Skip to content
Commits on Feb 29, 2016
  1. @sgtatham

    Fix an out-of-bounds read in fgetline().

    Forgot that a zero-length string might have come back from fgets.
    Thanks to Hanno Böck for spotting this, with the aid of AFL.
    (cherry picked from commit 5815d6a)
    sgtatham committed Nov 10, 2015
  2. @sgtatham

    Fix a segfault in parsing OpenSSH private key files.

    The initial test for a line ending with "PRIVATE KEY-----" failed to
    take into account the possibility that the line might be shorter than
    that. Fixed by introducing a new library function strendswith(), and
    strstartswith() for good measure, and using that.
    Thanks to Hanno Böck for spotting this, with the aid of AFL.
    (cherry picked from commit fa7b23c)
    (cherry-picker's note: the conflicts were only due to other functions
    introduced on trunk just next to the ones introduced by this commit)
    sgtatham committed Feb 25, 2016
  3. @sgtatham

    Rationalise and document log options somewhat.

    TOOLTYPE_NONNETWORK (i.e. pterm) already has "-log" (as does Unix
    PuTTY), so there's no sense suppressing the synonym "-sessionlog".
    Undocumented lacunae that remain:
    plink accepts -sessionlog, but does nothing with it. Arguably it should.
    puttytel accepts -sshlog/-sshrawlog (and happily logs e.g. Telnet
    negotiation, as does PuTTY proper).
    (cherry picked from commit a454399)
    (cherry-picker's notes: the conflict was only contextual, in the Plink
    help output)
    Jacob Nevins committed with sgtatham Nov 8, 2015
  4. @sgtatham

    More post-release checklist updates, and a new script.

    I've added a few sample shell commands in the upload procedure (mostly
    so that I don't have to faff about remembering how rsync trailing
    slashes work every time), and also written a script called
    '', which automates the updating of the version number in
    all the various places it needs to be done and also ensures the PSCP
    and Plink transcripts in the docs will match the release itself.
    (cherry picked from commit f3230c8)
    sgtatham committed Nov 7, 2015
  5. @sgtatham

    One small post-release checklist tweak.

    I spotted that I've been checking that old-style Windows Help files
    were delivered with content-type "application/octet-stream", but not
    also checking the same thing about the marginally newer .CHM ones. (Or
    at least not writing it down in the wishlist; I think I did actually
    check on at least one occasion.)
    (cherry picked from commit 3552f37)
    sgtatham committed Nov 7, 2015
  6. @sgtatham

    Post-0.66 release checklist updates.

    The one-off reminder to finish the key rollover is now done, so I can
    remove it.
    (cherry picked from commit 503061e)
    sgtatham committed Nov 7, 2015
  7. @bjh21 @sgtatham

    bignum_set_bit: Don't abort if asked to clear an inaccessible bit

    All those bits are clear anyway.
    Bug found with the help of afl-fuzz.
    (cherry picked from commit 4f34059)
    bjh21 committed with sgtatham Oct 11, 2015
Commits on Jan 24, 2016
Commits on Jan 23, 2016
Commits on Jan 1, 2016
  1. Merge pull request #231 from vovcacik/master

    Add usage instructions link to the README.
    committed Jan 1, 2016
  2. @vovcacik
Commits on Dec 13, 2015
  1. Merge tag '0.66'

    committed Dec 13, 2015
Commits on Nov 7, 2015
  1. @sgtatham
  2. @sgtatham

    Document the new session-logging command line options.

    If I'm going to announce them as a feature in 0.66, it would be
    embarrassing to forget to mention them in the documentation.
    sgtatham committed Nov 7, 2015
Commits on Oct 29, 2015
  1. PuTTYgen's default hasn't been 1024 bits since 0.63.

    (cherry picked from commit 9f9d72e)
    Jacob Nevins committed Oct 22, 2015
  2. @sgtatham

    Fix winhandl.c's failure to ever free a foreign handle.

    Handles managed by winhandl.c have a 'busy' flag, which is used to
    mean two things: (a) is a subthread currently blocked on this handle
    so various operations in the main thread have to be deferred until it
    finishes? And (b) is this handle currently one that should be returned
    to the main loop to be waited for?
    For HT_INPUT and HT_OUTPUT, those things are either both true or both
    false, so a single flag covering both of them is fine. But HT_FOREIGN
    handles have the property that they should always be waited for in the
    main loop, but no subthread is blocked on them. The latter means that
    operations done on them in the main thread should not be deferred; the
    only such operation is cleaning them up in handle_free().
    handle_free() was failing to spot this, and was deferring freeing
    HT_FOREIGN handles until their subthread terminated - which of course
    never happened. As a result, when a named pipe server was closed, its
    actual Windows event object got destroyed, but winhandl.c still kept
    passing it back to the main thread, leading to a tight loop because
    MsgWaitForMultipleObjects would return ERROR_INVALID_HANDLE and never
    (cherry picked from commit 431f8db)
    sgtatham committed with Jacob Nevins Sep 25, 2015
  3. @sgtatham

    Add a FAQ for 'checksum mismatch' reports.

    The aim is to try to reduce the incidence of the two least helpful
    classes of those reports: the ones which have just got mismatched
    checksum files, and the ones which don't tell us the information that
    would help.
    (cherry picked from commit 8ff3b22)
    sgtatham committed with Jacob Nevins Aug 9, 2015
Commits on Oct 27, 2015
  1. @bjh21

    Check the x argument to check_boundary() more carefully.

    This is a minimal fix for CVE-2015-5309, and while it's probably
    unnecessary now, it seems worth committing for defence in depth and to
    give downstreams something reasonably non-intrusive to cherry-pick.
    bjh21 committed Oct 13, 2015
  2. @bjh21

    More robust control sequence parameter handling.

    Parameters are now accumulated in unsigned integers and carefully checked
    for overflow (which is turned into saturation).  Things that consume them
    now have explicit range checks (again, saturating) to ensure that their
    inputs are sane.  This should make it much harder to cause overflow by
    supplying ludicrously large numbers.
    Fixes two bugs found with the help of afl-fuzz.  One of them may be
    exploitable and is CVE-2015-5309.
    bjh21 committed Oct 7, 2015
Commits on Oct 24, 2015
  1. @bjh21

    Handle packets with no type byte by returning SSH_MSG_UNIMPLEMENTED.

    The previous assertion failure is obviously wrong, but RFC 4253 doesn't
    explicitly declare them to be a protocol error.  Currently, the incoming
    packet isn't logged, which might cause some confusion for log parsers.
    Bug found with the help of afl-fuzz.
    bjh21 committed Oct 17, 2015
  2. @bjh21

    When checking for an existing log, store the FILE * in a local variable.

    It's not used outside logfopen, and leaving an infalid file pointer
    lying around in the log context caused a segfault if the user
    cancelled logging.
    Bug found by afl-fuzz before it had even started fuzzing.
    bjh21 committed Oct 17, 2015
  3. @bjh21

    rsa2_pubkey_bits: Cope correctly with a NULL return from rsa2_newkey()

    Dereferencing it is not correct.
    Bug found with the help of afl-fuzz.
    bjh21 committed Oct 10, 2015
Commits on Oct 17, 2015
  1. @codesquid @sgtatham

    Fix a format string vulnerability if MALLOC_LOG is set.

    (cherry picked from commit e443fd3)
    codesquid committed with sgtatham May 1, 2015
  2. @codesquid @sgtatham

    Fix format string vulnerabilities.

    Reported by Jong-Gwon Kim. Also fixes a few memory leaks in the
    (cherry picked from commit 6a70f94)
    codesquid committed with sgtatham May 1, 2015
  3. @sgtatham

    Sanitise bad characters in log file names.

    On Windows, colons are illegal in filenames, because they're part of
    the path syntax. But colons can appear in automatically constructed
    log file names, if an IPv6 address is expanded from the &H placeholder.
    Now we coerce any such illegal characters to '.', which is a bit of a
    bodge but should at least cause a log file to be generated.
    (cherry picked from commit 64ec5e0)
    sgtatham committed Sep 25, 2015
  4. @sgtatham

    Shout more loudly if we can't open a log file.

    A user points out that logging fopen failures to the Event Log is a
    bit obscure, and it's possible to proceed for months in the assumption
    that your sessions are being correctly logged when in fact the
    partition was full or you were aiming them at the wrong directory. Now
    we produce output visibly in the PuTTY window.
    (cherry picked from commit e162810)
    sgtatham committed Sep 25, 2015
  5. @sgtatham

    Command-line options to log sessions.

    Log files, especially SSH packet logs, are often things you want to
    generate in unusual circumstances, so it's good to have lots of ways
    to ask for them. Particularly, it's especially painful to have to set
    up a custom saved session to get diagnostics out of the command-line
    I've added options '-sessionlog', '-sshlog' and '-sshrawlog', each of
    which takes a filename argument. I think the fourth option (session
    output but filtered down to the printable subset) is not really a
    _debugging_ log in the same sense, so it's not as critical to have an
    option for it.
    (cherry picked from commit 13edf90)
    sgtatham committed Sep 24, 2015
  6. @sgtatham

    Fix spurious EAGAIN in Plink host key (and other) prompts.

    Plink sets standard input into nonblocking mode, meaning that read()
    from fd 0 in an interactive context will typically return -1 EAGAIN.
    But the prompt functions in uxcons.c, used for verifying SSH host keys
    and suchlike, were doing an unguarded read() from fd 0, and then
    panicking and aborting the session when they got EAGAIN.
    Fixed by inventing a wrapper around read(2) which handles EAGAIN but
    passes all other errors back to the caller. (Seemed slightly less
    dangerous than the stateful alternative of temporarily re-blockifying
    the file descriptor.)
    (cherry picked from commit bea758a)
    Cherry-picker's notes: the conflict was a trivial one. The new
    function block_and_read() by this commit appears just before
    verify_ssh_host_key(), which has a new prototype on the source branch,
    close enough to disrupt the patch hunk's context. Easily fixed.
    sgtatham committed Oct 17, 2015
  7. @sgtatham

    Key rollover: fix the .htaccess files built by Buildscr.

    The build script generates the .htaccess files that go in each
    individual build and redirect generic names like 'putty.tar.gz' to the
    real filenames including that build's version number. Those .htaccess
    files redirect the corresponding signatures as well, so they need
    updating now that we're generating signature files with a different
    (cherry picked from commit 6744387)
    sgtatham committed Sep 3, 2015
  8. @sgtatham

    Key rollover: cut and paste errors in pgpkeys.but.

    What should have been links to the old DSA keys were actually a second
    copy of the links to the old RSA ones. Ahem.
    (cherry picked from commit b62af0f)
    sgtatham committed Sep 3, 2015
  9. @sgtatham

    Key rollover: add a checklist item for the Download page.

    Next time I do a release, I'll have to remember to adjust the download
    page links to the GPG signature files.
    (cherry picked from commit 7524da6)
    sgtatham committed Sep 2, 2015
Something went wrong with that request. Please try again.