-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2016.0022
                 PuTTY vulnerability vuln-pscp-sink-sscanf
                               7 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              PuTTY
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-2563  
Member content until: Wednesday, April  6 2016

OVERVIEW

        A vulnerability has been identified in PuTTY prior to version 0.67. [1]


IMPACT

        The vendor has provided the following details regarding the 
        vulnerability:
        
        "Prior to any download in the SCP sink protocol, the server sends a
        line of text consisting of an octal number encoding Unix file 
        permissions, a decimal number encoding the file size, and the file 
        name. Since the file size can exceed 2^32 bytes, and in some 
        compilation configurations of PuTTY the host platform's largest 
        integer type is only 32 bits wide, PuTTY extracts the decimal file 
        size into a temporary string variable to send to its own 64-bit 
        decimal decoding function. Unfortunately, that extraction was done 
        carelessly, using a sscanf with no length limit, permitting a buffer
        overrun." [1]
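
        The following is an added illustration of the bug class the vendor
        describes, written for this bulletin; it is not PuTTY's code and does
        not reproduce the fixed function. It shows the unsafe extraction
        pattern as a comment and a bounded replacement that copies at most
        20 decimal digits (the width of 2^64-1) into the temporary string
        before handing it to a 64-bit decoder, rejecting longer fields
        instead of overrunning the buffer. The function name, the structure
        layout, the buffer sizes and the assumption that the caller has
        already consumed the scp 'C' command byte are all choices made for
        this example.

```c
/* Added example for ASB-2016.0022: bounded parsing of an SCP sink header
 * line of the form "<octal mode> <decimal size> <name>\n".
 * Not PuTTY's code; names, sizes and layout are constructed for illustration.
 * Assumes the caller has already consumed the leading 'C' command byte. */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIZE_FIELD_MAX 20   /* 2^64-1 is 20 decimal digits long */

/* The unsafe pattern the advisory describes, shown only as a comment:
 *
 *   char sizestr[40];
 *   sscanf(line, "%o %s %s", &mode, sizestr, name);   // unbounded %s
 *
 * A size field longer than sizeof(sizestr)-1 bytes is written past the end
 * of the stack buffer. The parser below never does an unbounded copy. */

typedef struct {
    unsigned mode;      /* Unix permission bits */
    uint64_t size;      /* file size, decoded as 64-bit */
    char name[256];     /* file name, bounded copy */
} scp_header;

/* Returns 0 on success, -1 if the line is malformed or any field is too
 * long for its destination. Never writes beyond the fixed-size fields. */
int parse_scp_header(const char *line, scp_header *out)
{
    char sizestr[SIZE_FIELD_MAX + 1];
    const char *p = line;
    char *end;

    /* mode: a run of octal digits followed by a single space */
    if (!isdigit((unsigned char)*p)) return -1;
    errno = 0;
    unsigned long mode = strtoul(p, &end, 8);
    if (end == p || *end != ' ' || errno != 0) return -1;
    p = end + 1;

    /* size: copy at most SIZE_FIELD_MAX decimal digits, then decode them */
    size_t n = 0;
    while (isdigit((unsigned char)p[n])) {
        if (n == SIZE_FIELD_MAX) return -1;   /* too long: reject, do not overrun */
        sizestr[n] = p[n];
        n++;
    }
    if (n == 0 || p[n] != ' ') return -1;
    sizestr[n] = '\0';
    p += n + 1;

    errno = 0;
    unsigned long long size = strtoull(sizestr, &end, 10);
    if (*end != '\0' || errno == ERANGE) return -1;  /* exceeds 64 bits */

    /* name: everything up to end of line, bounded by the destination */
    size_t len = strcspn(p, "\r\n");
    if (len == 0 || len >= sizeof(out->name)) return -1;
    memcpy(out->name, p, len);
    out->name[len] = '\0';

    out->mode = (unsigned)mode;
    out->size = (uint64_t)size;
    return 0;
}

int main(void)
{
    scp_header h;
    /* constructed sample header: a 5 GB file, larger than 2^32 bytes */
    if (parse_scp_header("0644 5000000000 file.bin\n", &h) == 0)
        printf("mode=%o size=%llu name=%s\n", h.mode,
               (unsigned long long)h.size, h.name);
    /* constructed oversized size field: rejected rather than overrun */
    printf("oversized field -> %d\n",
           parse_scp_header("0644 123456789012345678901234 x\n", &h));
    return 0;
}
```

        The point of the bounded loop is that the length check happens
        before each byte is stored; a size field of any length from an
        untrusted server can at worst produce a rejected line, never a
        write past the temporary buffer.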


MITIGATION

        The vendor advises that updating to the latest version will fix this 
        issue. [1]


REFERENCES

        [1] PuTTY vulnerability vuln-pscp-sink-sscanf
            http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----