PuTTY vulnerability vuln-bracketed-paste-data-outside-brackets

This is a mirror. Follow this link to find the primary PuTTY web site.

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Pre-release · Snapshot | Docs | Privacy | Changes | Wishlist

summary: Vulnerability: bracketed paste data appears outside bracket sequences
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
absent-in: 0.71
present-in: 0.72
fixed-in: 0.73 2c279283cc695ade15bafb418a8207ef0edd89cd

PuTTY 0.72 introduced a bug in the terminal's handling of xterm bracketed paste mode, in which the two bracketing escape sequences could appear together, with the pasted data following them, instead of between them.

This is classed as a vulnerability because it's possible that some terminal applications might have been depending on the bracket sequences identfiying pasted data in order to prevent it from causing particular actions, so that a malicious clipboard writer could not invoke those actions.

However, if the application was only depending on the brackets to provide a hint about the semantics of the data (for example, pasting tab characters physically in an editor instead of treating them as invocations of an auto-indent command) then there need not be any security effect.

This bug was first reported by Axel Sander. It has been assigned CVE-2019-17068.


If you want to comment on this web site, see the Feedback page.
Audit trail for this vulnerability.
(last revision of this bug record was at 2020-01-11 15:06:43 +0000)