Hi Kurt, could you please look into updating filezilla in order to fix PuTTY security issue on leaking information on NIST-P521 elliptic curve (in the SSH/SFTP client) nonces such that ecdsa-sha2-nistp521 PRIVATE keys could be recovered after a few tries? Topic: PuTTY and embedders (f.i., filezilla) -- biased RNG with NIST P521/ecdsa-sha2-nistp521 signatures permits recovering private key Affects: 0.68 <= putty < 0.81 0.68 <= putty-nogtk < 0.81 filezilla < 3.67.0 References: cvename:CVE-2024-31497 url:https://lists.tartarus.org/pipermail/putty-announce/2024/000038.html url:https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html url:https://git.tartarus.org/?h=c193fe9848f50a88a4089aac647fecc31ae96d27&p=simon/putty.git url:https://filezilla-project.org/versions.php url:https://nvd.nist.gov/vuln/detail/CVE-2024-31497 <URL:http://vuxml.freebsd.org/080936ba-fbb7-11ee-abc8-6960f2492b1d.html>
Created attachment 250088 [details] libfilezilla update as requisite to next patch that updates filezilla Attached two patches without Approved: lines in the changelog and for git am (you may need to rebase) to update libfilezilla and filezilla. Note we need to strip out parts of the Impersonation code because it uses shadow.h-related Linuxism. See the patch's commit message for details (inside the attached patch).
Created attachment 250089 [details] filezilla security update fixing the PuTTY NIST-P521 nonce vulnerability
Thanks for the patches, testbuilds@work
Note you will need to do run-time tests especially around user impersonation - that's what I changed, and I haven't run-time tested at all.
(In reply to Matthias Andree from comment #5) All testbuilds of libfilezilla via poudriere seem to fail in a similar fashion: https://people.freebsd.org/~pi/logs/libfilezilla.txt (this one's for 14.0-amd64) -- any idea ?
(In reply to Kurt Jaeger from comment #6) yes, I forgot to commit/send the pkg-plist update for libfilezilla. Fix coming up.
Created attachment 250091 [details] redone ftp/libfilezilla update patch (requisite), now with pkg-plist update included this replaces the older 250088 0001-...patch file - the earlier one missed the pkg-plist update.
Created attachment 250092 [details] filezilla security update fixing the PuTTY NIST-P521 nonce vulnerability exposing ecdsa...nistp521 private keys This one also redone because I generated it with git format-patch, in case the obsoleted one would not apply on top of the redone 0001-*
(In reply to Matthias Andree from comment #9) testbuild on 15 looks ok. 14/13.3/13.2 still ongoing. testruns: I'm no filezilla-user, so I don't know where to look. Btw, thanks for the update, I tried and failed to find a valid patch for the update.
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=8f0aec74837272d9888ce5fd220b0454b06f8a17 commit 8f0aec74837272d9888ce5fd220b0454b06f8a17 Author: Matthias Andree <mandree@FreeBSD.org> AuthorDate: 2024-04-20 08:21:02 +0000 Commit: Kurt Jaeger <pi@FreeBSD.org> CommitDate: 2024-04-20 08:24:52 +0000 ftp/filezilla: update 3.55.1 -> 3.67.0, includes security fix - also update ftp/libfilezilla 0.31.1 -> 0.47.0 PR: 278463 Security: CVE-2024-31497 Author: Matthias Andree <mandree@FreeBSD.org> Changes: https://filezilla-project.org/versions.php MFH: 2024Q2 ftp/filezilla/Makefile | 24 +++++++++++------------- ftp/filezilla/distinfo | 6 +++--- ftp/filezilla/pkg-plist | 7 +++---- ftp/libfilezilla/Makefile | 7 ++++--- ftp/libfilezilla/distinfo | 6 +++--- ftp/libfilezilla/pkg-plist | 21 ++++++++++++++++++--- 6 files changed, 42 insertions(+), 29 deletions(-)
A commit in branch 2024Q2 references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=65c2ec36654fb4095c74686e82f7d2a85a868622 commit 65c2ec36654fb4095c74686e82f7d2a85a868622 Author: Matthias Andree <mandree@FreeBSD.org> AuthorDate: 2024-04-20 08:21:02 +0000 Commit: Kurt Jaeger <pi@FreeBSD.org> CommitDate: 2024-04-20 08:27:34 +0000 ftp/filezilla: update 3.55.1 -> 3.67.0, includes security fix - also update ftp/libfilezilla 0.31.1 -> 0.47.0 PR: 278463 Security: CVE-2024-31497 Author: Matthias Andree <mandree@FreeBSD.org> Changes: https://filezilla-project.org/versions.php MFH: 2024Q2 (cherry picked from commit 8f0aec74837272d9888ce5fd220b0454b06f8a17) ftp/filezilla/Makefile | 24 +++++++++++------------- ftp/filezilla/distinfo | 6 +++--- ftp/filezilla/pkg-plist | 7 +++---- ftp/libfilezilla/Makefile | 7 ++++--- ftp/libfilezilla/distinfo | 6 +++--- ftp/libfilezilla/pkg-plist | 21 ++++++++++++++++++--- 6 files changed, 42 insertions(+), 29 deletions(-)
Committed, thanks for the patch! TODO: vuxml
Vuxml was already done with the Putty entry. Please check if you want to amend it.
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=c392b136785e44d496fb7dc744ee616a9374197e commit c392b136785e44d496fb7dc744ee616a9374197e Author: Matthias Andree <mandree@FreeBSD.org> AuthorDate: 2024-04-21 07:21:14 +0000 Commit: Kurt Jaeger <pi@FreeBSD.org> CommitDate: 2024-04-21 07:21:47 +0000 ftp/libfilezilla: fix build by adding missing patch PR: 278463 .../files/patch-lib_impersonation.cpp (new) | 73 ++++++++++++++++++++++ 1 file changed, 73 insertions(+)
A commit in branch 2024Q2 references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=754e77708d675b79550a4c591314df5a60303a21 commit 754e77708d675b79550a4c591314df5a60303a21 Author: Matthias Andree <mandree@FreeBSD.org> AuthorDate: 2024-04-21 07:21:14 +0000 Commit: Kurt Jaeger <pi@FreeBSD.org> CommitDate: 2024-04-21 07:22:50 +0000 ftp/libfilezilla: fix build by adding missing patch PR: 278463 (cherry picked from commit c392b136785e44d496fb7dc744ee616a9374197e) .../files/patch-lib_impersonation.cpp (new) | 73 ++++++++++++++++++++++ 1 file changed, 73 insertions(+)