Possible security issue with WinSCP < 5.14

[onyxmaster]

https://www.zdnet.com/article/scp-implementations-impacted-by-36-years-old-security-flaws/

[ghost]

Fixed in original WinSCP source here: https://winscp.net/tracker/1675 Commit of fix in WinSCP: https://github.com/winscp/winscp/commit/49d876f2c5fc00bcedaa986a7cf6dedd6bf16f54 Seems straightforward to backport

Pull request #280

[VictorVG]

0xABD

Can't build than try apply Your patch to Git dbb8ff2 possible is my typo, but if use VC2010/2015 DLL not build .:(

[skipik]

I built it including those fixes without any problem. I used VS2017 though. https://www.upload.ee/files/9454385/FarNetBox-2.4.5.531_Far3_x86.7z.html https://www.upload.ee/files/9454390/FarNetBox-2.4.5.531_Far3_x64.7z.html

[VictorVG]

Ok. Only this compiller not't tested - no time...

[VictorVG]

Build Ok!, problem's source is my typo. Fixed, but not tested. Build in to VC2010.

P.S.

Как обычно - одновременно делать работу, и писать бумаги - какой злой дух придумал сиё наказание!?:( Да мне легче дивизию чертей наловить, обстричь, рога поотшибать и вместе с шерстью сдать в счёт госпаставок - в Аду тепло, не замёрзнут.:)

[VictorVG]

Tested - Ok! Additional test - download FreeBSD 12 STABLE images - it's not so easy to get to them. on the servers of the daemon, a cascade of inter-server symlinks is used - the images lie on a cluster of NFS servers and this is a good test for "have we not broken the work with symlinks and FTP?" and work with complex server systems.

The same cascade, for example, does not allow to see the real size of the file ftp://ftp.freebsd.org/pub/FreeBSD/ports/ports/ports.tar.gz - through the symlink it is addressed ftp://ftp.freebsd.org/pub/ FreeBSD/development/tarballs/ports_current.tar.gz and if you don’t know this, you won’t find the file.

[VictorVG]

Whats new?:) If try VC++2010 build and open for update 7-Zip archive in to local FTP have crash in to GetFilesW():

and stack:

Исключительная ситуация

0x7FEFD79A06D KERNELBASE.dll!RaiseException
0x00140271B32 Far.exe!<unknown> (get the pdb)
0x001402731AD Far.exe!<unknown> (get the pdb)
0x001400981A0 Far.exe!<unknown> (get the pdb)
0x001402BCEF0 Far.exe!<unknown> (get the pdb)
0x00140273460 Far.exe!<unknown> (get the pdb)
0x00140270A6C Far.exe!<unknown> (get the pdb)
0x00077A8B681 ntdll.dll!RtlRestoreContext
0x00140174716 Far.exe!<unknown> (get the pdb)
0x001401735A9 Far.exe!<unknown> (get the pdb)
0x00140170D55 Far.exe!<unknown> (get the pdb)
0x001401983BB Far.exe!<unknown> (get the pdb)
0x001400C1E5B Far.exe!<unknown> (get the pdb)
0x001400C412A Far.exe!<unknown> (get the pdb)
0x001400E5E60 Far.exe!<unknown> (get the pdb)
0x00140145385 Far.exe!<unknown> (get the pdb)
0x00140144689 Far.exe!<unknown> (get the pdb)
0x001401444E9 Far.exe!<unknown> (get the pdb)
0x0014013DFC1 Far.exe!<unknown> (get the pdb)
0x00140140ECD Far.exe!<unknown> (get the pdb)
0x00140141082 Far.exe!<unknown> (get the pdb)
0x00140141194 Far.exe!<unknown> (get the pdb)
0x001401411C2 Far.exe!<unknown> (get the pdb)
0x0014014114E Far.exe!<unknown> (get the pdb)
0x0014026F3E9 Far.exe!<unknown> (get the pdb)
0x000778359CD kernel32.dll!BaseThreadInitThunk
0x00077A6A561 ntdll.dll!RtlUserThreadStart

OK

(this build not have .PDB removed my toolkit then assembly). I try VC++2015 build and skipik VC++2017 build - possible also my typo? "Minidump" have "small" file size -- only 476 mb (this computer have is 16 Gb physical RAM).

[VictorVG]

I find source for problem's - typo in to NetBoxRus.lng::212 - just diff:

--- typo/NetBoxRus.lng  Tue Jan 22 16:56:37 2019
+++ fixed/NetBoxRus.lng Wed Jan 23 15:25:06 2019
@@ -209,7 +209,7 @@
 "&Имя пользователя:"
 "&Пароль:"
 "Файл с секретным &ключом:"
- Протокол "
+" Протокол "
 "П&ротокол: "
 "SCP"
 "SFTP"

[VictorVG]

VC++2010 NetBox v2.4.5.531 Git-a7345ca4f minimal OS required: x86 - WinXP SP3, AMD64 - Vista .

Fix a typo in a failed commit

[ghost]

@michaellukashov How can I help further with this issue? Also, how do we include the fix to Far mainline?

[ghost]

Reported into Far bug tracker at https://bugs.farmanager.com/view.php?id=3705

[trexinc]

merged