Your message dated Sun, 01 Oct 2023 18:47:09 +0000
with message-id <e1qn1tb-000xv9...@fasolo.debian.org>
and subject line Bug#1053115: fixed in foot 1.13.1-2+deb12u1
has caused the Debian Bug report #1053115,
regarding foot: code execution via malformed XTGETTCAP
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1053115: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053115
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: foot
Version: 1.13.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: bir...@debian.org, Debian Security Team <t...@security.debian.org>


If an XTGETTCAP escape sequence printed to the terminal contains newline
characters, foot will echo the newline characters back into the PTY as
part of the "invalid capability" response. (XTGETTCAP strings are
supposed to be hex-encoded, so it's not valid for them to contain
newline characters.) In a cat/curl scenario, the user's shell will
receive those newline characters and execute any commands embedded in
the XTGETTCAP sequence as though they were typed in by the user.

--- End Message ---
--- Begin Message ---
Source: foot
Source-Version: 1.13.1-2+deb12u1
Done: Birger Schacht <bir...@debian.org>

We believe that the bug you reported is fixed in the latest version of
foot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1053...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Birger Schacht <bir...@debian.org> (supplier of updated foot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 25 Sep 2023 19:07:33 +0200
Source: foot
Architecture: source
Version: 1.13.1-2+deb12u1
Distribution: stable
Urgency: medium
Maintainer: Birger Schacht <bir...@debian.org>
Changed-By: Birger Schacht <bir...@debian.org>
Closes: 1053115
Changes:
 foot (1.13.1-2+deb12u1) bookworm; urgency=medium
 .
   * Backport patch to ignore XTGETTCAP queries with invalid hex encodings
     (Closes: #1053115)


--- End Message ---
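
The check the changelog entry describes (ignoring XTGETTCAP queries whose payload is not valid hex), sketched in C as an added example; it is not foot's code or the backported patch. The function names, the reply path that treats every capability as unknown, and the `DCS 0 + r ... ST` reply framing are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not foot's source. Checks the payload of an XTGETTCAP
 * query: ';'-separated capability names, each an even-length hex string. */
static bool xtgettcap_payload_is_hex(const char *p, size_t len)
{
    size_t field = 0;                     /* hex digits in the current name */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)p[i];
        if (c == ';') {
            if (field == 0 || field % 2 != 0)
                return false;             /* empty name or half a byte */
            field = 0;
        } else if (isxdigit(c)) {
            field++;
        } else {
            return false;                 /* newline, ESC, space, ... */
        }
    }
    return field != 0 && field % 2 == 0;
}

/* Hypothetical reply path that treats every name as unknown. Returns the
 * number of bytes that would be written back to the PTY; 0 means the query
 * was ignored. Reply framing (DCS 0 + r ... ST) is an assumption. */
static size_t xtgettcap_reply_unknown(const char *p, size_t len,
                                      char *out, size_t cap)
{
    if (!xtgettcap_payload_is_hex(p, len))
        return 0;                         /* malformed: echo nothing */
    int n = snprintf(out, cap, "\033P0+r%.*s\033\\", (int)len, p);
    return (n < 0 || (size_t)n >= cap) ? 0 : (size_t)n;
}

int main(void)
{
    const char *samples[] = { "696E76616C6964", "6162\n6364", "abc" }; /* constructed */
    char out[64];
    for (size_t i = 0; i < 3; i++) {
        size_t n = xtgettcap_reply_unknown(samples[i], strlen(samples[i]),
                                           out, sizeof out);
        printf("sample %zu: %zu reply bytes\n", i, n);
    }
    return 0;
}
```

Only the well-formed sample produces a reply; the payload containing a newline and the odd-length payload yield zero bytes, so nothing from them reaches the shell's input.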
