~ruther/guix-local

0fd0bb56a806d3da4158e1744249de0296161fa6 — Leo Famulari 8 years ago 5cd0122 
gnu: rxvt-unicode: Disable an unwanted code execution vector.

* gnu/packages/patches/rxvt-unicode-escape-sequences.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/xdisorg.scm (rxvt-unicode)[source]: Use it.
patch browse .tar.gz 
3 files changed, 37 insertions(+), 0 deletions(-)

M gnu/local.mk
A gnu/packages/patches/rxvt-unicode-escape-sequences.patch
M gnu/packages/xdisorg.scm

M gnu/local.mk => gnu/local.mk +1 -0
@@ 972,6 972,7 @@ dist_patch_DATA =						\
  %D%/packages/patches/ruby-puma-ignore-broken-test.patch       \
  %D%/packages/patches/ruby-rack-ignore-failing-test.patch      \
  %D%/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch\
  %D%/packages/patches/rxvt-unicode-escape-sequences.patch	\
  %D%/packages/patches/scheme48-tests.patch			\
  %D%/packages/patches/scotch-test-threading.patch		\
  %D%/packages/patches/screen-fix-info-syntax-error.patch	\


A gnu/packages/patches/rxvt-unicode-escape-sequences.patch => gnu/packages/patches/rxvt-unicode-escape-sequences.patch +35 -0
@@ 0,0 1,35 @@
This patch prevents a code execution vector involving terminal escape
sequences when rxvt-unicode is in "secure mode".

This change was spurred by the following conversation on the
oss-security mailing list:

Problem description and proof of concept:
http://seclists.org/oss-sec/2017/q2/190

Upstream response:
http://seclists.org/oss-sec/2017/q2/291

Patch copied from upstream source repository:
http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.582&r2=1.583

--- rxvt-unicode/src/command.C	2016/07/14 05:33:26	1.582
+++ rxvt-unicode/src/command.C	2017/05/18 02:43:18	1.583
@@ -2695,7 +2695,7 @@
         /* kidnapped escape sequence: Should be 8.3.48 */
       case C1_ESA:		/* ESC G */
         // used by original rxvt for rob nations own graphics mode
-        if (cmd_getc () == 'Q')
+        if (cmd_getc () == 'Q' && option (Opt_insecure))
           tt_printf ("\033G0\012");	/* query graphics - no graphics */
         break;
 
@@ -2914,7 +2914,7 @@
         break;
 
       case CSI_CUB:		/* 8.3.18: (1) CURSOR LEFT */
-      case CSI_HPB: 		/* 8.3.59: (1) CHARACTER POSITION BACKWARD */
+      case CSI_HPB:		/* 8.3.59: (1) CHARACTER POSITION BACKWARD */
 #ifdef ISO6429
         arg[0] = -arg[0];
 #else				/* emulate common DEC VTs */


M gnu/packages/xdisorg.scm => gnu/packages/xdisorg.scm +1 -0
@@ 682,6 682,7 @@ compact configuration syntax.")
              (method url-fetch)
              (uri (string-append "http://dist.schmorp.de/rxvt-unicode/Attic/"
                                  name "-" version ".tar.bz2"))
              (patches (search-patches "rxvt-unicode-escape-sequences.patch"))
              (sha256
               (base32
                "1pddjn5ynblwfrdmskylrsxb9vfnk3w4jdnq2l8xn2pspkljhip9"))))