Your message dated Wed, 27 Sep 2023 18:19:52 +0000
with message-id <e1qlz8a-00eanj...@fasolo.debian.org>
and subject line Bug#1053115: fixed in foot 1.15.3-2
has caused the Debian Bug report #1053115,
regarding foot: code execution via malformed XTGETTCAP
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1053115: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053115
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: foot
Version: 1.13.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: bir...@debian.org, Debian Security Team <t...@security.debian.org>


If an XTGETTCAP escape sequence printed to the terminal contains newline
characters, foot will echo the newline characters back into the PTY as
part of the "invalid capability" response. (XTGETTCAP strings are
supposed to be hex-encoded, so it's not valid for them to contain
newline characters.) In a cat/curl scenario, the user's shell will
receive those newline characters and execute any commands embedded in
the XTGETTCAP sequence as though they were typed in by the user.

--- End Message ---
--- Begin Message ---
Source: foot
Source-Version: 1.15.3-2
Done: Birger Schacht <bir...@debian.org>

We believe that the bug you reported is fixed in the latest version of
foot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1053...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Birger Schacht <bir...@debian.org> (supplier of updated foot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 27 Sep 2023 18:49:57 +0200
Source: foot
Architecture: source
Version: 1.15.3-2
Distribution: unstable
Urgency: medium
Maintainer: Birger Schacht <bir...@debian.org>
Changed-By: Birger Schacht <bir...@debian.org>
Closes: 1053115
Changes:
 foot (1.15.3-2) unstable; urgency=medium
 .
   * debian/patches/0002-dcs-xtgettcap-ignore-queries.patch:
     Backport patch to ignore XTGETTCAP queries with invalid hex encodings
     (Closes: #1053115)


--- End Message ---
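
The report and the changelog entry above come down to one check: an XTGETTCAP (DCS + q) payload that is not strictly hex-encoded is ignored, so none of its bytes are written back to the PTY. The following is an added example of such a check, not the backported foot patch and not code from this thread; the function names and the rule that empty names are rejected are assumptions of the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns true only if the payload of a DCS + q (XTGETTCAP) query is a
 * ';'-separated list of names, each a non-empty, even-length run of hex
 * digits. Anything else (newlines, other control bytes, odd lengths) makes
 * the whole query invalid, so the caller can drop it without replying. */
bool xtgettcap_payload_is_valid(const unsigned char *p, size_t len)
{
    size_t digits = 0;               /* hex digits seen in the current name */

    for (size_t i = 0; i < len; i++) {
        if (p[i] == ';') {
            if (digits == 0 || digits % 2 != 0)
                return false;        /* empty or half-encoded name */
            digits = 0;
        } else if (isxdigit(p[i])) {
            digits++;
        } else {
            return false;            /* e.g. '\n', ESC, space */
        }
    }
    return digits != 0 && digits % 2 == 0;
}

/* Hypothetical dispatch step: reply only to well-formed queries and never
 * copy bytes from a rejected query into the reply written to the PTY. */
bool xtgettcap_should_reply(const char *payload)
{
    return xtgettcap_payload_is_valid((const unsigned char *)payload,
                                      strlen(payload));
}

int main(void)
{
    /* Constructed samples: "544e" is hex for "TN", "436f" for "Co". */
    const char *samples[] = { "544e", "544e;436f", "544e\n", "54 4e", "544" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: %s\n", i,
               xtgettcap_should_reply(samples[i]) ? "reply" : "ignore");
    return 0;
}
```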
