PuTTY vulnerability vuln-terminal-dos-combining-chars-double-width-gtk

This is a mirror. Follow this link to find the primary PuTTY web site.

summary: DoS by terminal output involving combining characters, double-width text, an odd number of terminal columns, and GTK
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
absent-in: 0.57
fixed-in: daf91ef8ae9780bb1dfb534afa79e4babb89ba26 0.71

Up to and including version 0.70, the GTK front end to PuTTY's terminal emulator would fail an assertion in a corner case:

if the terminal width is an odd number of columns
and if you use an escape sequence such as ESC # 6 to make the whole line double-width, leaving an unusable odd character cell at the end of the line
and if you position the cursor on that final odd cell and try to display a Unicode character with at least one combining character.

All the conditions for this failure can be triggered by remote terminal output. (Remote-controlled resizing of the terminal window can be turned off in the Features config panel, but it's on by default.) So, if a malicious process is able to write escape sequences to your terminal, then they can terminate your entire PuTTY session uncleanly, making it impossible for you to even recover any important information from your terminal scrollback.

As of 0.71, this assertion failure is fixed. PuTTY will cleanly handle this case by not trying to display anything that confuses it.

This vulnerability was found by Brian Carpenter, as part of a bug bounty programme run under the auspices of the EU-FOSSA project.

CVE ID CVE-2019-9897 has been assigned for the collection of terminal DoS attacks fixed in 0.71, including this, vuln-terminal-dos-combining-chars and vuln-terminal-dos-one-column-cjk.

If you want to comment on this web site, see the Feedback page.

Audit trail for this vulnerability.

(last revision of this bug record was at 2019-03-25 20:23:34 +0000)