Package: foot
Version: 1.13.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: bir...@debian.org, Debian Security Team <t...@security.debian.org>

If an XTGETTCAP escape sequence printed to the terminal contains newline characters, foot will echo the newline characters back into the PTY as part of the "invalid capability" response. (XTGETTCAP strings are supposed to be hex-encoded, so it's not valid for them to contain newline characters.) In a cat/curl scenario, the user's shell will receive those newline characters and execute any commands embedded in the XTGETTCAP sequence as though they were typed in by the user.
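
As an added illustration (not foot's code and not its fix), the check below scans untrusted bytes for XTGETTCAP queries whose payload is not strictly hex-encoded names separated by `;`, which is the condition the report says should never be echoed back. The function names are hypothetical, the sample buffers are constructed, and only the 7-bit `ESC P` / `ESC \` forms of DCS and ST are handled.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed samples: a well-formed query ("TN;co" in hex) and one with a raw newline. */
static const unsigned char SAMPLE_OK[]  = "\x1bP+q544e;636f\x1b\\";
static const unsigned char SAMPLE_BAD[] = "text\x1bP+q54\n4e\x1b\\more";

/* True only if the payload is one or more hex-digit pairs, with names separated by ';'. */
bool xtgettcap_payload_ok(const unsigned char *p, size_t len)
{
    size_t run = 0; /* hex digits seen in the current name */
    for (size_t i = 0; i < len; i++) {
        if (isxdigit(p[i])) { run++; continue; }
        if (p[i] == ';' && run > 0 && run % 2 == 0) { run = 0; continue; }
        return false; /* newline, control byte, or any other non-hex data */
    }
    return run > 0 && run % 2 == 0;
}

/* Count "ESC P + q ... ESC \" sequences in buf whose payload fails the check. */
size_t count_bad_xtgettcap(const unsigned char *buf, size_t len)
{
    size_t bad = 0;
    for (size_t i = 0; i + 3 < len; i++) {
        if (buf[i] != 0x1b || buf[i + 1] != 'P' || buf[i + 2] != '+' || buf[i + 3] != 'q')
            continue;
        size_t start = i + 4, end = start;
        /* Advance to the string terminator; an unterminated query runs to end of buffer. */
        while (end < len && !(buf[end] == 0x1b && end + 1 < len && buf[end + 1] == '\\'))
            end++;
        if (!xtgettcap_payload_ok(buf + start, end - start))
            bad++;
        i = end; /* resume scanning after this sequence */
    }
    return bad;
}

int main(void)
{
    printf("ok sample:  %zu malformed\n", count_bad_xtgettcap(SAMPLE_OK, sizeof SAMPLE_OK - 1));
    printf("bad sample: %zu malformed\n", count_bad_xtgettcap(SAMPLE_BAD, sizeof SAMPLE_BAD - 1));
    return 0;
}
```

A terminal applying the same predicate before building its reply would have nothing attacker-controlled to write into the PTY for a malformed query.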