Debian Bug report logs - #816921
putty: CVE-2016-2563: buffer overrun in the old-style SCP protocol

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 6 Mar 2016 18:12:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version putty/0.62-9

Fixed in version putty/0.67-1

Done: Colin Watson <cjwatson@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#816921; Package src:putty. (Sun, 06 Mar 2016 18:12:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Colin Watson <cjwatson@debian.org>. (Sun, 06 Mar 2016 18:12:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: putty: CVE-2016-2563: buffer overrun in the old-style SCP protocol
Date: Sun, 06 Mar 2016 19:10:16 +0100
Source: putty
Version: 0.62-9
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for putty.

CVE-2016-2563[0]:
buffer overrun in the old-style SCP protocol

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-2563
[1] http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html
[2] http://tartarus.org/~simon-git/gitweb/?p=putty.git;a=commitdiff;h=bc6c15ab5f636e05b7e91883f0031a7e06117947

Not sure if this warrants a DSA, since it's in the old-style SCP
protocol only, and furthermore a user must connect to a malicious server
where the host key of the server was accepted already.

Regards,
Salvatore
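The sink side of the old-style SCP protocol (the client receiving a file) parses a one-line header from the server, conventionally `Cmode size name`, before copying any data. The page does not reproduce the faulty code; the following is an added example, not PuTTY's, of how a sink can parse that header into a fixed-size record with every length check done before anything is copied, which is the class of defect the report describes. The `SCP_NAME_MAX` limit and `struct scp_file_hdr` are hypothetical.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical limit and record type; these are not PuTTY's definitions. */
#define SCP_NAME_MAX 255

struct scp_file_hdr {
    unsigned long mode;           /* permission bits, sent in octal */
    unsigned long long size;      /* file length in bytes, sent in decimal */
    char name[SCP_NAME_MAX + 1];  /* fixed-size destination buffer */
};

/* Parse an old-style SCP 'C' header line such as "C0644 12 hello.txt\n".
 * Returns 0 on success, -1 for anything malformed or over-long. The name
 * length is checked before a single byte is copied into the fixed buffer,
 * so the remote side cannot decide how many bytes land there. */
int parse_scp_file_header(const char *line, struct scp_file_hdr *out)
{
    const char *p;
    char *end;
    size_t namelen;
    if (line == NULL || out == NULL || line[0] != 'C')
        return -1;
    p = line + 1;
    /* mode: 1-4 octal digits, then exactly one space */
    errno = 0;
    out->mode = strtoul(p, &end, 8);
    if (!isdigit((unsigned char)*p) || errno != 0 || end - p > 4 || *end != ' ')
        return -1;
    p = end + 1;
    /* size: decimal digits (no sign), then exactly one space */
    errno = 0;
    out->size = strtoull(p, &end, 10);
    if (!isdigit((unsigned char)*p) || errno != 0 || *end != ' ')
        return -1;
    p = end + 1;
    /* name: up to the newline; bounded, no '/', and not "." or ".." */
    namelen = strcspn(p, "\n");
    if (namelen == 0 || namelen > SCP_NAME_MAX ||
        (p[namelen] == '\n' && p[namelen + 1] != '\0'))
        return -1;
    if (memchr(p, '/', namelen) != NULL ||
        (namelen <= 2 && strncmp(p, "..", namelen) == 0))
        return -1;
    memcpy(out->name, p, namelen);
    out->name[namelen] = '\0';
    return 0;
}
```

A header whose name exceeds `SCP_NAME_MAX`, contains a path separator, or carries trailing data after the newline is rejected instead of being copied.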



Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Sun, 06 Mar 2016 19:24:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 06 Mar 2016 19:24:08 GMT)


Message #10 received at 816921-close@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: 816921-close@bugs.debian.org
Subject: Bug#816921: fixed in putty 0.67-1
Date: Sun, 06 Mar 2016 19:20:55 +0000
Source: putty
Source-Version: 0.67-1

We believe that the bug you reported is fixed in the latest version of
putty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 816921@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated putty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 06 Mar 2016 18:41:16 +0000
Source: putty
Binary: pterm putty putty-tools putty-doc
Architecture: source
Version: 0.67-1
Distribution: unstable
Urgency: high
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 pterm      - PuTTY terminal emulator
 putty      - Telnet/SSH client for X
 putty-doc  - PuTTY HTML documentation
 putty-tools - command-line tools for SSH, SCP, and SFTP
Closes: 816921
Changes:
 putty (0.67-1) unstable; urgency=high
 .
   * New upstream release.
     - CVE-2016-2563: Fix buffer overrun in the old-style SCP protocol
       (closes: #816921).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 21 Apr 2016 07:29:30 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:47:22 2019; Machine Name: buxtehude
