Debian Bug report logs - #989041
eterm: CVE-2021-33477


Package: src:eterm; Maintainer for src:eterm is José Antonio Jiménez Madrid <donjosemadrid@gmail.com>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 24 May 2021 14:48:02 UTC

Severity: grave

Tags: security, upstream

Found in versions eterm/0.9.6-5, eterm/0.9.6-6

Fixed in versions eterm/0.9.6-6.1, eterm/0.9.6-5+deb10u1

Done: Utkarsh Gupta <utkarsh@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, José Antonio Jiménez Madrid <donjosemadrid@gmail.com>:
Bug#989041; Package src:eterm. (Mon, 24 May 2021 14:48:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, José Antonio Jiménez Madrid <donjosemadrid@gmail.com>. (Mon, 24 May 2021 14:48:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: eterm: CVE-2021-33477
Date: Mon, 24 May 2021 16:44:51 +0200
Source: eterm
Version: 0.9.6-6
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 0.9.6-5

Hi,

The following vulnerability was published for eterm.

Strictly speaking the severity to RC is overrated, but I think it is
sensible to make sure that the fix lands in bullseye. For buster the
issue is marked no-dsa and could be fixed via an upcoming point
release.

For reference see the rxvt-unicode fix (which disables the code).

CVE-2021-33477[0]:
| rxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 allow
| (potentially remote) code execution because of improper handling of
| certain escape sequences (ESC G Q). A response is terminated by a
| newline.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-33477
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33477

Regards,
Salvatore

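As an added example (not code from this bug thread, from eterm, or from the rxvt-unicode fix), the following Python scanner flags and neutralises the ESC G Q sequence named in the CVE text when it appears in untrusted data that will be written to a terminal (a tailed log, a fetched file), and handles the case where the three bytes arrive split across two reads. The caret replacement `^[GQ`, the class name and the sample log line are this example's own constructions.

```python
import re

# ESC G Q, the escape sequence named in CVE-2021-33477 (bytes 0x1b 'G' 'Q').
GRAPHICS_QUERY = re.compile(rb"\x1bGQ")
# Visible caret notation used as the replacement; an assumption of this example.
NEUTRALISED = b"^[GQ"


def find_graphics_queries(data: bytes) -> list:
    """Return the byte offset of every ESC G Q in data (for alerting/logging)."""
    return [m.start() for m in GRAPHICS_QUERY.finditer(data)]


class StreamScanner:
    """Neutralise ESC G Q in a byte stream that arrives in arbitrary chunks,
    without missing a sequence whose bytes are split across two chunks."""

    def __init__(self):
        self._carry = b""   # trailing bytes that may start a split sequence
        self.hits = 0       # number of sequences seen so far

    def feed(self, chunk: bytes) -> bytes:
        buf = self._carry + chunk
        self.hits += len(find_graphics_queries(buf))
        clean = GRAPHICS_QUERY.sub(NEUTRALISED, buf)
        # Hold back a trailing ESC or ESC G: it cannot be a complete match here,
        # so the substitution left it unchanged and it is re-examined next call.
        keep = 0
        for n in (2, 1):
            if buf.endswith(b"\x1bGQ"[:n]):
                keep = n
                break
        self._carry = buf[-keep:] if keep else b""
        return clean[:-keep] if keep else clean

    def flush(self) -> bytes:
        """Release whatever was held back once the stream has ended."""
        out, self._carry = self._carry, b""
        return out


def scan_sample() -> tuple:
    """Constructed sample: a log line carrying ESC G Q, delivered in two reads."""
    reads = [b"2021-05-24 app: user-agent \x1b", b"GQ Mozilla/5.0\n"]
    scanner = StreamScanner()
    output = b"".join(scanner.feed(r) for r in reads) + scanner.flush()
    return scanner.hits, output
```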


Marked as found in versions eterm/0.9.6-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 24 May 2021 14:48:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, José Antonio Jiménez Madrid <donjosemadrid@gmail.com>:
Bug#989041; Package src:eterm. (Sun, 30 May 2021 15:45:02 GMT) (full text, mbox, link).


Acknowledgement sent to Jose Antonio Jimenez Madrid <donjosemadrid@gmail.com>:
Extra info received and forwarded to list. Copy sent to José Antonio Jiménez Madrid <donjosemadrid@gmail.com>. (Sun, 30 May 2021 15:45:02 GMT) (full text, mbox, link).


Message #12 received at 989041@bugs.debian.org (full text, mbox, reply):

From: Jose Antonio Jimenez Madrid <donjosemadrid@gmail.com>
To: Salvatore Bonaccorso <carnil@debian.org>, 989041@bugs.debian.org
Subject: Re: Bug#989041: eterm: CVE-2021-33477
Date: Sun, 30 May 2021 17:42:15 +0200
Thank you Salvatore for submitting this important bug.

I have sent this information to upstream and I have read the information
you provided.
It is the first time I have to deal with a security bug, so I do not
know the right procedure to follow.

I suppose there is a script or procedure to check whether the patch
version has the problem fixed or not.
I will let you know if upstream gives a patch.

Sincerely,

Jose

P.S.: I have some knowledge of programming but I do not know whether I
would be able to produce a patch on time for the upcoming bullseye release.




Information forwarded to debian-bugs-dist@lists.debian.org, José Antonio Jiménez Madrid <donjosemadrid@gmail.com>:
Bug#989041; Package src:eterm. (Wed, 09 Jun 2021 09:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Utkarsh Gupta <utkarsh@debian.org>:
Extra info received and forwarded to list. Copy sent to José Antonio Jiménez Madrid <donjosemadrid@gmail.com>. (Wed, 09 Jun 2021 09:45:03 GMT) (full text, mbox, link).


Message #17 received at 989041@bugs.debian.org (full text, mbox, reply):

From: Utkarsh Gupta <utkarsh@debian.org>
To: donjosemadrid@gmail.com, 989041@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#989041: eterm: CVE-2021-33477
Date: Wed, 9 Jun 2021 15:11:57 +0530
Hi Jose,

Patch attached. Please let me know if I can upload to unstable
directly? This also needs to go to buster-pu.

Let me know if you have questions or concerns.


- u
[CVE-2021-33477.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, José Antonio Jiménez Madrid <donjosemadrid@gmail.com>:
Bug#989041; Package src:eterm. (Thu, 10 Jun 2021 17:39:03 GMT) (full text, mbox, link).


Acknowledgement sent to Jose Antonio Jimenez Madrid <donjosemadrid@gmail.com>:
Extra info received and forwarded to list. Copy sent to José Antonio Jiménez Madrid <donjosemadrid@gmail.com>. (Thu, 10 Jun 2021 17:39:03 GMT) (full text, mbox, link).


Message #22 received at 989041@bugs.debian.org (full text, mbox, reply):

From: Jose Antonio Jimenez Madrid <donjosemadrid@gmail.com>
To: Utkarsh Gupta <utkarsh@debian.org>, 989041@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#989041: eterm: CVE-2021-33477
Date: Thu, 10 Jun 2021 19:37:55 +0200
Thank you so much Utkarsh for the patch,


Please upload it to unstable, as I would have to upload it through Debian Mentors,
so it will reach testing faster if you upload it to fix this security bug.
Also, you can upload it to buster-pu; the package version is the same
as in Stretch, so it is just a matter of uploading the same thing you have already
uploaded for Stretch.

I will send the patch to upstream. There are several minor issues I have
to coordinate with upstream that can be done later.

Thank you so much for your great work.

Jose






Information forwarded to debian-bugs-dist@lists.debian.org, José Antonio Jiménez Madrid <donjosemadrid@gmail.com>:
Bug#989041; Package src:eterm. (Thu, 10 Jun 2021 20:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to Utkarsh Gupta <utkarsh@debian.org>:
Extra info received and forwarded to list. Copy sent to José Antonio Jiménez Madrid <donjosemadrid@gmail.com>. (Thu, 10 Jun 2021 20:09:03 GMT) (full text, mbox, link).


Message #27 received at 989041@bugs.debian.org (full text, mbox, reply):

From: Utkarsh Gupta <utkarsh@debian.org>
To: 989041@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>, Jose Antonio Jimenez Madrid <donjosemadrid@gmail.com>
Subject: Re: Bug#989041: eterm: CVE-2021-33477
Date: Fri, 11 Jun 2021 01:37:18 +0530
Hi Jose,

On Thu, Jun 10, 2021 at 11:08 PM Jose Antonio Jimenez Madrid
<donjosemadrid@gmail.com> wrote:
> Thank you so much Utkarsh for the patch,

Of course, no problem! :)

> Please upload it to unstable, as I would have to upload it through Debian Mentors,
> so it will reach testing faster if you upload it to fix this security bug.
> Also, you can upload it to buster-pu; the package version is the same
> as in Stretch, so it is just a matter of uploading the same thing you have already
> uploaded for Stretch.

Okay, uploaded to unstable; filed an unblock request via #989703.
Subsequently, uploaded to buster and opened the -pu bug, #989702.

Let me know if you have any questions or concerns. Thanks! \o/


- u



Reply sent to Utkarsh Gupta <utkarsh@debian.org>:
You have taken responsibility. (Thu, 10 Jun 2021 20:27:08 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 10 Jun 2021 20:27:08 GMT) (full text, mbox, link).


Message #32 received at 989041-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 989041-close@bugs.debian.org
Subject: Bug#989041: fixed in eterm 0.9.6-6.1
Date: Thu, 10 Jun 2021 20:22:31 +0000
Source: eterm
Source-Version: 0.9.6-6.1
Done: Utkarsh Gupta <utkarsh@debian.org>

We believe that the bug you reported is fixed in the latest version of
eterm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 989041@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta <utkarsh@debian.org> (supplier of updated eterm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 11 Jun 2021 01:11:10 +0530
Source: eterm
Architecture: source
Version: 0.9.6-6.1
Distribution: unstable
Urgency: high
Maintainer: José Antonio Jiménez Madrid <donjosemadrid@gmail.com>
Changed-By: Utkarsh Gupta <utkarsh@debian.org>
Closes: 989041
Changes:
 eterm (0.9.6-6.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Add patch from rxvt-unicode to fix CVE-2021-33477.
     (Closes: #989041)




Reply sent to Utkarsh Gupta <utkarsh@debian.org>:
You have taken responsibility. (Fri, 11 Jun 2021 09:51:13 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 11 Jun 2021 09:51:13 GMT) (full text, mbox, link).


Message #37 received at 989041-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 989041-close@bugs.debian.org
Subject: Bug#989041: fixed in eterm 0.9.6-5+deb10u1
Date: Fri, 11 Jun 2021 09:47:07 +0000
Source: eterm
Source-Version: 0.9.6-5+deb10u1
Done: Utkarsh Gupta <utkarsh@debian.org>

We believe that the bug you reported is fixed in the latest version of
eterm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 989041@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta <utkarsh@debian.org> (supplier of updated eterm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 11 Jun 2021 01:16:57 +0530
Source: eterm
Architecture: source
Version: 0.9.6-5+deb10u1
Distribution: buster
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Utkarsh Gupta <utkarsh@debian.org>
Closes: 989041
Changes:
 eterm (0.9.6-5+deb10u1) buster; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Add patch from rxvt-unicode to fix CVE-2021-33477.
     (Closes: #989041)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 14 Jul 2021 07:25:13 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Oct 8 03:04:32 2023; Machine Name: buxtehude
