is WinSCP ok? 2005-02-20 SECURITY HOLE, fixed in PuTTY 0.57

from https://www.chiark.greenend.org.uk/~sgtatham/putty/
2005-02-20 SECURITY HOLE, fixed in PuTTY 0.57

PuTTY 0.57, released today, fixes two security holes which can allow a malicious SFTP server to execute code of its choice on a PSCP or PSFTP client connecting to it. We recommend everybody upgrade to 0.57 as soon as possible.


https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-sftp-readdir.html
PuTTY vulnerability vuln-sftp-readdir
summary: Vulnerability: crafted SFTP FXP_READDIR reply may allow remote code execution
present-in: 0.56
difficulty: fun: Just needs tuits, and not many of them.
class: vulnerability: This is a security vulnerability.
fixed-in: 0.57
priority: high: This should be fixed in the next release.


https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-sftp-string.html
PuTTY vulnerability vuln-sftp-string
summary: Vulnerability: crafted SFTP string may allow remote code execution
present-in: 0.56
difficulty: fun: Just needs tuits, and not many of them.
class: vulnerability: This is a security vulnerability.
fixed-in: 0.57
priority: high: This should be fixed in the next release.


best bob

Here (<invalid hyperlink removed by admin>) is the official iDEFENSE advisory with some code details...

I am the one who packages UCamSRCF-SSHTools (<invalid hyperlink removed by admin>). It is a package contains various Win32 SSH clients: putty/pscp/psftp, winscp, iXplorer.

I also look forward to an updated version of winscp to fix this vulneriability so I can re-packege UCamSRCf-SSHTools.

A couple of days ago (right before putty v0.57 was released) I checked the change history at https://winscp.net/eng/docs/history and I remember the version 3.7.4 uses the CVS putty. However, the about box still says it is based on putty v0.56. I am not sure if winscp v3.7.4 patches the hole or not.

PS: the change history was blanked yesterday. The page says:

history.txt · Last modified: 23 Feb 2005 23:32 by 64.107.94.21

Thanks

After a bit search, I found the archive of the changelogs in this site,
https://winscp.net/eng/docs/history?rev=1108793832

It turns out the the SSH core is based on the development snapshot of Putty 2005-01-28 (since version 3.7.2). Does this mean version 3.7.4 is vulnerible?

Martin, would you please confirm? Sorry if I sound too aggresive. It just pity to exclude this nice product out of UCamSRCF-SSHTools. After all, we are indebt to you for your great contribution.

Thanks,

https://winscp.net/forum/viewtopic.php?p=6640#6640

I was away for week, that's why I'm replying so late. WinSCP does not share the SFTP code with Putty. So it is not vulnerable. Well at least not with the described vulnerability :-)

Thanks for confirming this, Martin. I'll update SRCF page about this.

Which version of putty has newer code base, the stable v0.57 or the CVS snapshot on 2005-01-28? You must know the detail. If v0.57 includes everything in 2005-01-28 snapshot, it may be good to upgrade the ssh core asap.

Thanks again

KB wrote:

Which version of putty has newer code base, the stable v0.57 or the CVS snapshot on 2005-01-28? You must know the detail. If v0.57 includes everything in 2005-01-28 snapshot, it may be good to upgrade the ssh core asap.

0.57 is the same as 0.56, it just solves the security issue and few other bugs. 2005-01-28 includes much more changes (for example KEX panel).