Allele Security Alert
Malicious clipboard content injection in bracketed paste mode
PuTTY version 0.72
PuTTY version 0.73
Proof of concept
In the PuTTY terminal, bracketed paste mode was broken in 0.72, in a way that made the pasted data look like manual keyboard input. So any application relying on the bracketing sequences to protect against malicious clipboard contents would have been misled.
The redesign in commit 9fccb065a arranged that all keystroke data goes via term_keyinput_internal(), which calls term_bracketed_paste_stop() just in case the keystroke had interrupted an in-progress paste.
Pasted data also goes via term_keyinput_internal(), and bracketed paste mode certainly should not be terminated before that data is sent. The redesign should have made the call to term_bracketed_paste_stop() conditional on the ‘interactive’ flag parameter, which exists precisely to tell pastes apart from true keyboard input.
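The ordering problem described above, reduced to a small C model. This is an added example, not PuTTY's source: `Model`, `emit`, `paste_stop`, `keyinput`, `model_paste` and `is_bracketed` are hypothetical names, and the clipboard text is constructed. It compares what the application receives under the 0.72 logic and under the 0.73 fix, using the standard bracketed-paste markers ESC[200~ and ESC[201~.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define PASTE_START "\033[200~"
#define PASTE_END   "\033[201~"

typedef struct {          /* simplified model, not PuTTY's real structures */
    bool paste_active;    /* a bracketed paste is in progress */
    bool fixed;           /* false: 0.72 behaviour, true: 0.73 behaviour */
    char out[256];        /* bytes delivered to the remote application */
} Model;

static void emit(Model *m, const char *s) { strncat(m->out, s, sizeof m->out - strlen(m->out) - 1); }
static void paste_stop(Model *m) {   /* plays the role of term_bracketed_paste_stop() */
    if (m->paste_active) emit(m, PASTE_END);
    m->paste_active = false;
}

/* Plays the role of term_keyinput_internal(); interactive is false for pastes. */
static void keyinput(Model *m, const char *data, bool interactive) {
    if (!m->fixed || interactive)   /* 0.72 ended the paste unconditionally */
        paste_stop(m);
    emit(m, data);
}

/* Paste with bracketed paste mode on; returns what the application receives. */
const char *model_paste(Model *m, const char *clip) {
    m->out[0] = '\0';
    emit(m, PASTE_START);
    m->paste_active = true;
    keyinput(m, clip, false);
    paste_stop(m);
    return m->out;
}

/* Receiver-side check: does the clipboard text sit between the two markers? */
bool is_bracketed(const char *stream, const char *clip) {
    const char *s = strstr(stream, PASTE_START), *e = strstr(stream, PASTE_END);
    const char *d = strstr(stream, clip);
    return s && d && e && s < d && d < e;
}

int main(void) {
    const char *clip = "echo pasted\n";   /* constructed sample clipboard text */
    Model old = { .fixed = false }, fix = { .fixed = true };
    printf("0.72 model bracketed: %d\n", is_bracketed(model_paste(&old, clip), clip));
    printf("0.73 model bracketed: %d\n", is_bracketed(model_paste(&fix, clip), clip));
    return 0;
}
```

In the 0.72 model the end marker is emitted before the pasted bytes, so the application sees an empty bracketed region followed by data that is indistinguishable from typed input.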
PuTTY 0.73 is released
Download PuTTY: release 0.73
Don’t call term_bracketed_paste_stop before pasted data.
Rework handling of the SRM escape sequence.
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: October 6, 2019