diff -Nru osc-0.132.6/debian/changelog osc-0.132.6/debian/changelog
--- osc-0.132.6/debian/changelog 2011-08-30 15:26:02.000000000 +0700
+++ osc-0.132.6/debian/changelog 2013-07-16 11:44:33.000000000 +0700
@@ -1,3 +1,14 @@
+osc (0.132.6-1ubuntu0.1) precise-security; urgency=low
+
+ * SECURITY UPDATE: Improper sanitization of terminal emulator escape
+ sequences when displaying build log and build status (LP: #1197639)
+ - debian/patches/CVE-2012-1095.patch: osc/core.py(print_buildlog): strip
+ terminal control chars, except new lines from build logs. Based on
+ upstream patch.
+ - CVE-2012-1095
+
+ -- Christian Kuersteiner Tue, 16 Jul 2013 11:44:28 +0700
+
 osc (0.132.6-1) unstable; urgency=low
 
 * New upstream release.
diff -Nru osc-0.132.6/debian/control osc-0.132.6/debian/control
--- osc-0.132.6/debian/control 2011-04-28 16:12:21.000000000 +0700
+++ osc-0.132.6/debian/control 2013-06-26 14:54:45.000000000 +0700
@@ -1,7 +1,8 @@
 Source: osc
 Section: devel
 Priority: extra
-Maintainer: Michal Čihař
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Michal Čihař
 Uploaders: Python Applications Packaging Team
 Build-Depends: debhelper (>= 7.0.50)
 Build-Depends-Indep: python (>= 2.6.6-3~), python-urlgrabber
diff -Nru osc-0.132.6/debian/patches/CVE-2012-1095.patch osc-0.132.6/debian/patches/CVE-2012-1095.patch
--- osc-0.132.6/debian/patches/CVE-2012-1095.patch 1970-01-01 07:00:00.000000000 +0700
+++ osc-0.132.6/debian/patches/CVE-2012-1095.patch 2013-07-04 13:51:23.000000000 +0700
@@ -0,0 +1,29 @@
+Description: strip terminal control chars, except new lines from build logs
+Origin: backport, https://github.com/openSUSE/osc/commit/effe3835ba65745f51dbb579af4ea3556d2ab597.patch
+Author: ckuerste@gmx.ch
+Bug: https://bugzilla.novell.com/show_bug.cgi?id=749335
+Ubuntu-Bug: https://bugs.launchpad.net/ubuntu/+source/osc/+bug/1197639
+--- a/osc/core.py
++++ b/osc/core.py
+@@ -5000,6 +5000,12 @@
+ 
+ def print_buildlog(apiurl, prj, package, repository, arch, offset = 0):
+ """prints out the buildlog on stdout"""
++
++ # to protect us against control characters
++ import string
++ all_bytes = string.maketrans('', '')
++ remove_bytes = all_bytes[:10] + all_bytes[11:32] # accept newlines
++
+ query = {'nostream' : '1', 'start' : '%s' % offset}
+ while True:
+ query['start'] = offset
+@@ -5007,7 +5013,7 @@
+ u = makeurl(apiurl, ['build', prj, repository, arch, package, '_log'], query=query)
+ for data in streamfile(u):
+ offset += len(data)
+- sys.stdout.write(data)
++ sys.stdout.write(data.translate(all_bytes, remove_bytes))
+ if start_offset == offset:
+ break
+ 
diff -Nru osc-0.132.6/debian/patches/series osc-0.132.6/debian/patches/series
--- osc-0.132.6/debian/patches/series 2011-02-21 18:05:53.000000000 +0700
+++ osc-0.132.6/debian/patches/series 2013-06-26 14:26:05.000000000 +0700
@@ -1 +1,2 @@
 fix-package-name.patch
+CVE-2012-1095.patch
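Review bot: The translation table built in the nested print_buildlog hunk deletes only C0 bytes 0x00–0x09 and 0x0b–0x1f, so DEL (0x7f) and the C1 range 0x80–0x9f reach the terminal unchanged, and the slice also discards TAB (0x09) and CR (0x0d), which will mangle tab-indented or progress-style log output; the comment `# accept newlines` does not convey either choice. Since deleting 0x80–0x9f would also corrupt UTF-8 continuation bytes in an otherwise valid log, the trade-off is defensible but should be stated, e.g. `# drop C0 controls (0x00-0x09, 0x0b-0x1f) but keep LF (0x0a); DEL and the C1 range 0x80-0x9f are left in place because a UTF-8 log may legitimately contain those bytes`. The changelog describes the issue as affecting both the build log and the build status display, but the backport changes only print_buildlog; whether the status path in this version needs equivalent filtering is not visible here and is worth checking against the upstream commit named in the Origin line. The body of print_buildlog continues past the end of the nested hunk.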