Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: f...@packages.debian.org, bir...@debian.org
Control: affects -1 + src:foot

[ Reason ]
The terminal emulator foot contains a vulnerability. The issue is that,
if an XTGETTCAP escape sequence printed to the terminal contains newline
characters, foot will echo the newline characters back into the PTY as
part of the "invalid capability" response. (XTGETTCAP strings are
supposed to be hex-encoded, so it's not valid for them to contain
newline characters.)
The bug report is at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053115

Debian Security is informed about the bug and Moritz suggested I fix
this via the next point release.

[ Impact ]
In a cat/curl scenario, the user's shell will receive those newline
characters and execute any commands embedded in the XTGETTCAP sequence
as though they were typed in by the user.

foot is not affected in oldstable; the bug was fixed in unstable by
backporting the patch.
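To make the [ Reason ] and [ Impact ] sections concrete, here is a small
stand-alone model of the XTGETTCAP reply path, written for this note and not
taken from foot's dcs.c. It assumes the xterm framing for the query and
responses (query DCS + q Pt ST, valid reply DCS 1 + r Pt=Pv ST, invalid reply
DCS 0 + r Pt ST), uses a constructed two-entry capability table, and names its
functions hex_decode, lookup_capability and xtgettcap_reply after the
identifiers in the patch, although these are independent implementations. The
point it shows: only query bytes that survived strict hex decoding are ever
copied into a response, so a query containing a newline (or any other
non-hex byte) produces zero bytes on the pty instead of an error response that
carries the raw query.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed capability table standing in for the real terminfo lookup. */
static const struct { const char *name; const char *value; } capabilities[] = {
    { "Co", "256" },
    { "TN", "foot" },
};

static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Strict decoder: NULL for an empty or odd-length string or for any byte
 * outside [0-9a-fA-F]. A newline in the query fails here. */
static char *hex_decode(const char *hex, size_t len)
{
    if (len == 0 || len % 2 != 0)
        return NULL;
    char *out = malloc(len / 2 + 1);
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < len; i += 2) {
        int hi = hex_nibble(hex[i]), lo = hex_nibble(hex[i + 1]);
        if (hi < 0 || lo < 0) {
            free(out);
            return NULL;
        }
        out[i / 2] = (char)((hi << 4) | lo);
    }
    out[len / 2] = '\0';
    return out;
}

static bool lookup_capability(const char *name, const char **value)
{
    for (size_t i = 0; i < sizeof(capabilities) / sizeof(capabilities[0]); i++) {
        if (strcmp(capabilities[i].name, name) == 0) {
            *value = capabilities[i].value;
            return true;
        }
    }
    return false;
}

/* Builds the response for one hex-encoded capability name into `reply`.
 * Returns the number of bytes to write to the pty, 0 when the query is
 * ignored (invalid hex, the post-patch behaviour), or -1 if `reply` is too
 * small. The name is echoed only after decoding succeeded, so the echoed
 * bytes are guaranteed to be hex digits. */
static int xtgettcap_reply(const char *hex_cap_name, size_t len,
                           char *reply, size_t reply_size)
{
    char *name = hex_decode(hex_cap_name, len);
    if (name == NULL)
        return 0;                       /* ignore: nothing reaches the pty */

    const char *value = NULL;
    bool valid = lookup_capability(name, &value);
    free(name);

    size_t value_len = valid ? strlen(value) : 0;
    size_t needed = 5 + len + (valid ? 1 + 2 * value_len : 0) + 2 + 1;
    if (reply_size < needed)
        return -1;

    char *p = reply;
    p += sprintf(p, "\033P%c+r", valid ? '1' : '0');
    memcpy(p, hex_cap_name, len);       /* safe: validated hex digits only */
    p += len;
    if (valid) {
        *p++ = '=';
        for (size_t i = 0; i < value_len; i++)
            p += sprintf(p, "%02x", (unsigned char)value[i]);
    }
    *p++ = '\033';
    *p++ = '\\';
    *p = '\0';
    return (int)(p - reply);
}

/* Check helper: build the reply and compare it with an expected byte string;
 * an expected value of NULL means "the query must be ignored". */
static bool reply_matches(const char *hex, size_t len, const char *expected)
{
    char buf[128];
    int n = xtgettcap_reply(hex, len, buf, sizeof buf);
    if (expected == NULL)
        return n == 0;
    return n > 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed queries: a known name, an unknown name, and one containing
     * a newline, which decodes to nothing and is dropped. */
    const char *queries[] = { "544e", "5858", "54\n4e" };
    for (size_t i = 0; i < 3; i++) {
        char buf[128];
        int n = xtgettcap_reply(queries[i], strlen(queries[i]), buf, sizeof buf);
        printf("query %zu: %d bytes written to the pty\n", i, n);
    }
    return 0;
}
```

The pre-patch behaviour differs only in the NULL branch: instead of returning
0 it fell through to the error response, which copied the undecoded query
into the DCS 0 + r reply and so put whatever bytes the query contained back
onto the pty.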

[ Tests ]
Manual tests only.
I built the package and tested it on a fresh bookworm virtual machine.
I first tested the version that is currently in bookworm, to make sure
the bug exists, and then tested the patched version to make sure the bug
is gone.

[ Risks ]
The code change is trivial and was implemented by upstream, so basically
no risks.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
* Backport patch to ignore XTGETTCAP queries with invalid hex encodings
  (Closes: #1053115)

diff -Nru foot-1.13.1/debian/changelog foot-1.13.1/debian/changelog
--- foot-1.13.1/debian/changelog        2022-10-26 11:15:54.000000000 +0200
+++ foot-1.13.1/debian/changelog        2023-09-25 19:07:33.000000000 +0200
@@ -1,3 +1,10 @@
+foot (1.13.1-2+deb12u1) bookworm; urgency=medium
+
+  * Backport patch to ignore XTGETTCAP queries with invalid hex encodings
+    (Closes: #1053115)
+
+ -- Birger Schacht <bir...@debian.org>  Mon, 25 Sep 2023 19:07:33 +0200
+
 foot (1.13.1-2) unstable; urgency=medium
 
   [ Andrea Pappacoda ]
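Review bot: the new changelog entry `+  * Backport patch to ignore XTGETTCAP queries with invalid hex encodings` states what the patch does but not why it is a stable update; since the patch description says the old code echoed the malformed query back to the TTY, consider naming that consequence in the entry, e.g. "which were previously echoed back to the PTY inside the error response", so the security relevance is visible without opening the bug.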
diff -Nru foot-1.13.1/debian/patches/0002-dcs-xtgettcap-ignore-queries.patch 
foot-1.13.1/debian/patches/0002-dcs-xtgettcap-ignore-queries.patch
--- foot-1.13.1/debian/patches/0002-dcs-xtgettcap-ignore-queries.patch  
1970-01-01 01:00:00.000000000 +0100
+++ foot-1.13.1/debian/patches/0002-dcs-xtgettcap-ignore-queries.patch  
2023-09-25 19:07:33.000000000 +0200
@@ -0,0 +1,34 @@
+From 8a5f2915e9d327d1517d1da49ce7e2303fe61d36 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20Ekl=C3=B6f?= <dan...@ekloef.se>
+Date: Mon, 25 Sep 2023 16:37:32 +0200
+Subject: [PATCH] dcs: xtgettcap: ignore queries with invalid hex encodings
+
+When we receive an XTGETTCAP query, where the capability is not
+correctly hex encoded, ignore it.
+
+Before this patch, we echo:ed it back to the TTY inside an error
+resonse.
+---
+diff --git a/dcs.c b/dcs.c
+index 7ce1a868..601f1172 100644
+--- a/dcs.c
++++ b/dcs.c
+@@ -111,14 +111,11 @@ static void
+ xtgettcap_reply(struct terminal *term, const char *hex_cap_name, size_t len)
+ {
+     char *name = hex_decode(hex_cap_name, len);
+-    if (name == NULL)
+-        goto err;
++    if (name == NULL) {
++        LOG_WARN("XTGETTCAP: invalid hex encoding, ignoring capability");
++        return;
++    }
+ 
+-#if 0
+-    const struct foot_terminfo_entry *entry =
+-        bsearch(name, terminfo_capabilities, ALEN(terminfo_capabilities),
+-                sizeof(*entry), &terminfo_entry_compar);
+-#endif
+     const char *value;
+     bool valid_capability = lookup_capability(name, &value);
+     xassert(!valid_capability || value != NULL);
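Review bot: the patch file carries the upstream commit hash and author in its header but no DEP-3 `Bug-Debian:` or `Origin:` line; adding `Bug-Debian: https://bugs.debian.org/1053115` and `Origin: upstream, 8a5f2915e9d327d1517d1da49ce7e2303fe61d36` would let tracking tools tie the backport to the bug. Two smaller points in the same hunk: the removal of the `-#if 0` ... `-#endif` bsearch block is unrelated cleanup that a minimal stable backport could leave out, and the description line `+resonse.` has a typo for "response" that could be corrected in the patch header without touching the code.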
diff -Nru foot-1.13.1/debian/patches/series foot-1.13.1/debian/patches/series
--- foot-1.13.1/debian/patches/series   2022-10-26 11:15:54.000000000 +0200
+++ foot-1.13.1/debian/patches/series   2023-09-25 19:07:33.000000000 +0200
@@ -1,3 +1,4 @@
 0001-Set-zsh_install_dir-to-vendor-completions.patch
 pgo-fix-gcc-detection.patch
 verbose-pgo.patch
+0002-dcs-xtgettcap-ignore-queries.patch
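Review bot: the new `0002-dcs-xtgettcap-ignore-queries.patch` entry is appended after the two PGO build patches rather than directly after `0001-Set-zsh_install_dir-to-vendor-completions.patch`; since the patches touch different files the order does not affect the result, but placing the numbered upstream backport next to `0001-` keeps the series readable.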
