Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock X-Debbugs-Cc: r...@debian.org
Please unblock package rxvt-unicode Disables the ESC G Q escape sequence, which could cause the command '0' to be executed. This addresses: https://security-tracker.debian.org/tracker/CVE-2021-33477 [ Tests ] None [ Risks ] Trivial fix cherry-picked from upstream VCS. Original commit from 2019. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing unblock rxvt-unicode/9.22-11 -- |)|/ Ryan Kavanagh | GPG: 4E46 9519 ED67 7734 268F |\|\ https://rak.ac | BD95 8F7B F8FC 4A11 C97A
diff -Nru rxvt-unicode-9.22/debian/changelog rxvt-unicode-9.22/debian/changelog --- rxvt-unicode-9.22/debian/changelog 2021-03-20 12:48:03.000000000 -0400 +++ rxvt-unicode-9.22/debian/changelog 2021-05-21 10:48:43.000000000 -0400 @@ -1,3 +1,10 @@ +rxvt-unicode (9.22-11) unstable; urgency=medium + + * Disable ESC G Q escape sequence, 20_disable_escape_sequence.diff + (Closes: #988763, CVE-2021-33477) + + -- Ryan Kavanagh <r...@debian.org> Fri, 21 May 2021 10:48:43 -0400 + rxvt-unicode (9.22-10) unstable; urgency=medium * Correct a mistake in 19_sigsegv_perl_environ.diff diff -Nru rxvt-unicode-9.22/debian/patches/20_disable_escape_sequence.diff rxvt-unicode-9.22/debian/patches/20_disable_escape_sequence.diff --- rxvt-unicode-9.22/debian/patches/20_disable_escape_sequence.diff 1969-12-31 19:00:00.000000000 -0500 +++ rxvt-unicode-9.22/debian/patches/20_disable_escape_sequence.diff 2021-05-21 10:47:48.000000000 -0400 @@ -0,0 +1,25 @@ +Description: disable ESC G Q escape sequence +Origin: http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.584&r2=1.585 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988763 +Last-Update: 2021-05-21 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: rxvt-unicode/src/command.C +=================================================================== +--- rxvt-unicode.orig/src/command.C 2019-02-07 15:12:08.000000000 -0500 ++++ rxvt-unicode/src/command.C 2021-05-21 10:45:22.522127101 -0400 +@@ -2722,12 +2722,14 @@ + } + break; + ++#if 0 // disabled because embedded newlines can make exploits easier + /* kidnapped escape sequence: Should be 8.3.48 */ + case C1_ESA: /* ESC G */ + // used by original rxvt for rob nations own graphics mode + if (cmd_getc () == 'Q') + tt_printf ("\033G0\012"); /* query graphics - no graphics */ + break; ++#endif + + /* 8.3.63: CHARACTER TABULATION SET */ + case C1_HTS: /* ESC H */ diff -Nru rxvt-unicode-9.22/debian/patches/series rxvt-unicode-9.22/debian/patches/series --- rxvt-unicode-9.22/debian/patches/series 2021-03-20 12:48:03.000000000 -0400 +++ rxvt-unicode-9.22/debian/patches/series 2021-05-21 10:44:44.000000000 -0400 @@ -9,3 +9,4 @@ 17_unsafe_man.diff 18_expand_urxvt-tabbed.1.diff 19_sigsegv_perl_environ.diff +20_disable_escape_sequence.diff
signature.asc
Description: PGP signature