PuTTY vulnerability vuln-terminal-dos-one-column-cjk


summary: DoS by terminal output if a CJK wide character is written to a 1-column-wide terminal
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
fixed-in: 03777723e553024e94d8bfcf182f3a2e92ffb914 0.71

Up to and including version 0.70, PuTTY's terminal emulator would fail an assertion if the terminal is exactly one column wide and the terminal output stream tries to print a width-2 character of the kind used by Chinese, Japanese and Korean.

Both of the conditions for this failure can be triggered by remote terminal output. (Remote-controlled resizing of the terminal window can be turned off in the Features config panel, but it's on by default.) So, if a malicious process is able to write escape sequences to your terminal, then they can terminate your entire PuTTY session uncleanly, making it impossible for you to even recover any important information from your terminal scrollback.

As of 0.71, this assertion failure is fixed. If you ask PuTTY to display a width-2 character in a width-1 terminal, it will substitute a width-1 U+FFFD REPLACEMENT CHARACTER instead of getting confused.
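The following is an added illustration, not PuTTY's own code: a toy cursor-placement model that shows the width check the 0.71 fix describes, substituting a width-1 U+FFFD when a width-2 CJK character can never fit in the terminal (width below 2), and wrapping to a fresh line when it merely does not fit at the current cursor. The names (term_t, term_put_char, cell_width) and the small hard-coded East Asian Width ranges are assumptions for the example; the sample code point U+4E2D is constructed input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model for illustration only; PuTTY's real terminal code and
   its wcwidth tables are different and far more complete. */

#define REPLACEMENT_CHAR 0xFFFDu   /* U+FFFD REPLACEMENT CHARACTER, width 1 */
#define MAX_COLS 80                /* constructed limit for the toy buffer */

typedef struct {
    int cols;                  /* terminal width in cells; may be 1 */
    int cursor;                /* next cell to write, 0 <= cursor <= cols */
    uint32_t cells[MAX_COLS];  /* one screen row; 0 means empty cell */
} term_t;

/* Simplified East Asian Width: wide for the common CJK block ranges only. */
static int cell_width(uint32_t cp)
{
    if ((cp >= 0x1100 && cp <= 0x115F) ||     /* Hangul Jamo */
        (cp >= 0x2E80 && cp <= 0xA4CF) ||     /* CJK radicals .. Yi */
        (cp >= 0xAC00 && cp <= 0xD7A3) ||     /* Hangul syllables */
        (cp >= 0xF900 && cp <= 0xFAFF) ||     /* CJK compatibility ideographs */
        (cp >= 0xFF00 && cp <= 0xFF60) ||     /* fullwidth forms */
        (cp >= 0x20000 && cp <= 0x3FFFD))     /* supplementary ideographs */
        return 2;
    return 1;
}

static void term_init(term_t *t, int cols)
{
    memset(t, 0, sizeof *t);
    if (cols < 1) cols = 1;
    if (cols > MAX_COLS) cols = MAX_COLS;
    t->cols = cols;
}

/* Write one code point at the cursor and return the code point actually
   stored, so the caller can see whether substitution happened.
   - A wide character that can never fit (terminal narrower than 2 cells)
     becomes U+FFFD instead of tripping an "impossible" assertion.
   - A wide character that does not fit at the current cursor wraps first. */
static uint32_t term_put_char(term_t *t, uint32_t cp)
{
    int w = cell_width(cp);

    if (w > t->cols) {
        cp = REPLACEMENT_CHAR;      /* the 0.71 behaviour described above */
        w = 1;
    }
    if (t->cursor + w > t->cols) {
        /* not enough room on this line: simulate a line wrap */
        memset(t->cells, 0, sizeof t->cells);
        t->cursor = 0;
    }
    t->cells[t->cursor] = cp;
    if (w == 2)
        t->cells[t->cursor + 1] = 0; /* right half of the wide cell */
    t->cursor += w;
    return cp;
}

/* Experiment helpers: write U+4E2D (a CJK ideograph, constructed input) into
   a fresh terminal of the given width and report what happened. */
static uint32_t stored_after_wide_char(int cols)
{
    term_t t;
    term_init(&t, cols);
    return term_put_char(&t, 0x4E2Du);
}

static int cursor_after_wide_char(int cols)
{
    term_t t;
    term_init(&t, cols);
    term_put_char(&t, 0x4E2Du);
    return t.cursor;
}

int main(void)
{
    int cols;
    for (cols = 1; cols <= 3; cols++)
        printf("cols=%d stored=U+%04X cursor=%d\n", cols,
               stored_after_wide_char(cols), cursor_after_wide_char(cols));
    return 0;
}
```

The point of the check is ordering: the "can it ever fit" test runs before the wrap logic, because wrapping to a new line cannot help when no line is wide enough, and that is exactly the state an assertion would otherwise treat as unreachable.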

This vulnerability was found by Brian Carpenter, as part of a bug bounty programme run under the auspices of the EU-FOSSA project.

CVE ID CVE-2019-9897 has been assigned for the collection of terminal DoS attacks fixed in 0.71, including this, vuln-terminal-dos-combining-chars and vuln-terminal-dos-combining-chars-double-width-gtk.

(last revision of this bug record was at 2019-03-25 20:23:34 +0000)