[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#988962: buster-pu: package rxvt-unicode/9.22-6+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: rak@debian.org

[ Reason ]

Disables the ESC G Q escape sequence, which could cause the command '0'
to be executed. This addresses:

https://security-tracker.debian.org/tracker/CVE-2021-33477

[ Tests ]

None. Manually confirmed (against unstable) that the patch works.

[ Risks ]

Trivial fix cherry-picked from upstream VCS. Original commit from 2019.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

* Add patch to disable ESC G Q
* Set the git branch to debian/buster

[ Other info ]

Cf. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988925

-- 
|)|/  Ryan Kavanagh      | GPG: 4E46 9519 ED67 7734 268F
|\|\  https://rak.ac     |      BD95 8F7B F8FC 4A11 C97A
diff --git c/debian/changelog w/debian/changelog
index 4604560..fd7fd58 100644
--- c/debian/changelog
+++ w/debian/changelog
@@ -1,3 +1,11 @@
+rxvt-unicode (9.22-6+deb10u1) buster; urgency=medium
+
+  * Disable ESC G Q escape sequence, 20_disable_escape_sequence.diff
+    (Closes: #988763, CVE-2021-33477)
+  * Set git branch to debian/buster
+
+ -- Ryan Kavanagh <rak@debian.org>  Fri, 21 May 2021 17:18:00 -0400
+
 rxvt-unicode (9.22-6) unstable; urgency=medium
 
   * Revert the 24bit colour patch. Though no issues seem to arise when using
diff --git c/debian/control w/debian/control
index 4690df26..c2e9549 100644
--- c/debian/control
+++ w/debian/control
@@ -19,7 +19,7 @@ Build-Depends: debhelper (>= 11),
 Rules-Requires-Root: binary-targets
 Standards-Version: 4.3.0
 Homepage: http://software.schmorp.de/pkg/rxvt-unicode.html
-Vcs-Git: https://salsa.debian.org/debian/rxvt-unicode.git -b debian/sid
+Vcs-Git: https://salsa.debian.org/debian/rxvt-unicode.git -b debian/buster
 Vcs-Browser: https://salsa.debian.org/debian/rxvt-unicode
 
 Package: rxvt-unicode
diff --git c/debian/gbp.conf w/debian/gbp.conf
index ae1dc36..6717c9a 100644
--- c/debian/gbp.conf
+++ w/debian/gbp.conf
@@ -1,6 +1,6 @@
 [DEFAULT]
 upstream-branch = upstream
-debian-branch = master
+debian-branch = debian/buster
 upstream-tag = upstream/%(version)s
 debian-tag = debian/%(version)s
 pristine-tar = True
diff --git c/debian/patches/20_disable_escape_sequence.diff w/debian/patches/20_disable_escape_sequence.diff
new file mode 100644
index 0000000..12245f2
--- /dev/null
+++ w/debian/patches/20_disable_escape_sequence.diff
@@ -0,0 +1,25 @@
+Description: disable ESC G Q escape sequence
+Origin: http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.584&r2=1.585
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988763
+Last-Update: 2021-05-21
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: rxvt-unicode/src/command.C
+===================================================================
+--- rxvt-unicode.orig/src/command.C	2019-02-07 15:12:08.000000000 -0500
++++ rxvt-unicode/src/command.C	2021-05-21 10:45:22.522127101 -0400
+@@ -2722,12 +2722,14 @@
+         }
+         break;
+ 
++#if 0 // disabled because embedded newlines can make exploits easier
+         /* kidnapped escape sequence: Should be 8.3.48 */
+       case C1_ESA:		/* ESC G */
+         // used by original rxvt for rob nations own graphics mode
+         if (cmd_getc () == 'Q')
+           tt_printf ("\033G0\012");	/* query graphics - no graphics */
+         break;
++#endif
+ 
+         /* 8.3.63: CHARACTER TABULATION SET */
+       case C1_HTS:		/* ESC H */
diff --git c/debian/patches/series w/debian/patches/series
index 03471d7..8a2f59f 100644
--- c/debian/patches/series
+++ w/debian/patches/series
@@ -9,3 +9,4 @@
 16_no_terminfo.diff
 17_unsafe_man.diff
 18_expand_urxvt-tabbed.1.diff
+20_disable_escape_sequence.diff

Attachment: signature.asc
Description: PGP signature


Reply to: