Bug 794508 (CVE-2021-33500)

Summary:	<net-misc/putty-0.75: potential GUI DoS with rapid title changes (CVE-2021-33500)
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	polynomial-c
Priority:	Normal	Flags:	nattka: sanity-check-
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://docs.ssh-mitm.at/puttydos.html
Whiteboard:	B3 [noglsa]
Package list:	net-misc/putty-0.75	Runtime testing required:	---

Description John Helmert III archtester

2021-06-06 04:06:21 UTC

CVE-2021-33500:

PuTTY before 0.75 on Windows allows remote servers to cause a denial of service (Windows GUI hang) by telling the PuTTY window to change its title repeatedly at high speed, which results in many SetWindowTextA or SetWindowTextW calls. NOTE: the same attack methodology may affect some OS-level GUIs on Linux or other platforms for similar reasons.


Bit of a silly vulnerability but we might as well stable in a few days anyway.

Comment 1 Sam James archtester

2021-06-06 23:18:23 UTC

amd64 done

Comment 2 Sam James archtester

2021-06-06 23:18:55 UTC

x86 done

Comment 3 Agostino Sarubbo gentoo-dev

2021-06-07 13:19:49 UTC

sparc stable

Comment 4 Agostino Sarubbo gentoo-dev

2021-06-08 06:59:27 UTC

ppc stable

Comment 5 Agostino Sarubbo gentoo-dev

2021-06-09 06:24:45 UTC

ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 6 NATTkA bot gentoo-dev

2021-07-26 07:00:26 UTC

Unable to check for sanity:

> no match for package: net-misc/putty-0.75

Comment 7 John Helmert III archtester

2021-08-08 01:50:57 UTC

As I said, silly vulnerability, no need for a GLSA, closing.