simon-git: putty-wishlist (main): Simon Tatham

Commits to Tartarus hosted VCS tartarus-commits at lists.tartarus.org
Fri May 22 11:23:56 BST 2026 

TL;DR:
  eac76a1 Write up the ECDSA assertion failure 'vulnerability'.
  7433278 Retrospectively call proxied-Telnet trust sigil bug a vuln.
  4a3d1a4 Write up rsakex-double-free.

Repository:     https://git.tartarus.org/simon/putty-wishlist.git
On the web:     https://git.tartarus.org/?p=simon/putty-wishlist.git
Branch updated: main
Committer:      Simon Tatham <anakin at pobox.com>
Date:           2026-05-22 11:23:56

commit eac76a1a5b284defa8c6303fd339ad5f2110c067
web diff https://git.tartarus.org/?p=simon/putty-wishlist.git;a=commitdiff;h=eac76a1a5b284defa8c6303fd339ad5f2110c067;hp=fccd6e3a4909f96122029f662256a6a7fd76c2f8
Author: Simon Tatham <anakin at pobox.com>
Date:   Fri Apr 17 14:08:37 2026 +0100

    Write up the ECDSA assertion failure 'vulnerability'.
    
    It was tempting to classify this as another 'not really a vuln',
    because the impact is so minor. But due to the outside chance of
    losing scrollback, and the fact that it can be triggered on purpose by
    someone who isn't either of the legitimate parties to the connection,
    I think I have to count it as 'yes a vuln, but a very very small one'.

 data/ecdsa-remotely-triggerable-assertion | 56 +++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)

commit 74332785aa520c4b5cbf9342393bfa5541d1831c
web diff https://git.tartarus.org/?p=simon/putty-wishlist.git;a=commitdiff;h=74332785aa520c4b5cbf9342393bfa5541d1831c;hp=eac76a1a5b284defa8c6303fd339ad5f2110c067
Author: Simon Tatham <anakin at pobox.com>
Date:   Sat Apr 18 10:16:12 2026 +0100

    Retrospectively call proxied-Telnet trust sigil bug a vuln.
    
    Going through the git log between 0.83 and 0.84, I found this one
    again, and decided that if ecdsa-remotely-triggerable-assertion counts
    as a vuln, then this does too. This is apparently going to be a
    release that fixes nugatory vulnerabilities, and now we have two of
    them.

 data/telnet-trust-sigil | 55 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)

commit 4a3d1a45f620a30c5613946f8963ada797985e78
web diff https://git.tartarus.org/?p=simon/putty-wishlist.git;a=commitdiff;h=4a3d1a45f620a30c5613946f8963ada797985e78;hp=74332785aa520c4b5cbf9342393bfa5541d1831c
Author: Simon Tatham <anakin at pobox.com>
Date:   Fri May 22 10:26:40 2026 +0100

    Write up rsakex-double-free.

 data/rsakex-double-free | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

More information about the tartarus-commits mailing list