Bug 278463 - ftp/filezilla: needs update to 3.67.0 to fix PuTTY bug leaking info on NIST-P521 based private keys [CVE-2024-31497]
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Kurt Jaeger
URL: https://filezilla-project.org/version...
Keywords: security
Depends on:
Blocks:
 
Reported: 2024-04-19 15:10 UTC by Matthias Andree
Modified: 2024-05-29 20:29 UTC

See Also:
pi: maintainer-feedback+
pi: merge-quarterly+


Attachments
libfilezilla update as requisite to next patch that updates filezilla (4.11 KB, patch)
2024-04-19 16:42 UTC, Matthias Andree
filezilla security update fixing the PuTTY NIST-P521 nonce vulnerability (3.90 KB, patch)
2024-04-19 16:43 UTC, Matthias Andree
redone ftp/libfilezilla update patch (requisite), now with pkg-plist update included (6.20 KB, patch)
2024-04-19 19:19 UTC, Matthias Andree
filezilla security update fixing the PuTTY NIST-P521 nonce vulnerability exposing ecdsa...nistp521 private keys (3.90 KB, patch)
2024-04-19 19:24 UTC, Matthias Andree

Description Matthias Andree freebsd_committer freebsd_triage 2024-04-19 15:10:47 UTC

    
Comment 1 Matthias Andree freebsd_committer freebsd_triage 2024-04-19 15:13:09 UTC
Hi Kurt, could you please look into updating filezilla in order to fix the PuTTY security issue on leaking information on NIST-P521 elliptic curve (in the SSH/SFTP client) nonces such that ecdsa-sha2-nistp521 PRIVATE keys could be recovered after a few tries?

Topic: PuTTY and embedders (f.i., filezilla) -- biased RNG with NIST P521/ecdsa-sha2-nistp521 signatures permits recovering private key
Affects:
    0.68 <= putty < 0.81
    0.68 <= putty-nogtk < 0.81
    filezilla < 3.67.0
References:
    cvename:CVE-2024-31497
    url:https://lists.tartarus.org/pipermail/putty-announce/2024/000038.html
    url:https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html
    url:https://git.tartarus.org/?h=c193fe9848f50a88a4089aac647fecc31ae96d27&p=simon/putty.git
    url:https://filezilla-project.org/versions.php
    url:https://nvd.nist.gov/vuln/detail/CVE-2024-31497
<URL:http://vuxml.freebsd.org/080936ba-fbb7-11ee-abc8-6960f2492b1d.html>
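
A defender-side check built from the advisory in comment 1, added here as an example (not code from the bug report or the FreeBSD ports tree): it tests a port version against the listed "Affects" ranges and finds ecdsa-sha2-nistp521 entries in authorized_keys content by decoding each key blob rather than trusting the text label. The function names and the sample lines are constructed for illustration.

```python
import base64
import struct

# Ranges from the "Affects:" list in comment 1: (inclusive low or None, exclusive high).
AFFECTED = {
    "putty": ((0, 68, 0), (0, 81, 0)),
    "putty-nogtk": ((0, 68, 0), (0, 81, 0)),
    "filezilla": (None, (3, 67, 0)),
}
P521 = "ecdsa-sha2-nistp521"

def parse_version(text):
    """'3.66.5_1,2' -> (3, 66, 5); PORTREVISION/PORTEPOCH suffixes are dropped."""
    parts = [int(p) for p in text.split(",")[0].split("_")[0].split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(name, version):
    low, high = AFFECTED.get(name, (None, (0, 0, 0)))  # unknown port: empty range
    v = parse_version(version)
    return (low is None or v >= low) and v < high

def blob_key_type(b64):  # algorithm name inside the SSH wire-format key blob
    try:
        blob = base64.b64decode(b64, validate=True)
        return blob[4:4 + struct.unpack(">I", blob[:4])[0]].decode("ascii")
    except (ValueError, struct.error):
        return None

def p521_keys(lines):
    """(line_number, comment) per P-521 entry; options may precede the key type."""
    hits = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields[:-1]):
            if field == P521 and blob_key_type(fields[i + 1]) == P521:
                hits.append((number, " ".join(fields[i + 2:])))
                break
    return hits

def _blob(key_type):  # constructed placeholder blob, not a real key
    name = key_type.encode()
    return base64.b64encode(struct.pack(">I", len(name)) + name + bytes(8)).decode()
SAMPLE = [  # constructed authorized_keys content
    f"ssh-ed25519 {_blob('ssh-ed25519')} alice@laptop",
    f'command="echo hi" {P521} {_blob(P521)} backup@sftp-client',
    f"{P521} {_blob('ssh-rsa')} label-and-blob-disagree",
]
```
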
Comment 2 Matthias Andree freebsd_committer freebsd_triage 2024-04-19 16:42:30 UTC
Created attachment 250088
libfilezilla update as requisite to next patch that updates filezilla

Attached two patches without Approved: lines in the changelog and for git am (you may need to rebase) to update libfilezilla and filezilla.

Note we need to strip out parts of the Impersonation code because it uses shadow.h-related Linuxism. See the patch's commit message for details (inside the attached patch).
Comment 3 Matthias Andree freebsd_committer freebsd_triage 2024-04-19 16:43:10 UTC
Created attachment 250089
filezilla security update fixing the PuTTY NIST-P521 nonce vulnerability
Comment 4 Kurt Jaeger freebsd_committer freebsd_triage 2024-04-19 17:49:42 UTC
Thanks for the patches, testbuilds@work
Comment 5 Matthias Andree freebsd_committer freebsd_triage 2024-04-19 18:08:57 UTC
Note you will need to do run-time tests especially around user impersonation - that's what I changed, and I haven't run-time tested at all.
Comment 6 Kurt Jaeger freebsd_committer freebsd_triage 2024-04-19 18:48:08 UTC
(In reply to Matthias Andree from comment #5)
All testbuilds of libfilezilla via poudriere seem to fail in a similar fashion:

https://people.freebsd.org/~pi/logs/libfilezilla.txt

(this one's for 14.0-amd64) -- any idea ?
Comment 7 Matthias Andree freebsd_committer freebsd_triage 2024-04-19 19:16:40 UTC
(In reply to Kurt Jaeger from comment #6)
yes, I forgot to commit/send the pkg-plist update for libfilezilla. Fix coming up.
Comment 8 Matthias Andree freebsd_committer freebsd_triage 2024-04-19 19:19:28 UTC
Created attachment 250091
redone ftp/libfilezilla update patch (requisite), now with pkg-plist update included

this replaces the older 250088 0001-...patch file - the earlier one missed the pkg-plist update.
Comment 9 Matthias Andree freebsd_committer freebsd_triage 2024-04-19 19:24:02 UTC
Created attachment 250092
filezilla security update fixing the PuTTY NIST-P521 nonce vulnerability exposing ecdsa...nistp521 private keys

This one also redone because I generated it with git format-patch, in case the obsoleted one would not apply on top of the redone 0001-*
Comment 10 Kurt Jaeger freebsd_committer freebsd_triage 2024-04-20 06:21:21 UTC
(In reply to Matthias Andree from comment #9)
testbuild on 15 looks ok. 14/13.3/13.2 still ongoing.
testruns: I'm no filezilla-user, so I don't know where to look. Btw, thanks for the update, I tried and failed to find a valid patch for the update.
Comment 11 commit-hook freebsd_committer freebsd_triage 2024-04-20 08:27:54 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8f0aec74837272d9888ce5fd220b0454b06f8a17

commit 8f0aec74837272d9888ce5fd220b0454b06f8a17
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2024-04-20 08:21:02 +0000
Commit:     Kurt Jaeger <pi@FreeBSD.org>
CommitDate: 2024-04-20 08:24:52 +0000

    ftp/filezilla: update 3.55.1 -> 3.67.0, includes security fix

    - also update ftp/libfilezilla 0.31.1 -> 0.47.0

    PR:             278463
    Security:       CVE-2024-31497
    Author:         Matthias Andree <mandree@FreeBSD.org>
    Changes:        https://filezilla-project.org/versions.php
    MFH:            2024Q2

 ftp/filezilla/Makefile     | 24 +++++++++++-------------
 ftp/filezilla/distinfo     |  6 +++---
 ftp/filezilla/pkg-plist    |  7 +++----
 ftp/libfilezilla/Makefile  |  7 ++++---
 ftp/libfilezilla/distinfo  |  6 +++---
 ftp/libfilezilla/pkg-plist | 21 ++++++++++++++++++---
 6 files changed, 42 insertions(+), 29 deletions(-)
Comment 12 commit-hook freebsd_committer freebsd_triage 2024-04-20 08:28:56 UTC
A commit in branch 2024Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=65c2ec36654fb4095c74686e82f7d2a85a868622

commit 65c2ec36654fb4095c74686e82f7d2a85a868622
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2024-04-20 08:21:02 +0000
Commit:     Kurt Jaeger <pi@FreeBSD.org>
CommitDate: 2024-04-20 08:27:34 +0000

    ftp/filezilla: update 3.55.1 -> 3.67.0, includes security fix

    - also update ftp/libfilezilla 0.31.1 -> 0.47.0

    PR:             278463
    Security:       CVE-2024-31497
    Author:         Matthias Andree <mandree@FreeBSD.org>
    Changes:        https://filezilla-project.org/versions.php
    MFH:            2024Q2
    (cherry picked from commit 8f0aec74837272d9888ce5fd220b0454b06f8a17)

 ftp/filezilla/Makefile     | 24 +++++++++++-------------
 ftp/filezilla/distinfo     |  6 +++---
 ftp/filezilla/pkg-plist    |  7 +++----
 ftp/libfilezilla/Makefile  |  7 ++++---
 ftp/libfilezilla/distinfo  |  6 +++---
 ftp/libfilezilla/pkg-plist | 21 ++++++++++++++++++---
 6 files changed, 42 insertions(+), 29 deletions(-)
Comment 13 Kurt Jaeger freebsd_committer freebsd_triage 2024-04-20 10:09:04 UTC
Committed, thanks for the patch! TODO: vuxml
Comment 14 Matthias Andree freebsd_committer freebsd_triage 2024-04-20 10:28:43 UTC
Vuxml was already done with the Putty entry. Please check if you want to amend it.
Comment 15 commit-hook freebsd_committer freebsd_triage 2024-04-21 07:22:16 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c392b136785e44d496fb7dc744ee616a9374197e

commit c392b136785e44d496fb7dc744ee616a9374197e
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2024-04-21 07:21:14 +0000
Commit:     Kurt Jaeger <pi@FreeBSD.org>
CommitDate: 2024-04-21 07:21:47 +0000

    ftp/libfilezilla: fix build by adding missing patch

    PR:     278463

 .../files/patch-lib_impersonation.cpp (new)        | 73 ++++++++++++++++++++++
 1 file changed, 73 insertions(+)
Comment 16 commit-hook freebsd_committer freebsd_triage 2024-04-21 07:23:17 UTC
A commit in branch 2024Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=754e77708d675b79550a4c591314df5a60303a21

commit 754e77708d675b79550a4c591314df5a60303a21
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2024-04-21 07:21:14 +0000
Commit:     Kurt Jaeger <pi@FreeBSD.org>
CommitDate: 2024-04-21 07:22:50 +0000

    ftp/libfilezilla: fix build by adding missing patch

    PR:     278463
    (cherry picked from commit c392b136785e44d496fb7dc744ee616a9374197e)

 .../files/patch-lib_impersonation.cpp (new)        | 73 ++++++++++++++++++++++
 1 file changed, 73 insertions(+)