Your message dated Mon, 17 Dec 2018 18:36:22 +0000
with message-id <e1gyxkc-0003h3...@fasolo.debian.org>
and subject line Bug#916630: fixed in terminology 1.3.1-1
has caused the Debian Bug report #916630,
regarding terminology: CVE-2018-20167: Remote execution via special escape
codes that handle unknown media types
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
916630: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916630
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: terminology
Version: 1.3.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
Owner: r...@kallisti.us
Forwarded: https://phab.enlightenment.org/T7504
Terminology 1.3.1 has been released to fix a remote code execution
vulnerability in special escape handling. This can be mitigated by unchecking
Settings -> Enable special Terminology escape codes. I'm preparing a release.
Details from upstream bug report:
The \e}pn sequence allows a user to display media like an image or open a
web page. However, all unknown media types are handled with the
media_unknown_handle function which executes xdg-open against the file type.
This creates a large attack surface that allows a remotely introduced
executable file to be executed when that file's MIME type is registered for
xdg-open.
See the linked bug for full info.
Ross
--- End Message ---
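A defensive scanner for the Terminology-specific escape described in the report above, added here as an example (it is not code from the bug report or from the Terminology project): it finds ESC } sequences in untrusted text such as log lines or downloaded files and strips them before the text is shown in a terminal. It assumes the sequence is NUL-terminated; MEDIA_COMMANDS, SAMPLE and the function names are the example's own.

```python
import re

# Terminology's private escape prefix is ESC '}' followed by a short command
# such as "pn", the media-display sequence named in the bug report, and an
# optional ';'-separated argument (a path or URL).  Assumption: the sequence
# is terminated by a NUL byte; the scanner also stops at ESC, BEL or newline
# so a malformed sequence cannot swallow the rest of the input.
TY_ESC = re.compile(
    rb"\x1b\}(?P<cmd>[A-Za-z]{1,3})(?:;(?P<arg>[^\x00\x1b\x07\n]*))?\x00?"
)

# Commands that hand their argument to the media handler and, for unknown
# MIME types, on to xdg-open.  Only "pn" is named in the report; the
# constant name is this example's own.
MEDIA_COMMANDS = {"pn"}


def find_terminology_escapes(data: bytes) -> list[tuple[int, str, str]]:
    """Return (line_number, command, argument) for every ESC } sequence."""
    hits = []
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        for m in TY_ESC.finditer(line):
            cmd = m.group("cmd").decode("ascii")
            arg = (m.group("arg") or b"").decode("utf-8", "replace")
            hits.append((lineno, cmd, arg))
    return hits


def media_escapes(data: bytes) -> list[tuple[int, str, str]]:
    """Subset of hits that would reach the media handler."""
    return [h for h in find_terminology_escapes(data) if h[1] in MEDIA_COMMANDS]


def strip_terminology_escapes(data: bytes) -> bytes:
    """Drop every ESC } sequence; ordinary CSI colour codes are left alone."""
    return TY_ESC.sub(b"", data)


# Constructed sample (not from the bug report): three log lines, the second
# carrying an injected media escape.
SAMPLE = (
    b"GET /index.html 200\n"
    b"GET /\x1b}pn;/tmp/untrusted-file\x00 404\n"
    b"\x1b[31mplain coloured line\x1b[0m\n"
)

if __name__ == "__main__":
    for lineno, cmd, arg in media_escapes(SAMPLE):
        print(f"line {lineno}: Terminology media escape {cmd!r} -> {arg!r}")
    print(strip_terminology_escapes(SAMPLE).decode())
```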
--- Begin Message ---
Source: terminology
Source-Version: 1.3.1-1
We believe that the bug you reported is fixed in the latest version of
terminology, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 916...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ross Vandegrift <r...@kallisti.us> (supplier of updated terminology package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sun, 16 Dec 2018 10:28:36 -0800
Source: terminology
Binary: terminology terminology-data
Architecture: source
Version: 1.3.1-1
Distribution: unstable
Urgency: high
Maintainer: Debian Pkg-e Team <pkg-e-de...@lists.alioth.debian.org>
Changed-By: Ross Vandegrift <r...@kallisti.us>
Closes: 916630
Description:
terminology-data - Enlightenment efl based terminal emulator data
terminology - Enlightenment efl based terminal emulator
Changes:
terminology (1.3.1-1) unstable; urgency=high
  .
  * New upstream release.
    + Fix for CVE-2018-20167: Disable special escape handling for unknown media
      types (Closes: #916630).
  * d/p/0002-Minor-manpage-improvements.patch: drop, applied upstream
--- End Message ---