Security vulnerabilities in Putty prior to 0.71

Bug #1821407 reported by Hunter Buchanan
Affects: putty (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Putty 0.71 was released, patching major security vulnerabilities present in previous versions. Vulnerabilities are laid out in the following CVE reports, ranging in severity from High to Critical:

CVE-2019-9898 Potential recycling of random numbers used in cryptography exists within PuTTY before 0.71.
CVE-2019-9897 Multiple denial-of-service attacks that can be triggered by writing to the terminal exist in PuTTY versions before 0.71.
CVE-2019-9895 In PuTTY versions before 0.71 on Unix, a remotely triggerable buffer overflow exists in any kind of server-to-client forwarding.
CVE-2019-9894 A remotely triggerable memory overwrite in RSA key exchange in PuTTY before 0.71 can occur before host key verification.

Threats can be mitigated by providing Putty 0.71 to Ubuntu via Apt on Disco, Cosmic, Bionic, and Xenial, if not others.

information type: Private Security → Public Security
Hunter Buchanan (hrbuchanan) wrote :

Tried to link CVEs to the bug report but the database hasn't been pulled recently enough. Will try again later today or tomorrow.

tags: added: bionic
tags: added: cosmic disco xenial
Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

tags: added: community-security
Seth Arnold (seth-arnold) wrote :

The Launchpad CVE integration was a nice idea but never really grew into anything.

The Ubuntu security team tracks CVEs through a different database, e.g.:

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9898.html

You can see the CVEs that we know about for Putty via:

https://people.canonical.com/~ubuntu-security/cve/pkg/putty.html

If you're in a position to prepare updates for universe, please take into account all the known CVEs, not just the most recent ones.

Thanks

Colin Watson (cjwatson) wrote :

This is in progress - I've been working on getting backports in place in Debian, and Ubuntu should mostly be able to use the same patches.

Colin Watson (cjwatson) wrote :

Though for clarity, we won't be backporting 0.71 wholesale, but rather applying cherry-picked security updates. I've been consulting with upstream on this.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package putty - 0.67-3+deb9u1build0.16.04.1

---------------
putty (0.67-3+deb9u1build0.16.04.1) xenial-security; urgency=medium

  * fake sync from Debian (LP: #1821407)

putty (0.67-3+deb9u1) stretch-security; urgency=high

  * Backport security fixes from 0.71:
    - In random_add_noise, put the hashed noise into the pool, not the raw
      noise.
    - New facility for removing pending toplevel callbacks.
    - CVE-2019-9898: Fix one-byte buffer overrun in random_add_noise().
    - uxnet: clean up callbacks when closing a NetSocket.
    - sk_tcp_close: fix memory leak of output bufchain.
    - Fix handling of bad RSA key with n=p=q=0.
    - Sanity-check the 'Public-Lines' field in ppk files.
    - Introduce an enum of the uxsel / select_result flags.
    - CVE-2019-9895: Switch to using poll(2) in place of select(2).
    - CVE-2019-9894: RSA kex: enforce the minimum key length.
    - CVE-2019-9897: Fix crash on ESC#6 + combining chars + GTK + odd-width
      terminal.
    - CVE-2019-9897: Limit the number of combining chars per terminal cell.
    - minibidi: fix read past end of line in rule W5.
    - CVE-2019-9897: Fix crash printing a width-2 char in a width-1
      terminal.

 -- Steve Beattie <email address hidden> Tue, 21 May 2019 10:43:51 -0700

Changed in putty (Ubuntu):
status: New → Fix Released
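
An added illustration of the changelog's CVE-2019-9895 entry, "Switch to using poll(2) in place of select(2)" (this is not PuTTY's or Debian's patch): select(2) tracks descriptors in an fd_set, a fixed bitmap of FD_SETSIZE entries, so a descriptor numbered at or above that limit cannot be stored in it safely, while poll(2) takes descriptors as plain integers. The function names are hypothetical and the pipe scenario is constructed.

```c
#include <fcntl.h>
#include <poll.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* select(2) side: an fd_set is a fixed bitmap of FD_SETSIZE descriptors, so
 * FD_SET() on a larger number writes outside it. Returns 1 if added, 0 if refused. */
int fdset_add_checked(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return 0;
    FD_SET(fd, set);
    return 1;
}

/* poll(2) side: the descriptor is an int in a caller-sized array, so its
 * numeric value is not limited. Returns 1 readable, 0 timeout, -1 error. */
int wait_readable(int fd, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
    if (poll(&p, 1, timeout_ms) < 0)
        return -1;
    return (p.revents & POLLIN) ? 1 : 0;
}

/* Constructed scenario: a pipe's read end duplicated to a number >= FD_SETSIZE.
 * Returns 1 if the guard refuses it and poll() serves it, 0 if the rlimit forbids it, -1 on error. */
int demo_high_fd(void)
{
    struct rlimit rl;
    int pfd[2], high, ok;
    fd_set set;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0) {
        rl.rlim_cur = rl.rlim_max;          /* raise soft limit to hard limit */
        setrlimit(RLIMIT_NOFILE, &rl);      /* best effort; failure handled below */
    }
    if (pipe(pfd) != 0)
        return -1;
    high = fcntl(pfd[0], F_DUPFD, FD_SETSIZE);  /* lowest free fd >= FD_SETSIZE */
    if (high < 0) {
        close(pfd[0]); close(pfd[1]);
        return 0;
    }
    FD_ZERO(&set);
    ok = write(pfd[1], "x", 1) == 1 && !fdset_add_checked(high, &set)
         && wait_readable(high, 1000) == 1;
    close(high); close(pfd[0]); close(pfd[1]);
    return ok ? 1 : -1;
}
```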