Putty security fix was included in 3.6.7 released today.

From CORE-2004-0705 (<invalid hyperlink removed by admin>)

Simon has added his own writeups of the bugs to the wishlist pages:

https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modpow.html
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-ssh1-kex.html

Peter

Thanks for the link.

While I do not understand why they mention only PSCP and Putty, when at least PSFTP shares the same code, so it should be vulnerable, I fear that it probably means WinSCP is vulnerable as well. I'm going to release patched version tomorrow, if possible.

From CORE-2004-0705 (<invalid hyperlink removed by admin>)

The vulnerabilities were triggered by modifying the implementation of OpenSSH 3.8.1p1, specifically by modifying the following functions:

packet_put_int
packet_put_string
packet_put_cstring
packet_put_raw
packet_put_bignum
packet_put_bignum2

to send specially crafted packets to the SSH client.

I know all this. But the information is not very useful to find actual cause of the problem. I got latest source code. I have also checked CSV. Unfortunatelly I'm not sure what, if any, changes in the code corresponds to the vulnerability. So either the fix is not publicly available yet. Or the problem was fixed in past, but the Putty author has not realized then that it had so serious consequences. Only now he has realized it and released quickly fixed version with old fix.

Also the chances are the problem maybe in Putty GUI, which is not shared with WinSCP, so may not affect it at all.

Oh, and the previously-linked site has the 0.55 Unix source code up, but I'm not sure if the development snapshot source is for 0.55 or some earlier version.

From here:

2004-08-03 SECURITY HOLE, fixed in PuTTY 0.55

PuTTY 0.55, released today, fixes a serious security hole which may allow a server to execute code of its choice on a PuTTY client connecting to it. In SSH2, the attack can be performed before host key verification, meaning that even if you trust the server you think you are connecting to, a different machine could be impersonating it and could launch the attack before you could tell the difference. We recommend everybody upgrade to 0.55 as soon as possible.

Is WinSCP vulnerable to the security hole found in Putty 0.54 and earlier?

So far I was not able to get any details about the vulnerability. It seems that available Putty source code does not contain the fix, so I cannot check even that way. Or it was fixed long time ago and I have not noticed, but I doubt.

If you have any details, please let me know.

Is WinSCP vulnerable to the security hole found in Putty 0.54 and earlier?