Control: tags 861694 + pending

Dear maintainer,

I've prepared an NMU for rxvt (versioned as 1:2.7.10-7.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru rxvt-2.7.10/debian/changelog rxvt-2.7.10/debian/changelog
--- rxvt-2.7.10/debian/changelog	2016-03-26 21:27:42.000000000 +0100
+++ rxvt-2.7.10/debian/changelog	2017-10-03 21:07:20.000000000 +0200
@@ -1,3 +1,11 @@
+rxvt (1:2.7.10-7.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2017-7483: crash / code execution via escape sequence
+    (Closes: #861694)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Tue, 03 Oct 2017 21:07:20 +0200
+
 rxvt (1:2.7.10-7) unstable; urgency=medium
 
   * Fixed rxvt-ml cjk builds to use updated configure params.
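Review bot: The CVE-2017-7483 entry in the new changelog stanza does not name the patch file it adds. Consider mentioning debian/patches/CVE-2017-7483-rxvt-integer-overflow-fix.patch so the changelog shows how the fix was applied. Since the entry itself says "code execution", it is also worth confirming that urgency=medium is the intended urgency.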
diff -Nru rxvt-2.7.10/debian/patches/CVE-2017-7483-rxvt-integer-overflow-fix.patch rxvt-2.7.10/debian/patches/CVE-2017-7483-rxvt-integer-overflow-fix.patch
--- rxvt-2.7.10/debian/patches/CVE-2017-7483-rxvt-integer-overflow-fix.patch	1970-01-01 01:00:00.000000000 +0100
+++ rxvt-2.7.10/debian/patches/CVE-2017-7483-rxvt-integer-overflow-fix.patch	2017-10-03 21:07:20.000000000 +0200
@@ -0,0 +1,20 @@
+Description: CVE-2017-7483: rxvt: crash / code execution via escape sequence
+Origin: vendor, https://bugzilla.novell.com/attachment.cgi?id=723455
+Bug-Debian: https://bugs.debian.org/861694
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7483
+Bug-SuSE: https://bugzilla.novell.com/show_bug.cgi?id=1036456
+Forwarded: no
+Author: "Jason A. Donenfeld" <ja...@zx2c4.com>
+Last-Update: 2017-10-03
+
+--- rxvt-2.7.10/src/command.c	2003-03-26 07:01:23.000000000 +0100
++++ rxvt-2.7.10-patched/src/command.c	2017-04-27 12:06:05.682072274 +0200
+@@ -2096,7 +2096,7 @@
+     i = ch - CSI_ICH;
+     ndef = get_byte_array_bit(csi_defaults, i);
+     for (p = 0; p < nargs; p++)
+-	if (arg[p] == -1)
++	if (arg[p] < 0 || arg[p] > 30000)
+ 	    arg[p] = ndef;
+ 
+ #ifdef DEBUG_CMD
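Review bot: The bound 30000 in the new condition `arg[p] < 0 || arg[p] > 30000` in src/command.c is an unexplained magic number. A short comment or a named constant stating which limit it protects would help, since the Description only says "crash / code execution via escape sequence" and the overflow is named only in the patch file name. Note also that out-of-range arguments are replaced with ndef rather than clamped to the bound, so an oversized CSI parameter now behaves like an omitted one; if that is intended, say so in the patch header.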
diff -Nru rxvt-2.7.10/debian/patches/series rxvt-2.7.10/debian/patches/series
--- rxvt-2.7.10/debian/patches/series	2016-03-26 18:42:18.000000000 +0100
+++ rxvt-2.7.10/debian/patches/series	2017-10-03 21:07:20.000000000 +0200
@@ -16,3 +16,4 @@
 rxvt-tbl.patch
 rclock-segfault-empty-env-716576.patch
 sighup-exits-347344.patch
+CVE-2017-7483-rxvt-integer-overflow-fix.patch
