Debian Bug report logs - #400804
putty-tools: puttygen can create world-readable private keys
Report forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>: Bug#400804; Package putty-tools.
Acknowledgement sent to Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>: New Bug report received and forwarded. Copy sent to Colin Watson <cjwatson@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: putty-tools
Version: 0.58-5
Severity: normal
When I run puttygen (either to create a new key, or to translate an OpenSSH-style key), the emitted ppk file (the PuTTY private key) is created with the standard umask, which by default in Debian leaves things world-readable.

This is in contrast to ssh-keygen from the OpenSSH suite, which creates private keys with group and other permissions all off, no matter what the current umask.

I think that ssh-keygen's approach is what people expect and intend when it comes to public keys, and it's a better idea to make these things safe-by-default.

Thanks for maintaining the putty tools in Debian, by the way. In addition to the importance of having multiple implementations of SSHv2, it's very useful to have these cross-platform translation capabilities available to help our friends who are stuck in Windows!

Regards,
--dkg
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing'), (200, 'unstable'), (101, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages putty-tools depends on:
ii libc6 2.3.6.ds1-8 GNU C Library: Shared libraries
putty-tools recommends no packages.
-- no debconf information
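The umask problem described in the report above, as an added C example that is not PuTTY's or OpenSSH's code: `write_key_via_fopen` reproduces the pre-0.59 behaviour (fopen() creates with mode 0666 masked by the umask, so Debian's default umask of 022 yields a world-readable 0644), while `write_key_private` follows the ssh-keygen approach of requesting 0600 at creation time so the umask cannot widen it. The temporary directory, file name and sample key contents are constructed for the demo.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed placeholder standing in for .ppk contents; not a real key. */
static const char SAMPLE_KEY[] = "PuTTY-User-Key-File-2: ssh-rsa\n";

/* Pre-0.59 behaviour: fopen("w") asks the kernel for mode 0666, which is
 * then masked by the process umask (Debian default 022), leaving 0644. */
int write_key_via_fopen(const char *path) {
    FILE *fp = fopen(path, "w");
    if (!fp) return -1;
    fputs(SAMPLE_KEY, fp);
    return fclose(fp);
}

/* ssh-keygen-style: request 0600 at creation (a umask can only clear bits,
 * never add them); O_EXCL refuses to reuse an existing file and its old mode. */
int write_key_private(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd < 0) return -1;
    size_t len = strlen(SAMPLE_KEY), off = 0;
    while (off < len) {
        ssize_t n = write(fd, SAMPLE_KEY + off, len - off);
        if (n < 0) { close(fd); return -1; }
        off += (size_t)n;
    }
    return close(fd);
}

/* Writes a key with the given writer under umask 022 inside a private temp
 * directory and returns the resulting permission bits, or -1 on error. */
int mode_after_write(int (*writer)(const char *)) {
    char dir[64], path[96];
    struct stat st; int mode = -1;
    snprintf(dir, sizeof dir, "/tmp/ppk-demo-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return -1;
    snprintf(path, sizeof path, "%s/id.ppk", dir);
    unlink(path);            /* start from a clean slate */
    umask(022);              /* Debian's default umask */
    if (writer(path) == 0 && stat(path, &st) == 0) mode = (int)(st.st_mode & 0777);
    unlink(path);
    rmdir(dir);
    return mode;
}

int mode_via_fopen(void)   { return mode_after_write(write_key_via_fopen); }  /* 0644 */
int mode_via_private(void) { return mode_after_write(write_key_private); }   /* 0600 */
```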
Tags added: fixed-upstream
Request was from Jacob Nevins <jacobn+debian@chiark.greenend.org.uk> to control@bugs.debian.org.
Reply sent to Colin Watson <cjwatson@debian.org>: You have taken responsibility.
Notification sent to Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>: Bug acknowledged by developer.
Message #14 received at 400804-close@bugs.debian.org:
Source: putty
Source-Version: 0.59-1

We believe that the bug you reported is fixed in the latest version of putty, which is due to be installed in the Debian FTP archive:

pterm_0.59-1_powerpc.deb to pool/main/p/putty/pterm_0.59-1_powerpc.deb
putty-tools_0.59-1_powerpc.deb to pool/main/p/putty/putty-tools_0.59-1_powerpc.deb
putty_0.59-1.diff.gz to pool/main/p/putty/putty_0.59-1.diff.gz
putty_0.59-1.dsc to pool/main/p/putty/putty_0.59-1.dsc
putty_0.59-1_powerpc.deb to pool/main/p/putty/putty_0.59-1_powerpc.deb
putty_0.59.orig.tar.gz to pool/main/p/putty/putty_0.59.orig.tar.gz

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 400804@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated putty package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Mon, 29 Jan 2007 21:38:53 +0000
Source: putty
Binary: pterm putty-tools putty
Architecture: source powerpc
Version: 0.59-1
Distribution: experimental
Urgency: low
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
pterm - PuTTY terminal emulator
putty - Telnet/SSH client for X
putty-tools - command-line tools for SSH, SCP, and SFTP
Closes: 229232 357520 400804 400806 406090
Changes:
putty (0.59-1) experimental; urgency=low
.
  * New upstream release.
    - PuTTY can now connect to a local serial port, as an alternative to making a network connection.
    - Support for password expiry in SSH-2.
    - Various performance improvements and cryptography upgrades.
    - The file transfer utilities PSCP and PSFTP now support files bigger than 2Gb (provided the underlying operating system does too).
    - Numerous other small bug fixes, including:
      + Return a well-formed response containing the empty string by default in response to a remote window title query (closes: #229232).
      + Remove the loops that close all open fds before running a subprocess. They were intended to make sure the child process didn't inherit anything embarrassing or inconvenient from us, such as the master end of its own pty, but now we instead do this by making sure to set all our own fds to not-FD_CLOEXEC on creation (closes: #357520).
      + Save private keys and session logs such that they're only readable by the owner (closes: #400804).
      + psftp: Fix double-free on mkdir (closes: #406090).
  * Update debian/copyright.
  * Install kh4reg.py in /usr/share/doc/putty-tools/examples (closes: #400806).
  * Install new pterm and putty icons.
  * Use transparency for GTK 1 window icons.
Tags added: security
Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org.
Reply sent to Colin Watson <cjwatson@debian.org>: You have taken responsibility.
Notification sent to Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>: Bug acknowledged by developer.
Message #21 received at 400804-close@bugs.debian.org:
Source: putty
Source-Version: 0.60-1

We believe that the bug you reported is fixed in the latest version of putty, which is due to be installed in the Debian FTP archive:

pterm_0.60-1_powerpc.deb to pool/main/p/putty/pterm_0.60-1_powerpc.deb
putty-tools_0.60-1_powerpc.deb to pool/main/p/putty/putty-tools_0.60-1_powerpc.deb
putty_0.60-1.diff.gz to pool/main/p/putty/putty_0.60-1.diff.gz
putty_0.60-1.dsc to pool/main/p/putty/putty_0.60-1.dsc
putty_0.60-1_powerpc.deb to pool/main/p/putty/putty_0.60-1_powerpc.deb
putty_0.60.orig.tar.gz to pool/main/p/putty/putty_0.60.orig.tar.gz

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 400804@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated putty package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Thu, 10 May 2007 10:30:25 +0100
Source: putty
Binary: pterm putty-tools putty
Architecture: source powerpc
Version: 0.60-1
Distribution: unstable
Urgency: low
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
pterm - PuTTY terminal emulator
putty - Telnet/SSH client for X
putty-tools - command-line tools for SSH, SCP, and SFTP
Closes: 229232 357520 400804 400806 406090 409115 422935
Changes:
putty (0.60-1) unstable; urgency=low
.
  * New upstream release (closes: #422935).
    - Pressing Ctrl+Break now sends a serial break signal in the serial back end, and in the SSH and Telnet backends it asks the server to do the same (if the server supports it). The previous Ctrl+Break behaviour can still be triggered with Ctrl-C.
    - You can now store a host name in the Default Settings.
    - In 0.59, it was possible to lock yourself out of the configuration dialog by configuring a serial connection in Default Settings. This should no longer be possible.
    - We've had reports of the error message `Unable to read from standard input' in Plink 0.59. We've found and fixed one cause of this message, and added better diagnostics in case there are others.
    - 0.59 could emit malformed SSH-2 packets that upset some servers (such as Foundry routers). Fixed.
.
putty (0.59-3) experimental; urgency=low
.
  * Build-depend on python for icon generation (closes: #409115).
.
putty (0.59-2) experimental; urgency=low
.
  * Build-depend on imagemagick for icon generation.
.
putty (0.59-1) experimental; urgency=low
.
  * New upstream release.
    - PuTTY can now connect to a local serial port, as an alternative to making a network connection.
    - Support for password expiry in SSH-2.
    - Various performance improvements and cryptography upgrades.
    - The file transfer utilities PSCP and PSFTP now support files bigger than 2Gb (provided the underlying operating system does too).
    - Numerous other small bug fixes, including:
      + Return a well-formed response containing the empty string by default in response to a remote window title query (closes: #229232).
      + Remove the loops that close all open fds before running a subprocess. They were intended to make sure the child process didn't inherit anything embarrassing or inconvenient from us, such as the master end of its own pty, but now we instead do this by making sure to set all our own fds to not-FD_CLOEXEC on creation (closes: #357520).
      + Save private keys and session logs such that they're only readable by the owner (closes: #400804).
      + psftp: Fix double-free on mkdir (closes: #406090).
  * Update debian/copyright.
  * Install kh4reg.py in /usr/share/doc/putty-tools/examples (closes: #400806).
  * Install new pterm and putty icons.
  * Use transparency for GTK 1 window icons.
Information forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>: Bug#400804; Package putty-tools.
Acknowledgement sent to Jacob Nevins <jacobn+debian@chiark.greenend.org.uk>: Extra info received and forwarded to list. Copy sent to Colin Watson <cjwatson@debian.org>.
Message #26 received at 400804@bugs.debian.org:
This has ended up in the CVE list (CVE-2006-7162) and as a Secunia advisory <http://secunia.com/advisories/24381>.

Secunia had incorrectly listed both 0.58 and 0.59 as vulnerable (they've recently corrected this). I suspect that the advisory was derived from this Debian bug report, and I can see that a casual observer might think it was only fixed in 0.60; for some reason, there are two "fixed" emails in this report, and the later one has subject "Bug#400804: fixed in putty 0.60-1".

For the avoidance of doubt: this was fixed in 0.59, and only affects the Unix version.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 30 Jul 2007 07:25:33 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 19:05:31 2019