putty-tools: puttygen can create world-readable private keys

Related Vulnerabilities: CVE-2006-7162  

Debian Bug report logs - #400804


Reported by: Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>

Date: Tue, 28 Nov 2006 22:18:01 UTC

Severity: normal

Tags: fixed-upstream, security

Found in version putty/0.58-5

Fixed in versions putty/0.59-1, putty/0.60-1

Done: Colin Watson <cjwatson@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/puttygen-unix-perms.html



Report forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#400804; Package putty-tools.


Acknowledgement sent to Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>:
New Bug report received and forwarded. Copy sent to Colin Watson <cjwatson@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: putty-tools: puttygen can create world-readable private keys
Date: Tue, 28 Nov 2006 15:14:10 -0500
Package: putty-tools
Version: 0.58-5
Severity: normal


When I run puttygen (either to create a new key, or to translate an
openssh-style key), the emitted ppk file (the putty private key) is
created with the standard umask, which by default in Debian leaves
things world-readable.

This is in contrast to ssh-keygen from the openssh suite, which
creates private keys with group and other permissions all off, no
matter what the current umask.

I think that ssh-keygen's approach is what people expect and intend
when it comes to public keys, and it's a better idea to make these
things safe-by-default.

Thanks for maintaining the putty tools in Debian, by the way.  In
addition to the importance of having multiple implementations of
SSHv2, it's very useful to have these cross-platform translation
capabilities available to help our friends who are stuck in Windows!

Regards,

	--dkg

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (101, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages putty-tools depends on:
ii  libc6                        2.3.6.ds1-8 GNU C Library: Shared libraries

putty-tools recommends no packages.

-- no debconf information
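The contrast the report draws, as an added example in C that is not PuTTY's or ssh-keygen's own code: a writer that inherits the process umask (the behaviour reported) beside one that requests mode 0600 at creation (the behaviour of ssh-keygen and of the fix), with a check over the resulting file. The /tmp path and the key contents are constructed for the demo.

```c
/* Added example, not PuTTY's or ssh-keygen's code: umask-dependent key
 * writing (the bug) beside owner-only creation (the fix), plus a check. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if only the owner can access path, 0 if group or other have
 * any permission bit set, -1 if the file cannot be examined. */
int key_perms_ok(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Buggy pattern: fopen() creates the file as 0666 & ~umask, so Debian's
 * default umask of 022 yields a world-readable key (mode 0644). */
int write_key_umask_dependent(const char *path, const char *data) {
    FILE *fp = fopen(path, "w");
    if (fp == NULL) return -1;
    fputs(data, fp);
    return fclose(fp);
}

/* Fixed pattern: request 0600 at creation. A umask can only clear bits, so
 * group/other never gain access. O_EXCL refuses to reuse an existing file,
 * whose old (possibly wide) mode open() would otherwise leave untouched. */
int write_key_owner_only(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd < 0) return -1;
    size_t len = strlen(data);
    int rc = (write(fd, data, len) == (ssize_t)len) ? 0 : -1;
    return close(fd) == 0 ? rc : -1;
}

/* Runs a writer under a chosen umask on a constructed temp path, reports
 * whether the result is owner-only, and removes the file again. */
int demo_key_perms(int (*writer)(const char *, const char *), mode_t um) {
    const char *path = "/tmp/demo-private-key.ppk"; /* constructed path */
    unlink(path);
    mode_t saved = umask(um);
    int rc = writer(path, "constructed key material, not a real key\n");
    umask(saved);
    int ok = (rc == 0) ? key_perms_ok(path) : -1;
    unlink(path);
    return ok;
}
```

Running the umask-dependent writer under umask 077 does produce an owner-only file, which is exactly why the bug only bites users on the default umask.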



Noted your statement that Bug has been forwarded to http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/puttygen-unix-perms.html. Request was from Ben Harris <bjh41@bjh41.me.uk> to control@bugs.debian.org.


Tags added: fixed-upstream. Request was from Jacob Nevins <jacobn+debian@chiark.greenend.org.uk> to control@bugs.debian.org.


Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility.


Notification sent to Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>:
Bug acknowledged by developer.


Message #14 received at 400804-close@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: 400804-close@bugs.debian.org
Subject: Bug#400804: fixed in putty 0.59-1
Date: Mon, 29 Jan 2007 22:02:03 +0000
Source: putty
Source-Version: 0.59-1

We believe that the bug you reported is fixed in the latest version of
putty, which is due to be installed in the Debian FTP archive:

pterm_0.59-1_powerpc.deb
  to pool/main/p/putty/pterm_0.59-1_powerpc.deb
putty-tools_0.59-1_powerpc.deb
  to pool/main/p/putty/putty-tools_0.59-1_powerpc.deb
putty_0.59-1.diff.gz
  to pool/main/p/putty/putty_0.59-1.diff.gz
putty_0.59-1.dsc
  to pool/main/p/putty/putty_0.59-1.dsc
putty_0.59-1_powerpc.deb
  to pool/main/p/putty/putty_0.59-1_powerpc.deb
putty_0.59.orig.tar.gz
  to pool/main/p/putty/putty_0.59.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 400804@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated putty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Mon, 29 Jan 2007 21:38:53 +0000
Source: putty
Binary: pterm putty-tools putty
Architecture: source powerpc
Version: 0.59-1
Distribution: experimental
Urgency: low
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 pterm      - PuTTY terminal emulator
 putty      - Telnet/SSH client for X
 putty-tools - command-line tools for SSH, SCP, and SFTP
Closes: 229232 357520 400804 400806 406090
Changes: 
 putty (0.59-1) experimental; urgency=low
 .
   * New upstream release.
     - PuTTY can now connect to a local serial port, as an alternative to
       making a network connection.
     - Support for password expiry in SSH-2.
     - Various performance improvements and cryptography upgrades.
     - The file transfer utilities PSCP and PSFTP now support files bigger
       than 2Gb (provided the underlying operating system does too).
     - Numerous other small bug fixes, including:
      + Return a well-formed response containing the empty string by default
        in response to a remote window title query (closes: #229232).
      + Remove the loops that close all open fds before running a subprocess.
        They were intended to make sure the child process didn't inherit
        anything embarrassing or inconvenient from us, such as the master end
        of its own pty, but now we instead do this by making sure to set all
        our own fds to not-FD_CLOEXEC on creation (closes: #357520).
      + Save private keys and session logs such that they're only readable by
        the owner (closes: #400804).
      + psftp: Fix double-free on mkdir (closes: #406090).
   * Update debian/copyright.
   * Install kh4reg.py in /usr/share/doc/putty-tools/examples
     (closes: #400806).
   * Install new pterm and putty icons.
   * Use transparency for GTK 1 window icons.
Files: 
 21041e537b055af170ba9aeded77a0cc 602 net optional putty_0.59-1.dsc
 2c90f3aecd2e4b41df61fb047a6c8f11 1736071 net optional putty_0.59.orig.tar.gz
 142031f4305f3869ce80b8146a579b49 9396 net optional putty_0.59-1.diff.gz
 00ab5cff43fe9f037bf4143cab27ddd2 190524 x11 optional pterm_0.59-1_powerpc.deb
 8feb837175096cca44b566ac7d57b3f5 322946 net optional putty_0.59-1_powerpc.deb
 1f9a9995219619a8e0756f3cb33d8671 792620 net optional putty-tools_0.59-1_powerpc.deb





Tags added: security. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org.


Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility.


Notification sent to Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>:
Bug acknowledged by developer.


Message #21 received at 400804-close@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: 400804-close@bugs.debian.org
Subject: Bug#400804: fixed in putty 0.60-1
Date: Fri, 11 May 2007 08:32:07 +0000
Source: putty
Source-Version: 0.60-1

We believe that the bug you reported is fixed in the latest version of
putty, which is due to be installed in the Debian FTP archive:

pterm_0.60-1_powerpc.deb
  to pool/main/p/putty/pterm_0.60-1_powerpc.deb
putty-tools_0.60-1_powerpc.deb
  to pool/main/p/putty/putty-tools_0.60-1_powerpc.deb
putty_0.60-1.diff.gz
  to pool/main/p/putty/putty_0.60-1.diff.gz
putty_0.60-1.dsc
  to pool/main/p/putty/putty_0.60-1.dsc
putty_0.60-1_powerpc.deb
  to pool/main/p/putty/putty_0.60-1_powerpc.deb
putty_0.60.orig.tar.gz
  to pool/main/p/putty/putty_0.60.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 400804@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated putty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Thu, 10 May 2007 10:30:25 +0100
Source: putty
Binary: pterm putty-tools putty
Architecture: source powerpc
Version: 0.60-1
Distribution: unstable
Urgency: low
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 pterm      - PuTTY terminal emulator
 putty      - Telnet/SSH client for X
 putty-tools - command-line tools for SSH, SCP, and SFTP
Closes: 229232 357520 400804 400806 406090 409115 422935
Changes: 
 putty (0.60-1) unstable; urgency=low
 .
   * New upstream release (closes: #422935).
     - Pressing Ctrl+Break now sends a serial break signal in the serial back
       end, and in the SSH and Telnet backends it asks the server to do the
       same (if the server supports it). The previous Ctrl+Break behaviour
       can still be triggered with Ctrl-C.
     - You can now store a host name in the Default Settings.
     - In 0.59, it was possible to lock yourself out of the configuration
       dialog by configuring a serial connection in Default Settings. This
       should no longer be possible.
     - We've had reports of the error message `Unable to read from standard
       input' in Plink 0.59. We've found and fixed one cause of this message,
       and added better diagnostics in case there are others.
     - 0.59 could emit malformed SSH-2 packets that upset some servers (such
       as Foundry routers). Fixed.
 .
 putty (0.59-3) experimental; urgency=low
 .
   * Build-depend on python for icon generation (closes: #409115).
 .
 putty (0.59-2) experimental; urgency=low
 .
   * Build-depend on imagemagick for icon generation.
 .
 putty (0.59-1) experimental; urgency=low
 .
   * New upstream release.
     - PuTTY can now connect to a local serial port, as an alternative to
       making a network connection.
     - Support for password expiry in SSH-2.
     - Various performance improvements and cryptography upgrades.
     - The file transfer utilities PSCP and PSFTP now support files bigger
       than 2Gb (provided the underlying operating system does too).
     - Numerous other small bug fixes, including:
      + Return a well-formed response containing the empty string by default
        in response to a remote window title query (closes: #229232).
      + Remove the loops that close all open fds before running a subprocess.
        They were intended to make sure the child process didn't inherit
        anything embarrassing or inconvenient from us, such as the master end
        of its own pty, but now we instead do this by making sure to set all
        our own fds to not-FD_CLOEXEC on creation (closes: #357520).
      + Save private keys and session logs such that they're only readable by
        the owner (closes: #400804).
      + psftp: Fix double-free on mkdir (closes: #406090).
   * Update debian/copyright.
   * Install kh4reg.py in /usr/share/doc/putty-tools/examples
     (closes: #400806).
   * Install new pterm and putty icons.
   * Use transparency for GTK 1 window icons.
Files: 
 9363e9c456bb24f0495a5b38b7ef1bca 623 net optional putty_0.60-1.dsc
 07e65fd98b16d115ae38a180bfb242e2 1743711 net optional putty_0.60.orig.tar.gz
 48c8cf211bf09178aeb87c84ace44004 9612 net optional putty_0.60-1.diff.gz
 e9a94d0aace72d2f0206f35474f6586e 191474 x11 optional pterm_0.60-1_powerpc.deb
 1501c765463f6789d6121359498ec481 323906 net optional putty_0.60-1_powerpc.deb
 6c7151857551f4c19aee8f0c48b8fa50 793844 net optional putty-tools_0.60-1_powerpc.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#400804; Package putty-tools.


Acknowledgement sent to Jacob Nevins <jacobn+debian@chiark.greenend.org.uk>:
Extra info received and forwarded to list. Copy sent to Colin Watson <cjwatson@debian.org>.


Message #26 received at 400804@bugs.debian.org:

From: Jacob Nevins <jacobn+debian@chiark.greenend.org.uk>
To: 400804@bugs.debian.org
Subject: Re: putty-tools: puttygen can create world-readable private keys
Date: Sun, 1 Jul 2007 13:02:26 +0100
This has ended up in the CVE list (CVE-2006-7162) and as a Secunia
advisory <http://secunia.com/advisories/24381>.

Secunia had incorrectly listed both 0.58 and 0.59 as vulnerable (they've
recently corrected this). I suspect that the advisory was derived from
this Debian bug report, and I can see that a casual observer might think
it was only fixed in 0.60; for some reason, there are two "fixed" emails
in this report, and the later one has subject "Bug#400804: fixed in
putty 0.60-1".

For the avoidance of doubt: this was fixed in 0.59, and only affects the
Unix version.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 30 Jul 2007 07:25:33 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:05:31 2019; Machine Name: buxtehude
