CVE-2015-2157 - SSH2 Private Keys Not Properly Wiped from Memory

This is a DebDiff for Ubuntu Trusty. This contains the patch that was included in Debian (http://anonscm.debian.org/cgit/pkg-ssh/putty.git/tree/debian/patches/private-key-not-wiped-2.patch?id=5137922dc35f49f0b8573995420b24c1fe6ff826) which was included in Vivid.

This is a DebDiff for Ubuntu Utopic. This contains the patch that was included in Debian (http://anonscm.debian.org/cgit/pkg-ssh/putty.git/tree/debian/patches/private-key-not-wiped-2.patch?id=5137922dc35f49f0b8573995420b24c1fe6ff826) which was included in Vivid.

Wily is not affected, and has the fix because 0.64-1.

I forgot to include the Bug number in the debdiffs, my apologies.

This is a DebDiff for Ubuntu Precise. This contains the patch that was included in Debian (http://anonscm.debian.org/cgit/pkg-ssh/putty.git/tree/debian/patches/private-key-not-wiped-2.patch?id=5137922dc35f49f0b8573995420b24c1fe6ff826) which was included in Vivid.

***This needs additional review by the Security Team comparing the debdiff changes to the original Debian patch. This extra code review is necessary because to make the patch apply in Precise, the original patch needed to be re-engineered, applying the changes manually by hand, in order to provide for a patch import failure due to the code offsets not working for Precise. Before accepting this debdiff, please review it more thoroughly than the others.***

ACK on the trusty and utopic debdiffs. Packages are compiling now and will be released shortly.

NACK on the precise debdiff. It doesn't compile. If you want it to work, you are going to have to backport the smemclr() function from a more recent version of putty into misc.c and misc.h.

Actually, the precise package probably needs this whole fix:

http://tartarus.org/~simon-git/gitweb/?p=putty.git;a=commit;h=aa5bae89

See the following debian bug for more info:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=789686

@Marc ACK on the build failures and what else needs backported. I'll look into backporting that to make it available. (Precise debdiff removed). If I don't happen to get to it, then someone else in the community can look at it.

This bug was fixed in the package putty - 0.63-4ubuntu0.1

---------------
putty (0.63-4ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: PuTTY did not properly wipe SSH-2 Private Keys from
    system memory, which can allow local users to obtain sensitive information
    by reading the memory. (LP: #1467631)
    - debian/patches/private-key-not-wiped-2.patch: Add in fix patch from
      Debian 0.63-10 packaging. Thanks to Patrick Coleman for the original
      patch.
    - CVE-2015-2157

 -- Thomas Ward <email address hidden> Mon, 22 Jun 2015 14:07:28 -0400

This bug was fixed in the package putty - 0.63-8ubuntu0.1

---------------
putty (0.63-8ubuntu0.1) utopic-security; urgency=medium

  * SECURITY UPDATE: PuTTY did not properly wipe SSH-2 Private Keys from
    system memory, which can allow local users to obtain sensitive information
    by reading the memory. (LP: #1467631)
    - debian/patches/private-key-not-wiped-2.patch: Add in fix patch from
      Debian 0.63-10 packaging. Thanks to Patrick Coleman for the original
      patch.
    - CVE-2015-2157

 -- Thomas Ward <email address hidden> Mon, 22 Jun 2015 14:12:25 -0400

Add

Revert vandalism.

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release