Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Possible security issue with WinSCP < 5.14 #279

Closed
onyxmaster opened this issue Jan 20, 2019 · 12 comments

Comments

Projects
None yet
5 participants
@0xABD

This comment has been minimized.

Copy link
Contributor

commented Jan 20, 2019

Fixed in original WinSCP source here: https://winscp.net/tracker/1675
Commit of fix in WinSCP: winscp/winscp@49d876f
Seems straightforward to backport

Pull request #280

@VictorVG

This comment has been minimized.

Copy link

commented Jan 21, 2019

0xABD

Can't build than try apply Your patch to Git dbb8ff2 possible is my typo, but if use VC2010/2015 DLL not build .:(

@skipik

This comment has been minimized.

Copy link

commented Jan 21, 2019

@VictorVG

This comment has been minimized.

Copy link

commented Jan 21, 2019

Ok. Only this compiller not't tested - no time...

@VictorVG

This comment has been minimized.

Copy link

commented Jan 22, 2019

Build Ok!, problem's source is my typo. Fixed, but not tested. Build in to VC2010.

P.S.

Как обычно - одновременно делать работу, и писать бумаги - какой злой дух придумал сиё наказание!?:( Да мне легче дивизию чертей наловить, обстричь, рога поотшибать и вместе с шерстью сдать в счёт госпаставок - в Аду тепло, не замёрзнут.:)

@VictorVG

This comment has been minimized.

Copy link

commented Jan 22, 2019

Tested - Ok! Additional test - download FreeBSD 12 STABLE images - it's not so easy to get to them. on the servers of the daemon, a cascade of inter-server symlinks is used - the images lie on a cluster of NFS servers and this is a good test for "have we not broken the work with symlinks and FTP?" and work with complex server systems.

The same cascade, for example, does not allow to see the real size of the file ftp://ftp.freebsd.org/pub/FreeBSD/ports/ports/ports.tar.gz - through the symlink it is addressed ftp://ftp.freebsd.org/pub/ FreeBSD/development/tarballs/ports_current.tar.gz and if you don’t know this, you won’t find the file.

@VictorVG

This comment has been minimized.

Copy link

commented Jan 23, 2019

Whats new?:) If try VC++2010 build and open for update 7-Zip archive in to local FTP have crash in to GetFilesW():

1

and stack:

Исключительная ситуация

0x7FEFD79A06D KERNELBASE.dll!RaiseException
0x00140271B32 Far.exe!<unknown> (get the pdb)
0x001402731AD Far.exe!<unknown> (get the pdb)
0x001400981A0 Far.exe!<unknown> (get the pdb)
0x001402BCEF0 Far.exe!<unknown> (get the pdb)
0x00140273460 Far.exe!<unknown> (get the pdb)
0x00140270A6C Far.exe!<unknown> (get the pdb)
0x00077A8B681 ntdll.dll!RtlRestoreContext
0x00140174716 Far.exe!<unknown> (get the pdb)
0x001401735A9 Far.exe!<unknown> (get the pdb)
0x00140170D55 Far.exe!<unknown> (get the pdb)
0x001401983BB Far.exe!<unknown> (get the pdb)
0x001400C1E5B Far.exe!<unknown> (get the pdb)
0x001400C412A Far.exe!<unknown> (get the pdb)
0x001400E5E60 Far.exe!<unknown> (get the pdb)
0x00140145385 Far.exe!<unknown> (get the pdb)
0x00140144689 Far.exe!<unknown> (get the pdb)
0x001401444E9 Far.exe!<unknown> (get the pdb)
0x0014013DFC1 Far.exe!<unknown> (get the pdb)
0x00140140ECD Far.exe!<unknown> (get the pdb)
0x00140141082 Far.exe!<unknown> (get the pdb)
0x00140141194 Far.exe!<unknown> (get the pdb)
0x001401411C2 Far.exe!<unknown> (get the pdb)
0x0014014114E Far.exe!<unknown> (get the pdb)
0x0014026F3E9 Far.exe!<unknown> (get the pdb)
0x000778359CD kernel32.dll!BaseThreadInitThunk
0x00077A6A561 ntdll.dll!RtlUserThreadStart

OK

(this build not have .PDB removed my toolkit then assembly). I try VC++2015 build and skipik VC++2017 build - possible also my typo? "Minidump" have "small" file size -- only 476 mb (this computer have is 16 Gb physical RAM).

@VictorVG

This comment has been minimized.

Copy link

commented Jan 23, 2019

I find source for problem's - typo in to NetBoxRus.lng::212 - just diff:

--- typo/NetBoxRus.lng	Tue Jan 22 16:56:37 2019
+++ fixed/NetBoxRus.lng	Wed Jan 23 15:25:06 2019
@@ -209,7 +209,7 @@
 "&Имя пользователя:"
 "&Пароль:"
 "Файл с секретным &ключом:"
- Протокол "
+" Протокол "
 "П&ротокол: "
 "SCP"
 "SFTP"
@VictorVG

This comment has been minimized.

Copy link

commented Jan 23, 2019

VC++2010 NetBox v2.4.5.531 Git-a7345ca4f minimal OS required: x86 - WinXP SP3, AMD64 - Vista .

Fix a typo in a failed commit

@0xABD

This comment has been minimized.

Copy link
Contributor

commented Feb 12, 2019

@michaellukashov How can I help further with this issue? Also, how do we include the fix to Far mainline?

@0xABD

This comment has been minimized.

Copy link
Contributor

commented Apr 22, 2019

Reported into Far bug tracker at https://bugs.farmanager.com/view.php?id=3705

@trexinc trexinc closed this May 26, 2019

@trexinc

This comment has been minimized.

Copy link
Collaborator

commented May 26, 2019

merged

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.