Fix CVE-2021-25743 bullseye (!7) · Merge requests · Kubernetes Team / packages / kubernetes

Arthur Diniz requested to merge bullseye-CVE-2021-25743 into debian/bullseye Jul 18, 2025

This patch addresses CVE-2021-25743 by adding proper terminal special character escaping in kubectl output to prevent potential terminal escape sequence attacks. The changes include:

Terminal Output Escaping:

Added terminal escape functionality in tableprinter.go to handle special characters like newlines, carriage returns, and formfeeds.
Created new terminal.go with EscapeTerminal() function to properly escape terminal control characters.
Modified table printing to use the new escaping function.

Event Printing:

Added escaping for kubectl alpha events output.
Created new event printer files event_printer.go and event_printer_test.go.
Modified event printing to escape Type, Reason, Object kind/name, and Message fields.

Custom Column Printing:

Modified custom column output to use escaped values.

Describe Function:

Added terminal escaping to the describe output writer.

Fix CVE-2021-25743 bullseye

Merge request reports