
Bug#1053189: bookworm-pu: package foot/1.13.1-2+deb12u1



Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: foot@packages.debian.org, birger@debian.org
Control: affects -1 + src:foot

[ Reason ]
The terminal emulator foot contains a vulnerability. The issue is that,
if an XTGETTCAP escape sequence printed to the terminal contains newline
characters, foot will echo the newline characters back into the PTY as
part of the "invalid capability" response. (XTGETTCAP strings are
supposed to be hex-encoded, so it's not valid for them to contain
newline characters.) 
The bug report is on
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053115

Debian Security is informed about the bug and Moritz suggested I fix
this via the next point release.

[ Impact ]
In a cat/curl scenario, the user's shell will receive those newline
characters and execute any commands embedded in the XTGETTCAP sequence
as though they were typed in by the user.

foot is not affected in oldstable; the bug was fixed in unstable by
backporting the patch.

[ Tests ]
Manual tests only.
I built the package and tested it on a fresh bookworm virtual machine.
I first tested the version that is currently in bookworm, to make sure
the bug exists, and then tested the patched version to make sure the bug
is gone.

[ Risks ]
The code change is trivial and was implemented by upstream, so basically
no risks.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
* Backport patch to ignore XTGETTCAP queries with invalid hex encodings
  (Closes: #1053115)
diff -Nru foot-1.13.1/debian/changelog foot-1.13.1/debian/changelog
--- foot-1.13.1/debian/changelog	2022-10-26 11:15:54.000000000 +0200
+++ foot-1.13.1/debian/changelog	2023-09-25 19:07:33.000000000 +0200
@@ -1,3 +1,10 @@
+foot (1.13.1-2+deb12u1) bookworm; urgency=medium
+
+  * Backport patch to ignore XTGETTCAP queries with invalid hex encodings
+    (Closes: #1053115)
+
+ -- Birger Schacht <birger@debian.org>  Mon, 25 Sep 2023 19:07:33 +0200
+
 foot (1.13.1-2) unstable; urgency=medium
 
   [ Andrea Pappacoda ]
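
Review bot: the new 1.13.1-2+deb12u1 entry names the mechanism (ignoring XTGETTCAP queries with invalid hex encodings) but does not say that this is a security fix, so someone reading the point-release changelog cannot tell why it went into stable. Consider adding a short clause stating that the old behaviour echoed the undecoded query back to the PTY, and cite a CVE id in the entry if one has been assigned.
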
diff -Nru foot-1.13.1/debian/patches/0002-dcs-xtgettcap-ignore-queries.patch foot-1.13.1/debian/patches/0002-dcs-xtgettcap-ignore-queries.patch
--- foot-1.13.1/debian/patches/0002-dcs-xtgettcap-ignore-queries.patch	1970-01-01 01:00:00.000000000 +0100
+++ foot-1.13.1/debian/patches/0002-dcs-xtgettcap-ignore-queries.patch	2023-09-25 19:07:33.000000000 +0200
@@ -0,0 +1,34 @@
+From 8a5f2915e9d327d1517d1da49ce7e2303fe61d36 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20Ekl=C3=B6f?= <daniel@ekloef.se>
+Date: Mon, 25 Sep 2023 16:37:32 +0200
+Subject: [PATCH] dcs: xtgettcap: ignore queries with invalid hex encodings
+
+When we receive an XTGETTCAP query, where the capability is not
+correctly hex encoded, ignore it.
+
+Before this patch, we echo:ed it back to the TTY inside an error
+resonse.
+---
+diff --git a/dcs.c b/dcs.c
+index 7ce1a868..601f1172 100644
+--- a/dcs.c
++++ b/dcs.c
+@@ -111,14 +111,11 @@ static void
+ xtgettcap_reply(struct terminal *term, const char *hex_cap_name, size_t len)
+ {
+     char *name = hex_decode(hex_cap_name, len);
+-    if (name == NULL)
+-        goto err;
++    if (name == NULL) {
++        LOG_WARN("XTGETTCAP: invalid hex encoding, ignoring capability");
++        return;
++    }
+ 
+-#if 0
+-    const struct foot_terminfo_entry *entry =
+-        bsearch(name, terminfo_capabilities, ALEN(terminfo_capabilities),
+-                sizeof(*entry), &terminfo_entry_compar);
+-#endif
+     const char *value;
+     bool valid_capability = lookup_capability(name, &value);
+     xassert(!valid_capability || value != NULL);
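
Review bot: the header of the new debian/patches file carries the upstream commit id, author and date but no DEP-3 `Origin:` or `Bug-Debian:` field, so the link to #1053115 exists only in d/changelog; consider adding both. In the dcs.c part, the early `return` on `name == NULL` replaces one `goto err`, so it is worth checking in the full file that the `err` label still has a user and does not trigger an unused-label warning. The LOG_WARN text is a constant string, so none of the rejected input reaches the log.
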
diff -Nru foot-1.13.1/debian/patches/series foot-1.13.1/debian/patches/series
--- foot-1.13.1/debian/patches/series	2022-10-26 11:15:54.000000000 +0200
+++ foot-1.13.1/debian/patches/series	2023-09-25 19:07:33.000000000 +0200
@@ -1,3 +1,4 @@
 0001-Set-zsh_install_dir-to-vendor-completions.patch
 pgo-fix-gcc-detection.patch
 verbose-pgo.patch
+0002-dcs-xtgettcap-ignore-queries.patch
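
The behaviour described under [ Reason ] and in the patch description, as a stand-alone model. This is an added example, not part of the original message and not foot's code: `strict_hex_decode` and `xtgettcap_reply_model` are hypothetical names, and the `ESC P 0 + r ... ESC \` reply framing for an unknown capability is an assumption of the model.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value of one hex digit, or -1 for anything else (newline included). */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Strict decoder: NULL on empty input, odd length or any non-hex byte. Caller frees. */
static char *strict_hex_decode(const char *hex, size_t len)
{
    if (len == 0 || len % 2 != 0) return NULL;
    char *out = malloc(len / 2 + 1);
    if (out == NULL) return NULL;
    for (size_t i = 0; i < len; i += 2) {
        int hi = hex_val(hex[i]), lo = hex_val(hex[i + 1]);
        if (hi < 0 || lo < 0) { free(out); return NULL; }
        out[i / 2] = (char)(hi << 4 | lo);
    }
    out[len / 2] = '\0';
    return out;
}

/* Hypothetical reply builder: writes the bytes that would go back to the PTY
 * into `out` and returns their count. Invalid hex yields 0: nothing is echoed. */
static size_t xtgettcap_reply_model(const char *hex, size_t len, char *out, size_t outsz)
{
    char *name = strict_hex_decode(hex, len);
    if (name == NULL) return 0;         /* ignore the query entirely */
    free(name);                         /* a real terminal would look the name up here */
    /* "unknown capability" reply; echoing is safe, hex is known to be [0-9A-Fa-f] */
    int n = snprintf(out, outsz, "\033P0+r%.*s\033\\", (int)len, hex);
    return (n < 0 || (size_t)n >= outsz) ? 0 : (size_t)n;
}

int main(void)
{
    char buf[128];
    const char good[] = "544e";         /* constructed: hex for "TN" */
    const char bad[]  = "54\n\n4e";     /* constructed: newlines inside the query */
    printf("good -> %zu reply bytes\n", xtgettcap_reply_model(good, strlen(good), buf, sizeof buf));
    printf("bad  -> %zu reply bytes\n", xtgettcap_reply_model(bad, strlen(bad), buf, sizeof buf));
    return 0;
}
```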
