PuTTY bug trust-sigil-ssh1-rlogin

This is a mirror. Follow this link to find the primary PuTTY web site.

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Pre-release · Snapshot | Docs | Privacy | Changes | Wishlist

summary: Terminal window 'trust sigils' never turned off in SSH-1 or Rlogin
class: bug: This is clearly an actual problem we want fixed.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
present-in: 0.71
fixed-in: 128d001c3eebae15fe97fc18dc48d8939ae72e98 (0.72)

In 0.71, the fix for vuln-auth-prompt-spoofing added 'trust sigils' -- PuTTY icons at the start of locally generated lines -- to distinguish them from data sent by the server.

In both the SSH-1 and Rlogin protocols, these trust sigils were accidentally not turned off at the end of authentication, so that all data throughout the session was tagged with a trust sigil.

As well as removing the useful distinction between trusted and untrusted output, this also meant that 3 columns of the terminal were unusable, which would have caused formatting issues in many applications.

(The commonly used SSH-2 protocol is not affected, only the obsolete SSH-1 protocol that is rarely used. In PuTTY 0.68 and later, we no longer support automatic fallback to SSH-1 from SSH-2, so any saved session configured to the default of SSH-2 will not suffer from this issue.)


If you want to comment on this web site, see the Feedback page.
Audit trail for this bug.
(last revision of this bug record was at 2019-07-20 07:44:55 +0100)