PuTTY bug ssh1-disconnect-use-after-free

This is a mirror. Follow this link to find the primary PuTTY web site.

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Snapshot | Docs | Changes | Wishlist

summary: Use-after-free bug when processing SSH-1 disconnect message
class: bug: This is clearly an actual problem we want fixed.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
present-in: 0.72
fixed-in: 0.73 69201ad8936fe0ff1b8723b7a43accb5e9f1c888

If an SSH-1 server sends PuTTY a disconnection message (that is, message type 1, SSH_MSG_DISCONNECT), PuTTY would access an already-freed pointer to a linked list of packets in the course of handling it.

We don't know if this memory fault had any exploitable security impact. It has been assigned CVE-2019-17069. It is fixed in 0.73.


If you want to comment on this web site, see the Feedback page.
Audit trail for this bug.
(last revision of this bug record was at 2020-01-11 15:06:43 +0000)