[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#988962: marked as done (buster-pu: package rxvt-unicode/9.22-6+deb10u1)

Your message dated Sat, 19 Jun 2021 10:56:39 +0100
with message-id <5c65c3ad2ac9b1b1f78bf73b1cf073041e619b51.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 10.10 point release
has caused the Debian Bug report #988962,
regarding buster-pu: package rxvt-unicode/9.22-6+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
988962: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988962
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: rak@debian.org

[ Reason ]

Disables the ESC G Q escape sequence, which could cause the command '0'
to be executed. This addresses:

https://security-tracker.debian.org/tracker/CVE-2021-33477

[ Tests ]

None. Manually confirmed (against unstable) that the patch works.

[ Risks ]

Trivial fix cherry-picked from upstream VCS. Original commit from 2019.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

* Add patch to disable ESC G Q
* Set the git branch to debian/buster

[ Other info ]

Cf. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988925

-- 
|)|/  Ryan Kavanagh      | GPG: 4E46 9519 ED67 7734 268F
|\|\  https://rak.ac     |      BD95 8F7B F8FC 4A11 C97A

diff --git c/debian/changelog w/debian/changelog
index 4604560..fd7fd58 100644
--- c/debian/changelog
+++ w/debian/changelog
@@ -1,3 +1,11 @@
+rxvt-unicode (9.22-6+deb10u1) buster; urgency=medium
+
+  * Disable ESC G Q escape sequence, 20_disable_escape_sequence.diff
+    (Closes: #988763, CVE-2021-33477)
+  * Set git branch to debian/buster
+
+ -- Ryan Kavanagh <rak@debian.org>  Fri, 21 May 2021 17:18:00 -0400
+
 rxvt-unicode (9.22-6) unstable; urgency=medium
 
   * Revert the 24bit colour patch. Though no issues seem to arise when using
diff --git c/debian/control w/debian/control
index 4690df26..c2e9549 100644
--- c/debian/control
+++ w/debian/control
@@ -19,7 +19,7 @@ Build-Depends: debhelper (>= 11),
 Rules-Requires-Root: binary-targets
 Standards-Version: 4.3.0
 Homepage: http://software.schmorp.de/pkg/rxvt-unicode.html
-Vcs-Git: https://salsa.debian.org/debian/rxvt-unicode.git -b debian/sid
+Vcs-Git: https://salsa.debian.org/debian/rxvt-unicode.git -b debian/buster
 Vcs-Browser: https://salsa.debian.org/debian/rxvt-unicode
 
 Package: rxvt-unicode
diff --git c/debian/gbp.conf w/debian/gbp.conf
index ae1dc36..6717c9a 100644
--- c/debian/gbp.conf
+++ w/debian/gbp.conf
@@ -1,6 +1,6 @@
 [DEFAULT]
 upstream-branch = upstream
-debian-branch = master
+debian-branch = debian/buster
 upstream-tag = upstream/%(version)s
 debian-tag = debian/%(version)s
 pristine-tar = True
diff --git c/debian/patches/20_disable_escape_sequence.diff w/debian/patches/20_disable_escape_sequence.diff
new file mode 100644
index 0000000..12245f2
--- /dev/null
+++ w/debian/patches/20_disable_escape_sequence.diff
@@ -0,0 +1,25 @@
+Description: disable ESC G Q escape sequence
+Origin: http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.584&r2=1.585
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988763
+Last-Update: 2021-05-21
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: rxvt-unicode/src/command.C
+===================================================================
+--- rxvt-unicode.orig/src/command.C	2019-02-07 15:12:08.000000000 -0500
++++ rxvt-unicode/src/command.C	2021-05-21 10:45:22.522127101 -0400
+@@ -2722,12 +2722,14 @@
+         }
+         break;
+ 
++#if 0 // disabled because embedded newlines can make exploits easier
+         /* kidnapped escape sequence: Should be 8.3.48 */
+       case C1_ESA:		/* ESC G */
+         // used by original rxvt for rob nations own graphics mode
+         if (cmd_getc () == 'Q')
+           tt_printf ("\033G0\012");	/* query graphics - no graphics */
+         break;
++#endif
+ 
+         /* 8.3.63: CHARACTER TABULATION SET */
+       case C1_HTS:		/* ESC H */
diff --git c/debian/patches/series w/debian/patches/series
index 03471d7..8a2f59f 100644
--- c/debian/patches/series
+++ w/debian/patches/series
@@ -9,3 +9,4 @@
 16_no_terminfo.diff
 17_unsafe_man.diff
 18_expand_urxvt-tabbed.1.diff
+20_disable_escape_sequence.diff

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 10.10

Hi,

Each of the updates referenced in these bugs was included in the 10.10
point release today.

Regards,

Adam

--- End Message ---
Reply to: