PuTTY vulnerability vuln-terminal-dos-combining-chars

This is a mirror. Follow this link to find the primary PuTTY web site.

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Snapshot | Docs | Changes | Wishlist

summary: DoS if many Unicode combining characters are written to the terminal
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
absent-in: 0.57
fixed-in: da1c8f15b1bc14c855f0027cf06ba7f1a9c36f3c 0.71

Up to and including version 0.70, PuTTY's terminal emulator supports remembering an unlimited number of combining characters in each character cell of the terminal. They may not be displayed very clearly, but PuTTY will at least try to display them, and will remember them for copy and paste purposes.

Unfortunately, this means that sending a long unbroken string of combining characters to the terminal causes it to allocate potentially unlimited amounts of memory. Moreover, the combining characters are stored as a linked list, leading to quadratic-time behaviour, so the terminal will slow down to the point of unusability as well.

In other words, any process that can arrange to write Unicode text output to your terminal – even if it consists of printable characters only – can perform a denial-of-service attack. This could be as simple as leaving a text file somewhere for you to cat.

As of 0.71, this is fixed by limiting each character cell to at most 32 combining characters. After that, the contents of the cell become U+FFFD REPLACEMENT CHARACTER with no combining characters at all.

CVE ID CVE-2019-9897 has been assigned for the collection of terminal DoS attacks fixed in 0.71, including this, vuln-terminal-dos-combining-chars-double-width-gtk and vuln-terminal-dos-one-column-cjk.


If you want to comment on this web site, see the Feedback page.
Audit trail for this vulnerability.
(last revision of this bug record was at 2019-03-24 11:38:13 +0000)