PuTTY bug ssh1-disconnect-use-after-free

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Snapshot | Docs | Changes | Wishlist

summary: Use-after-free bug when processing SSH-1 disconnect message
class: bug: This is clearly an actual problem we want fixed.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
present-in: 0.72
fixed-in: 0.73 69201ad8936fe0ff1b8723b7a43accb5e9f1c888

If an SSH-1 server sends PuTTY a disconnection message (that is, message type 1, SSH_MSG_DISCONNECT), PuTTY would access an already-freed pointer to a linked list of packets in the course of handling it.

We don't know if this memory fault had any exploitable security impact. It is fixed in 0.73.

If you want to comment on this web site, see the Feedback page.
Audit trail for this bug.
(last revision of this bug record was at 2019-09-29 14:15:26 +0100)