Package: putty / 0.62-9+deb7u3

vuln-signature-stringlen.patch Patch series | download
Description: CVE-2013-4852
 Negative string length in public-key signatures could cause integer
 overflow and overwrite all of memory.
Origin: upstream, http://svn.tartarus.org/sgt?view=rev&revision=9896
Origin: upstream, http://svn.tartarus.org/sgt?view=rev&revision=9978
Bug: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-signature-stringlen.html
Bug-Debian: http://bugs.debian.org/718779
Forwarded: not-needed
Last-Update: 2013-08-07

Index: b/import.c
===================================================================
--- a/import.c
+++ b/import.c
@@ -290,7 +290,7 @@
     if (len < 4)
         goto error;
     bytes = GET_32BIT(d);
-    if (len < 4+bytes)
+    if (bytes < 0 || len-4 < bytes)
         goto error;
 
     ret->start = d + 4;
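Review bot: The rewritten bound check `if (bytes < 0 || len-4 < bytes)` carries no comment explaining why the comparison was rearranged, so a later cleanup could easily restore the `4+bytes` form. I would add `/* bytes is read from the input: reject negatives, and subtract from len instead of adding to bytes so the sum cannot overflow */` above it. The `bytes < 0` test only means something if `bytes` is a signed type; it is declared outside this hunk, so that is worth confirming. The enclosing function starts and ends outside the hunk.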
Index: b/sshdss.c
===================================================================
--- a/sshdss.c
+++ b/sshdss.c
@@ -43,6 +43,8 @@
     if (*datalen < 4)
 	return;
     *length = GET_32BIT(*data);
+    if (*length < 0)
+        return;
     *datalen -= 4;
     *data += 4;
     if (*datalen < *length)
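Review bot: The new early `return` on `*length < 0` leaves the negative value stored in `*length`, and because the function returns nothing, a caller that inspects the length and not the pointer output would still see it. Either clear it before returning, `if (*length < 0) { *length = 0; return; }`, or add a comment stating that callers must test the returned string pointer for NULL and ignore `*length` on failure. How the pointer output is initialised is outside this hunk, so I am assuming it is set to NULL before this point. The same applies to the identical hunk in sshrsa.c at `@@ -526,6 +526,8 @@`. The function starts and ends outside both hunks.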
@@ -70,6 +72,9 @@
 {
     Bignum b;
 
+    if (*datalen < 20)
+        return NULL;
+
     b = bignum_from_bytes((unsigned char *)*data, 20);
     *data += 20;
     *datalen -= 20;
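Review bot: Returning NULL when `*datalen < 20` creates a new failure mode, but no hunk in this patch shows the callers of this function checking for it. By contrast, the `getmp` caller in sshrsa.c gains `if (!in) return 0;`. If the call sites do not already test the result, the NULL would be handed on to the bignum routines, so please confirm them; they are outside this hunk, as is the function's signature. A short comment such as `/* returns NULL if fewer than 20 bytes remain; caller must check */` above the guard would record the contract.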
@@ -98,7 +103,7 @@
     }
 #endif
 
-    if (!p || memcmp(p, "ssh-dss", 7)) {
+    if (!p || slen != 7 || memcmp(p, "ssh-dss", 7)) {
 	sfree(dss);
 	return NULL;
     }
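Review bot: The added `slen != 7` test has to stay ahead of `memcmp` in the condition, because it is what keeps the seven-byte comparison from reading beyond a shorter string, and nothing on the line says so. I would add `/* check slen first so memcmp never reads past a short name */` above the `if`. The length is also written twice as a bare `7`; using `sizeof("ssh-dss") - 1` in both places would keep it tied to the literal. The enclosing function starts and ends outside the hunk.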
Index: b/sshrsa.c
===================================================================
--- a/sshrsa.c
+++ b/sshrsa.c
@@ -526,6 +526,8 @@
     if (*datalen < 4)
 	return;
     *length = GET_32BIT(*data);
+    if (*length < 0)
+        return;
     *datalen -= 4;
     *data += 4;
     if (*datalen < *length)
@@ -838,6 +840,8 @@
 	return 0;
     }
     in = getmp(&sig, &siglen);
+    if (!in)
+        return 0;
     out = modpow(in, rsa->exponent, rsa->modulus);
     freebn(in);