
Another Serious Security Hole in PuTTY, Fixed

Markaci writes "You may recall recently upgrading PuTTY. There is a new version, released 2004-10-26, which fixes a very similar security hole. The bug can allow servers that you think you can trust to execute code on the PuTTY client, even before you verify the host's key while connecting using SSH2. You can be attacked before you know that you have connected to the wrong machine. Upgrade to version 0.56 now."

  • by BortQ ( 468164 ) on Tuesday October 26, 2004 @07:53PM (#10636934) Homepage Journal
    The exploit works like this:

    When putty goes out over the web, if an attacker can find it then they can press a piece of newsprint against it. Putty will come away from this with some arbitrary instructions left inside. Scary.

    The solution is to always keep your putty inside its protective egg when in unknown territory.

  • Re:Amazing (Score:5, Funny)

    by kayen_telva ( 676872 ) on Tuesday October 26, 2004 @08:54PM (#10637443)
    he has a PHD in first posts
  • Re:Amazing (Score:1, Funny)

    by Anonymous Coward on Wednesday October 27, 2004 @01:25AM (#10639114)
    More likely the Dr. Frankenfurter / Rocky Horror Picture Show way.
  • Re:Amazing (Score:5, Funny)

    by Simon Tatham ( 66941 ) on Wednesday October 27, 2004 @06:55AM (#10640186) Homepage
    Sorry about that. I've found your patch in my mail archives (although I only see two copies of it, not five!). As far as I can tell, both times it turned up when I had so much mail to read that I simply didn't have time to read it all.

    Delegation of work would be nice, but it's very difficult to find anyone competent to vet patches the same way we do, with full appreciation of issues such as portability. At the end of the day, the core PuTTY team need to personally check anything that goes into the code base, to prevent obvious security holes (although this isn't a great time to mention that, I know :-) and to ensure the long-term health and maintainability of the code. Even the very best patches I've received still need work before they're usable.

    Your patches look mostly sensible. I'll respond in detail by email.
