Package: release.debian.org Severity: normal Tags: buster User: release.debian.org@packages.debian.org Usertags: pu X-Debbugs-Cc: rak@debian.org [ Reason ] Disables the ESC G Q escape sequence, which could cause the command '0' to be executed. This addresses: https://security-tracker.debian.org/tracker/CVE-2021-33477 [ Tests ] None. Manually confirmed (against unstable) that the patch works. [ Risks ] Trivial fix cherry-picked from upstream VCS. Original commit from 2019. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] * Add patch to disable ESC G Q * Set the git branch to debian/buster [ Other info ] Cf. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988925 -- |)|/ Ryan Kavanagh | GPG: 4E46 9519 ED67 7734 268F |\|\ https://rak.ac | BD95 8F7B F8FC 4A11 C97A
diff --git c/debian/changelog w/debian/changelog
index 4604560..fd7fd58 100644
--- c/debian/changelog
+++ w/debian/changelog
@@ -1,3 +1,11 @@
+rxvt-unicode (9.22-6+deb10u1) buster; urgency=medium
+
+ * Disable ESC G Q escape sequence, 20_disable_escape_sequence.diff
+ (Closes: #988763, CVE-2021-33477)
+ * Set git branch to debian/buster
+
+ -- Ryan Kavanagh <rak@debian.org> Fri, 21 May 2021 17:18:00 -0400
+
rxvt-unicode (9.22-6) unstable; urgency=medium
* Revert the 24bit colour patch. Though no issues seem to arise when using
diff --git c/debian/control w/debian/control
index 4690df26..c2e9549 100644
--- c/debian/control
+++ w/debian/control
@@ -19,7 +19,7 @@ Build-Depends: debhelper (>= 11),
Rules-Requires-Root: binary-targets
Standards-Version: 4.3.0
Homepage: http://software.schmorp.de/pkg/rxvt-unicode.html
-Vcs-Git: https://salsa.debian.org/debian/rxvt-unicode.git -b debian/sid
+Vcs-Git: https://salsa.debian.org/debian/rxvt-unicode.git -b debian/buster
Vcs-Browser: https://salsa.debian.org/debian/rxvt-unicode
Package: rxvt-unicode
diff --git c/debian/gbp.conf w/debian/gbp.conf
index ae1dc36..6717c9a 100644
--- c/debian/gbp.conf
+++ w/debian/gbp.conf
@@ -1,6 +1,6 @@
[DEFAULT]
upstream-branch = upstream
-debian-branch = master
+debian-branch = debian/buster
upstream-tag = upstream/%(version)s
debian-tag = debian/%(version)s
pristine-tar = True
diff --git c/debian/patches/20_disable_escape_sequence.diff w/debian/patches/20_disable_escape_sequence.diff
new file mode 100644
index 0000000..12245f2
--- /dev/null
+++ w/debian/patches/20_disable_escape_sequence.diff
@@ -0,0 +1,25 @@
+Description: disable ESC G Q escape sequence
+Origin: http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.584&r2=1.585
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988763
+Last-Update: 2021-05-21
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: rxvt-unicode/src/command.C
+===================================================================
+--- rxvt-unicode.orig/src/command.C 2019-02-07 15:12:08.000000000 -0500
++++ rxvt-unicode/src/command.C 2021-05-21 10:45:22.522127101 -0400
+@@ -2722,12 +2722,14 @@
+ }
+ break;
+
++#if 0 // disabled because embedded newlines can make exploits easier
+ /* kidnapped escape sequence: Should be 8.3.48 */
+ case C1_ESA: /* ESC G */
+ // used by original rxvt for rob nations own graphics mode
+ if (cmd_getc () == 'Q')
+ tt_printf ("\033G0\012"); /* query graphics - no graphics */
+ break;
++#endif
+
+ /* 8.3.63: CHARACTER TABULATION SET */
+ case C1_HTS: /* ESC H */
diff --git c/debian/patches/series w/debian/patches/series
index 03471d7..8a2f59f 100644
--- c/debian/patches/series
+++ w/debian/patches/series
@@ -9,3 +9,4 @@
16_no_terminfo.diff
17_unsafe_man.diff
18_expand_urxvt-tabbed.1.diff
+20_disable_escape_sequence.diff
Attachment:
signature.asc
Description: PGP signature