 01:56 PM, Vincent Danen wrote:
> There seem to be some CVEs needed for putty 0.63 due to some other fixes
> that were fixed alongside CVE-2013-4852:
>
> * a heap-corrupting buffer underrun bug in the modmul function which
>   performs modular multiplication:
>   http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modmul.html
>   http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9977

Please use CVE-2013-4206 for this issue.

> * A buffer overflow vulnerability in the calculation of modular inverses
>   when verifying a DSA signature:
>   http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-bignum-division-by-zero.html
>   http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9996

Please use CVE-2013-4207 for this issue.

> * Private keys left in memory after being used by PuTTY tools:
>   http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped.html
>   http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9988

Please use CVE-2013-4208 for this issue.

> I can't see any CVE references so I suspect there are none.
--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993