[3.0] putty: old-style scp downloads may allow remote code execution (CVE-2016-2563)
Prior to any download in the SCP sink protocol, the server sends a line of text consisting of an octal number encoding Unix file permissions, a decimal number encoding the file size, and the file name. Since the file size can exceed 2^32 bytes, and in some compilation configurations of PuTTY the host platform’s largest integer type is only 32 bits wide, PuTTY extracts the decimal file size into a temporary string variable to send to its own 64-bit decimal decoding function.
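As an added illustration (not PuTTY's code and not taken from the fix), the header line described above can be parsed without any temporary string at all, by accumulating the size digits directly into a 64-bit value with an overflow check. The leading `C` record type, the 07777 cap on the mode and the name `parse_sink_header` are assumptions not stated on this page.

```c
#include <stddef.h>
#include <stdint.h>

/* Parse an SCP sink header of the assumed form
 *   "C<octal mode> <decimal size> <file name>\n".
 * Returns 0 on success, -1 on malformed or out-of-range input.
 * On success *name points into line at the start of the file name. */
int parse_sink_header(const char *line, unsigned *mode,
                      uint64_t *size, const char **name)
{
    const char *p = line;
    unsigned m = 0;
    uint64_t sz = 0;
    int digits;

    if (*p++ != 'C')
        return -1;

    /* Octal permissions: reject anything above 07777 (assumed cap). */
    for (digits = 0; *p >= '0' && *p <= '7'; p++, digits++) {
        m = m * 8 + (unsigned)(*p - '0');
        if (m > 07777)
            return -1;
    }
    if (digits == 0 || *p++ != ' ')
        return -1;

    /* Decimal size: accumulate in 64 bits regardless of the width of
     * long on the host, and reject input that would wrap around.
     * No server-controlled digits are copied into a buffer. */
    for (digits = 0; *p >= '0' && *p <= '9'; p++, digits++) {
        unsigned d = (unsigned)(*p - '0');
        if (sz > (UINT64_MAX - d) / 10)
            return -1;
        sz = sz * 10 + d;
    }
    if (digits == 0 || *p++ != ' ')
        return -1;

    /* File name must be present. */
    if (*p == '\0' || *p == '\n')
        return -1;

    *mode = m;
    *size = sz;
    *name = p;
    return 0;
}
```

The size field has no length limit here because it is never stored as text; an arbitrarily long digit run from the server is rejected at the first digit that would overflow 64 bits.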
Fixed In Version:
putty 0.67
References:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2563
http://seclists.org/fulldisclosure/2016/Mar/22
Patch:
(from redmine: issue id 5254, created on 2016-03-10, closed on 2016-03-14)
- Relations:
- parent #5249 (closed)
- Changesets:
- Revision d65dec66 on 2016-03-14T10:26:37Z:
main/putty: security upgrade to 0.67 (CVE-2016-2563). Fixes #5254
(cherry picked from commit 7c18b536e1c1329ab8466eb402c956ebfff315ba)