From 0fd0bb56a806d3da4158e1744249de0296161fa6 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Sat, 27 May 2017 11:01:25 -0400 Subject: [PATCH] gnu: rxvt-unicode: Disable an unwanted code execution vector. * gnu/packages/patches/rxvt-unicode-escape-sequences.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/xdisorg.scm (rxvt-unicode)[source]: Use it. --- gnu/local.mk | 1 + .../rxvt-unicode-escape-sequences.patch | 35 +++++++++++++++++++ gnu/packages/xdisorg.scm | 1 + 3 files changed, 37 insertions(+) create mode 100644 gnu/packages/patches/rxvt-unicode-escape-sequences.patch diff --git a/gnu/local.mk b/gnu/local.mk index 1937da8968..e811e9a0be 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -972,6 +972,7 @@ dist_patch_DATA = \ %D%/packages/patches/ruby-puma-ignore-broken-test.patch \ %D%/packages/patches/ruby-rack-ignore-failing-test.patch \ %D%/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch\ + %D%/packages/patches/rxvt-unicode-escape-sequences.patch \ %D%/packages/patches/scheme48-tests.patch \ %D%/packages/patches/scotch-test-threading.patch \ %D%/packages/patches/screen-fix-info-syntax-error.patch \ diff --git a/gnu/packages/patches/rxvt-unicode-escape-sequences.patch b/gnu/packages/patches/rxvt-unicode-escape-sequences.patch new file mode 100644 index 0000000000..064dd51e2d --- /dev/null +++ b/gnu/packages/patches/rxvt-unicode-escape-sequences.patch @@ -0,0 +1,35 @@ +This patch prevents a code execution vector involving terminal escape +sequences when rxvt-unicode is in "secure mode". + +This change was spurred by the following conversation on the +oss-security mailing list: + +Problem description and proof of concept: +http://seclists.org/oss-sec/2017/q2/190 + +Upstream response: +http://seclists.org/oss-sec/2017/q2/291 + +Patch copied from upstream source repository: +http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.582&r2=1.583 + +--- rxvt-unicode/src/command.C 2016/07/14 05:33:26 1.582 ++++ rxvt-unicode/src/command.C 2017/05/18 02:43:18 1.583 +@@ -2695,7 +2695,7 @@ + /* kidnapped escape sequence: Should be 8.3.48 */ + case C1_ESA: /* ESC G */ + // used by original rxvt for rob nations own graphics mode +- if (cmd_getc () == 'Q') ++ if (cmd_getc () == 'Q' && option (Opt_insecure)) + tt_printf ("\033G0\012"); /* query graphics - no graphics */ + break; + +@@ -2914,7 +2914,7 @@ + break; + + case CSI_CUB: /* 8.3.18: (1) CURSOR LEFT */ +- case CSI_HPB: /* 8.3.59: (1) CHARACTER POSITION BACKWARD */ ++ case CSI_HPB: /* 8.3.59: (1) CHARACTER POSITION BACKWARD */ + #ifdef ISO6429 + arg[0] = -arg[0]; + #else /* emulate common DEC VTs */ diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm index ad919a6b28..a2230c4e93 100644 --- a/gnu/packages/xdisorg.scm +++ b/gnu/packages/xdisorg.scm @@ -682,6 +682,7 @@ (define-public rxvt-unicode (method url-fetch) (uri (string-append "http://dist.schmorp.de/rxvt-unicode/Attic/" name "-" version ".tar.bz2")) + (patches (search-patches "rxvt-unicode-escape-sequences.patch")) (sha256 (base32 "1pddjn5ynblwfrdmskylrsxb9vfnk3w4jdnq2l8xn2pspkljhip9"))))