Arch Linux Security Advisory ASA-201503-1 ========================================= Severity: Medium Date : 2015-03-02 CVE-ID : CVE-2015-2157 Package : putty Type : information disclosure Remote : No Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package putty before version 0.64-1 is vulnerable to information disclosure of SSH-2 private key information. Resolution ========== Upgrade to 0.64-1. # pacman -Syu "putty>=0.64-1" The problem has been fixed upstream in version 0.64. Workaround ========== None. Description =========== When PuTTY has sensitive data in memory and has no further need for it, it should wipe the data out of its memory, in case malware later gains access to the PuTTY process or the memory is swapped out to disk or written into a crash dump file. An obvious example of this is the password typed during SSH login; other examples include obsolete session keys, public-key passphrases, and the private halves of public keys. After loading a private key from a disk file, PuTTY mistakenly leak a memory buffer containing a copy of the private key, in the function ssh2_load_userkey. The companion function ssh2_save_userkey (only called by PuTTYgen) can also leak a copy, but only in the case where the file it tried to save to could not be created. This applies to SSH-2 private keys only. It affects all tools in the PuTTY suite which load or save private keys: PuTTY, Plink, PSCP, PSFTP, Pageant and PuTTYgen. If any of those programs loads a private key directly (rather than getting a signature from an SSH agent such as Pageant) then they will have left information equivalent to the private key in memory for their entire run. Impact ====== A local attacker is able to retrieve SSH-2 private key information from memory after loading and saving key files to disk as a result of inappropriate wipe. References ========== http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-w... https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2157