Debian Bug report logs - #718800
filezilla: CVE-2013-4852: PuTTY SSH handshake heap overflow


Package: filezilla; Maintainer for filezilla is Adrien Cunin <adri2000@ubuntu.com>; Source for filezilla is src:filezilla.

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 5 Aug 2013 15:39:01 UTC

Severity: grave

Tags: patch, security, upstream

Fixed in version filezilla/3.7.3-1

Done: Adrien Cunin <adri2000@ubuntu.com>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Adrien Cunin <adri2000@ubuntu.com>:
Bug#718800; Package filezilla. (Mon, 05 Aug 2013 15:39:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Adrien Cunin <adri2000@ubuntu.com>. (Mon, 05 Aug 2013 15:39:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: filezilla: CVE-2013-4852: PuTTY SSH handshake heap overflow
Date: Mon, 05 Aug 2013 17:37:22 +0200
Package: filezilla
Severity: grave
Tags: security patch upstream

Hi,

the following vulnerability was published for putty, but filezilla
embeds putty source:

CVE-2013-4852[0]:
PuTTY SSH handshake heap overflow

See the advisory [1] for details referring to putty commit [2].
AFAICS the putty source embedded in filezilla, in a vulnerable version,
is used in the build for fzsftp. See [3] for the corresponding bug report
for putty itself.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2013-4852
[1] http://www.search-lab.hu/advisories/secadv-20130722
[2] http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896
[3] http://bugs.debian.org/718779

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Adrien Cunin <adri2000@ubuntu.com>:
Bug#718800; Package filezilla. (Thu, 08 Aug 2013 04:15:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jackson Doak <noskcaj@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Adrien Cunin <adri2000@ubuntu.com>. (Thu, 08 Aug 2013 04:15:04 GMT) Full text and rfc822 format available.

Message #10 received at 718800@bugs.debian.org (full text, mbox):

From: Jackson Doak <noskcaj@ubuntu.com>
To: 718800@bugs.debian.org
Subject: Fixed in upstream
Date: Thu, 8 Aug 2013 14:10:03 +1000
The bug was fixed in upstream release 3.7.2. 3.7.3 is now out with
more CVE fixes; please update to that, following
http://bugs.debian.org/719052



Information forwarded to debian-bugs-dist@lists.debian.org, Adrien Cunin <adri2000@ubuntu.com>:
Bug#718800; Package filezilla. (Sat, 07 Sep 2013 04:57:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Adrien Cunin <adri2000@ubuntu.com>. (Sat, 07 Sep 2013 04:57:04 GMT) Full text and rfc822 format available.

Message #15 received at 718800@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 719070@bugs.debian.org, 718800@bugs.debian.org
Subject: Re: Bug#719070: filezilla: CVE-2013-4206 CVE-2013-4207 CVE-2013-4208
Date: Sat, 7 Sep 2013 06:53:05 +0200
Hi

Any news on #719070 and #718800? Could you prepare a new upstream
version for unstable which includes these fixes?

Regards,
Salvatore



Reply sent to Adrien Cunin <adri2000@ubuntu.com>:
You have taken responsibility. (Wed, 11 Sep 2013 10:21:08 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 11 Sep 2013 10:21:08 GMT) Full text and rfc822 format available.

Message #20 received at 718800-close@bugs.debian.org (full text, mbox):

From: Adrien Cunin <adri2000@ubuntu.com>
To: 718800-close@bugs.debian.org
Subject: Bug#718800: fixed in filezilla 3.7.3-1
Date: Wed, 11 Sep 2013 10:18:09 +0000
Source: filezilla
Source-Version: 3.7.3-1

We believe that the bug you reported is fixed in the latest version of
filezilla, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 718800@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrien Cunin <adri2000@ubuntu.com> (supplier of updated filezilla package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 27 Aug 2013 11:47:04 +0200
Source: filezilla
Binary: filezilla filezilla-common
Architecture: source amd64 all
Version: 3.7.3-1
Distribution: unstable
Urgency: low
Maintainer: Adrien Cunin <adri2000@ubuntu.com>
Changed-By: Adrien Cunin <adri2000@ubuntu.com>
Description: 
 filezilla  - Full-featured graphical FTP/FTPS/SFTP client
 filezilla-common - Architecture independent files for filezilla
Closes: 718800 719070
Changes: 
 filezilla (3.7.3-1) unstable; urgency=low
 .
   * New upstream release, fixing the following PuTTY security vulnerabilities:
      - CVE-2013-4852 (Closes: #718800)
      - CVE-2013-4206, CVE-2013-4207, CVE-2013-4208 (Closes: #719070)
Checksums-Sha1: 
 7647d5e805101d5a2605686edc07c6588f1bff3b 2122 filezilla_3.7.3-1.dsc
 34c3dd1943816a916c54e49cbbea51c97ef3f583 3682494 filezilla_3.7.3.orig.tar.bz2
 2d0f04e7d5b4a2a2b143fa0b8e2b5e27661c67d7 8115 filezilla_3.7.3-1.debian.tar.gz
 58dc41e2af68d548c840e209544dbb447d4f85bd 968056 filezilla_3.7.3-1_amd64.deb
 d5df991836a12a895ca1d39249663fac579d7b9b 1824352 filezilla-common_3.7.3-1_all.deb
Checksums-Sha256: 
 4f455193f7304014da921705cef7f1e8ae53217412f55e118ab3976f62f4bdae 2122 filezilla_3.7.3-1.dsc
 2b012970a6033d8ffd4629b1d57b50ace62cd3750efad70001109f25e520c042 3682494 filezilla_3.7.3.orig.tar.bz2
 b58024b61b4423d25d474fcc381fd3ea3875ec26d28a3ea51c3192014c05fcf2 8115 filezilla_3.7.3-1.debian.tar.gz
 78309b61c9fa9808d360ae235c3f8b47205e8f36d840adb20551c0fa334090be 968056 filezilla_3.7.3-1_amd64.deb
 2eceec25d4ae57bd7bd6937b7e091699f56bf57b37fc62d85abbaad8089df134 1824352 filezilla-common_3.7.3-1_all.deb
Files: 
 b14fb3f7177b689800e2e5c391bd1c6a 2122 net optional filezilla_3.7.3-1.dsc
 df7828739a852ac3adbc1c010303115d 3682494 net optional filezilla_3.7.3.orig.tar.bz2
 4098f7e64b5531d519fcdb526e8c1d50 8115 net optional filezilla_3.7.3-1.debian.tar.gz
 a0408323e8b786e6b340464cdbe070a8 968056 net optional filezilla_3.7.3-1_amd64.deb
 5175665e39fbbd6be5f654e94e3f93c0 1824352 net optional filezilla-common_3.7.3-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 06:05:28 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.