Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: rak@debian.org

[ Reason ]
Disables the ESC G Q escape sequence, which could cause the command '0'
to be executed. This addresses:
https://security-tracker.debian.org/tracker/CVE-2021-33477

[ Tests ]
None. Manually confirmed (against unstable) that the patch works.

[ Risks ]
Trivial fix cherry-picked from upstream VCS. Original commit from 2019.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
  * Add patch to disable ESC G Q
  * Set the git branch to debian/buster

[ Other info ]
Cf. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988925

-- 
|)|/ Ryan Kavanagh   | GPG: 4E46 9519 ED67 7734 268F
|\|\ https://rak.ac  |      BD95 8F7B F8FC 4A11 C97A
diff --git c/debian/changelog w/debian/changelog index 4604560..fd7fd58 100644 --- c/debian/changelog +++ w/debian/changelog @@ -1,3 +1,11 @@ +rxvt-unicode (9.22-6+deb10u1) buster; urgency=medium + + * Disable ESC G Q escape sequence, 20_disable_escape_sequence.diff + (Closes: #988763, CVE-2021-33477) + * Set git branch to debian/buster + + -- Ryan Kavanagh <rak@debian.org> Fri, 21 May 2021 17:18:00 -0400 + rxvt-unicode (9.22-6) unstable; urgency=medium * Revert the 24bit colour patch. Though no issues seem to arise when using diff --git c/debian/control w/debian/control index 4690df26..c2e9549 100644 --- c/debian/control +++ w/debian/control @@ -19,7 +19,7 @@ Build-Depends: debhelper (>= 11), Rules-Requires-Root: binary-targets Standards-Version: 4.3.0 Homepage: http://software.schmorp.de/pkg/rxvt-unicode.html -Vcs-Git: https://salsa.debian.org/debian/rxvt-unicode.git -b debian/sid +Vcs-Git: https://salsa.debian.org/debian/rxvt-unicode.git -b debian/buster Vcs-Browser: https://salsa.debian.org/debian/rxvt-unicode Package: rxvt-unicode diff --git c/debian/gbp.conf w/debian/gbp.conf index ae1dc36..6717c9a 100644 --- c/debian/gbp.conf +++ w/debian/gbp.conf @@ -1,6 +1,6 @@ [DEFAULT] upstream-branch = upstream -debian-branch = master +debian-branch = debian/buster upstream-tag = upstream/%(version)s debian-tag = debian/%(version)s pristine-tar = True diff --git c/debian/patches/20_disable_escape_sequence.diff w/debian/patches/20_disable_escape_sequence.diff new file mode 100644 index 0000000..12245f2 --- /dev/null +++ w/debian/patches/20_disable_escape_sequence.diff 
@@ -0,0 +1,25 @@ +Description: disable ESC G Q escape sequence +Origin: http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.584&r2=1.585 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988763 +Last-Update: 2021-05-21 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: rxvt-unicode/src/command.C +=================================================================== +--- rxvt-unicode.orig/src/command.C 2019-02-07 15:12:08.000000000 -0500 ++++ rxvt-unicode/src/command.C 2021-05-21 10:45:22.522127101 -0400 +@@ -2722,12 +2722,14 @@ + } + break; + ++#if 0 // disabled because embedded newlines can make exploits easier + /* kidnapped escape sequence: Should be 8.3.48 */ + case C1_ESA: /* ESC G */ + // used by original rxvt for rob nations own graphics mode + if (cmd_getc () == 'Q') + tt_printf ("\033G0\012"); /* query graphics - no graphics */ + break; ++#endif + + /* 8.3.63: CHARACTER TABULATION SET */ + case C1_HTS: /* ESC H */ diff --git c/debian/patches/series w/debian/patches/series index 03471d7..8a2f59f 100644 --- c/debian/patches/series +++ w/debian/patches/series @@ -9,3 +9,4 @@ 16_no_terminfo.diff 17_unsafe_man.diff 18_expand_urxvt-tabbed.1.diff +20_disable_escape_sequence.diff
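Review bot: in the command.C hunk of 20_disable_escape_sequence.diff, the `#if 0` block removes not only the `tt_printf ("\033G0\012")` reply but also the `cmd_getc ()` call that consumed the byte after ESC G, so that byte is no longer swallowed by this case; this is exactly what the upstream r1.584 to r1.585 change in the Origin field does, but one sentence in the DEP-3 Description saying that ESC G is now left unhandled (rather than answered with an empty reply) would spare the next maintainer from checking upstream. Two header nits: the line `This patch header follows DEP-3: http://dep.debian.net/deps/dep3/` below the `---` separator is quilt's template text and can be dropped, and since the cover letter says the commit is cherry-picked from upstream VCS, an `Applied-Upstream:` field next to `Origin:` would record that for the buster-to-bullseye comparison.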
Attachment:
signature.asc
Description: PGP signature
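To make concrete why the removed `case C1_ESA` matters, here is an added example (not code from the bug report, Debian, or rxvt-unicode) that models the pre-patch and post-patch handling of the two-byte ESC G sequence shown in the hunk, and pairs it with the defensive check a log viewer or pager would want: locating the ESC G Q query in untrusted bytes and rendering control bytes visibly so a terminal displays them instead of interpreting them. The sample input line is constructed for the example, and the names `simulate_rxvt_reply`, `find_rxvt_graphics_queries` and `neutralize_escapes` are this example's own.

```python
import re

ESC = b"\x1b"
# The query sequence the rxvt-unicode hunk stops answering: ESC G followed by 'Q'.
RXVT_GRAPHICS_QUERY = ESC + b"GQ"
# The pre-patch reply from the hunk: tt_printf ("\033G0\012"), i.e. ESC G '0' newline.
PREPATCH_REPLY = ESC + b"G0\n"


def simulate_rxvt_reply(data: bytes, patched: bool) -> bytes:
    """Model of the ESC G handling in command.C, before and after the patch.

    The terminal writes its reply to the same channel as keyboard input, so whatever
    it returns reaches the foreground program as if typed. Before the patch, the
    bytes after ESC G are consumed and 'Q' triggers a reply ending in "0\\n"; after
    the patch the case is compiled out (#if 0), so no reply is ever generated.
    """
    if patched:
        return b""
    reply = bytearray()
    i = 0
    while i < len(data):
        if data[i:i + 2] == ESC + b"G":
            # Pre-patch code called cmd_getc() once more and compared it to 'Q'.
            if i + 2 < len(data) and data[i + 2:i + 3] == b"Q":
                reply += PREPATCH_REPLY
            i += 3  # ESC, 'G' and the consumed third byte
        else:
            i += 1
    return bytes(reply)


def find_rxvt_graphics_queries(data: bytes) -> list:
    """Return the byte offsets of every ESC G Q sequence in untrusted data."""
    return [m.start() for m in re.finditer(re.escape(RXVT_GRAPHICS_QUERY), data)]


def neutralize_escapes(data: bytes) -> bytes:
    """Caret-encode ESC and other C0 control bytes so a terminal shows them.

    Newline, carriage return and tab are kept, since they carry layout rather
    than terminal commands; everything else below 0x20, plus DEL, becomes '^X'.
    """
    out = bytearray()
    for b in data:
        if b == 0x1B:
            out += b"^["
        elif b < 0x20 and b not in (0x09, 0x0A, 0x0D):
            out += b"^" + bytes([b + 0x40])
        elif b == 0x7F:
            out += b"^?"
        else:
            out.append(b)
    return bytes(out)


# Constructed sample: a request line as it might appear in a log file that someone
# later views in a terminal, with the query sequence embedded in the middle.
SAMPLE = b"GET /index.html HTTP/1.1 \x1bGQ user-agent: probe\n"

if __name__ == "__main__":
    print("offsets:", find_rxvt_graphics_queries(SAMPLE))
    print("pre-patch reply:", simulate_rxvt_reply(SAMPLE, patched=False))
    print("post-patch reply:", simulate_rxvt_reply(SAMPLE, patched=True))
    print("safe to display:", neutralize_escapes(SAMPLE))
```

The point the model makes is that the dangerous part is the reply, not the query: before the patch the terminal itself injects `0` followed by a newline into the input stream of whatever is running, so the mitigation on the terminal side is to stop answering, and the mitigation on the viewer side is to never pass raw ESC bytes from untrusted content to the terminal.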