Ubuntu
putty package

CVE-2015-2157 - SSH2 Private Keys Not Properly Wiped from Memory

Bug #1467631 reported by Thomas Ward on 2015-06-22
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
putty (Ubuntu)
Fix Released
Low
Unassigned
Precise
Confirmed
Low
Unassigned
Trusty
Fix Released
Low
Unassigned
Utopic
Fix Released
Low
Unassigned
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

It was found that:

The (1) ssh2_load_userkey and (2) ssh2_save_userkey functions in PuTTY 0.51 through 0.63 do not properly wipe SSH-2 private keys from memory, which allows local users to obtain sensitive information by reading the memory.

(This information is from the Ubuntu CVE Tracker at http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-2157.html)

------

This CVE has been fixed with Upstream 0.64.

This issue does not affect Vivid or Wily.

This issue affects Precise, Trusty, and Utopic.

------

This bug is being created in order to track fix status in Ubuntu packages. "Low" severity was set based on the CVE severity. "Confirmed" status was set because this is a publicly confirmed bug thanks to the CVE.

See original description
Thomas Ward (teward) wrote :

This is a DebDiff for Ubuntu Trusty. This contains the patch that was included in Debian (http://anonscm.debian.org/cgit/pkg-ssh/putty.git/tree/debian/patches/private-key-not-wiped-2.patch?id=5137922dc35f49f0b8573995420b24c1fe6ff826) which was included in Vivid.

Thomas Ward (teward) wrote :

This is a DebDiff for Ubuntu Utopic. This contains the patch that was included in Debian (http://anonscm.debian.org/cgit/pkg-ssh/putty.git/tree/debian/patches/private-key-not-wiped-2.patch?id=5137922dc35f49f0b8573995420b24c1fe6ff826) which was included in Vivid.

description: updated
Thomas Ward (teward) on 2015-06-22
description: updated
Changed in putty (Ubuntu Precise):
status: New → Confirmed
Changed in putty (Ubuntu Trusty):
status: New → Confirmed
Changed in putty (Ubuntu Utopic):
status: New → Confirmed
Changed in putty (Ubuntu Precise):
importance: Undecided → Low
Changed in putty (Ubuntu Utopic):
importance: Undecided → Low
Changed in putty (Ubuntu Trusty):
importance: Undecided → Low
Thomas Ward (teward) wrote :

Wily is not affected, and has the fix because 0.64-1.

Changed in putty (Ubuntu):
status: Confirmed → Fix Released
Thomas Ward (teward) wrote :

I forgot to include the Bug number in the debdiffs, my apologies.

Thomas Ward (teward) wrote :

This is a DebDiff for Ubuntu Precise. This contains the patch that was included in Debian (http://anonscm.debian.org/cgit/pkg-ssh/putty.git/tree/debian/patches/private-key-not-wiped-2.patch?id=5137922dc35f49f0b8573995420b24c1fe6ff826) which was included in Vivid.

***This needs additional review by the Security Team comparing the debdiff changes to the original Debian patch. This extra code review is necessary because to make the patch apply in Precise, the original patch needed to be re-engineered, applying the changes manually by hand, in order to provide for a patch import failure due to the code offsets not working for Precise. Before accepting this debdiff, please review it more thoroughly than the others.***

Marc Deslauriers (mdeslaur) wrote :

ACK on the trusty and utopic debdiffs. Packages are compiling now and will be released shortly.

NACK on the precise debdiff. It doesn't compile. If you want it to work, you are going to have to backport the smemclr() function from a more recent version of putty into misc.c and misc.h.

Changed in putty (Ubuntu Trusty):
status: Confirmed → Fix Committed
Changed in putty (Ubuntu Utopic):
status: Confirmed → Fix Committed
Marc Deslauriers (mdeslaur) wrote :

Actually, the precise package probably needs this whole fix:

http://tartarus.org/~simon-git/gitweb/?p=putty.git;a=commit;h=aa5bae89

See the following debian bug for more info:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=789686

Thomas Ward (teward) wrote :

@Marc ACK on the build failures and what else needs backported. I'll look into backporting that to make it available. (Precise debdiff removed). If I don't happen to get to it, then someone else in the community can look at it.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package putty - 0.63-4ubuntu0.1

---------------
putty (0.63-4ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: PuTTY did not properly wipe SSH-2 Private Keys from
    system memory, which can allow local users to obtain sensitive information
    by reading the memory. (LP: #1467631)
    - debian/patches/private-key-not-wiped-2.patch: Add in fix patch from
      Debian 0.63-10 packaging. Thanks to Patrick Coleman for the original
      patch.
    - CVE-2015-2157

 -- Thomas Ward <email address hidden> Mon, 22 Jun 2015 14:07:28 -0400

Changed in putty (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package putty - 0.63-8ubuntu0.1

---------------
putty (0.63-8ubuntu0.1) utopic-security; urgency=medium

  * SECURITY UPDATE: PuTTY did not properly wipe SSH-2 Private Keys from
    system memory, which can allow local users to obtain sensitive information
    by reading the memory. (LP: #1467631)
    - debian/patches/private-key-not-wiped-2.patch: Add in fix patch from
      Debian 0.63-10 packaging. Thanks to Patrick Coleman for the original
      patch.
    - CVE-2015-2157

 -- Thomas Ward <email address hidden> Mon, 22 Jun 2015 14:12:25 -0400

Changed in putty (Ubuntu Utopic):
status: Fix Committed → Fix Released
jorge (polymex07) wrote :

Add

Changed in putty (Ubuntu Precise):
status: Confirmed → Fix Committed
status: Fix Committed → Fix Released
Colin Watson (cjwatson) wrote :

Revert vandalism.

Changed in putty (Ubuntu Precise):
status: Fix Released → Confirmed
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.