From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: bug#27101: [PATCH] gnu: rxvt-unicode: Disable an unwanted code execution vector.
From: Leo Famulari Date: Sat, 27 May 2017 11:02:56 -0400 Message-Id: <0eb2c52da308cdf5302508a38c421452208dfe1d.1495897376.git.leo@famulari.name> List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: 27101@debbugs.gnu.org * gnu/packages/patches/rxvt-unicode-escape-sequences.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/xdisorg.scm (rxvt-unicode)[source]: Use it. --- gnu/local.mk | 1 + .../patches/rxvt-unicode-escape-sequences.patch | 35 ++++++++++++++++++++++ gnu/packages/xdisorg.scm | 1 + 3 files changed, 37 insertions(+) create mode 100644 gnu/packages/patches/rxvt-unicode-escape-sequences.patch diff --git a/gnu/local.mk b/gnu/local.mk index 0ef6e2af9..ee043d0c6 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -966,6 +966,7 @@ dist_patch_DATA = \ %D%/packages/patches/ruby-puma-ignore-broken-test.patch \ %D%/packages/patches/ruby-rack-ignore-failing-test.patch \ %D%/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch\ + %D%/packages/patches/rxvt-unicode-escape-sequences.patch \ %D%/packages/patches/scheme48-tests.patch \ %D%/packages/patches/scotch-test-threading.patch \ %D%/packages/patches/screen-fix-info-syntax-error.patch \ diff --git a/gnu/packages/patches/rxvt-unicode-escape-sequences.patch b/gnu/packages/patches/rxvt-unicode-escape-sequences.patch new file mode 100644 index 000000000..064dd51e2 --- /dev/null +++ b/gnu/packages/patches/rxvt-unicode-escape-sequences.patch 
@@ -0,0 +1,35 @@ +This patch prevents a code execution vector involving terminal escape +sequences when rxvt-unicode is in "secure mode". + +This change was spurred by the following conversation on the +oss-security mailing list: + +Problem description and proof of concept: +http://seclists.org/oss-sec/2017/q2/190 + +Upstream response: +http://seclists.org/oss-sec/2017/q2/291 + +Patch copied from upstream source repository: +http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.582&r2=1.583 + +--- rxvt-unicode/src/command.C 2016/07/14 05:33:26 1.582 ++++ rxvt-unicode/src/command.C 2017/05/18 02:43:18 1.583 +@@ -2695,7 +2695,7 @@ + /* kidnapped escape sequence: Should be 8.3.48 */ + case C1_ESA: /* ESC G */ + // used by original rxvt for rob nations own graphics mode +- if (cmd_getc () == 'Q') ++ if (cmd_getc () == 'Q' && option (Opt_insecure)) + tt_printf ("\033G0\012"); /* query graphics - no graphics */ + break; + +@@ -2914,7 +2914,7 @@ + break; + + case CSI_CUB: /* 8.3.18: (1) CURSOR LEFT */ +- case CSI_HPB: /* 8.3.59: (1) CHARACTER POSITION BACKWARD */ ++ case CSI_HPB: /* 8.3.59: (1) CHARACTER POSITION BACKWARD */ + #ifdef ISO6429 + arg[0] = -arg[0]; + #else /* emulate common DEC VTs */ diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm index ad919a6b2..a2230c4e9 100644 --- a/gnu/packages/xdisorg.scm +++ b/gnu/packages/xdisorg.scm @@ -682,6 +682,7 @@ compact configuration syntax.") (method url-fetch) (uri (string-append "http://dist.schmorp.de/rxvt-unicode/Attic/" name "-" version ".tar.bz2")) + (patches (search-patches "rxvt-unicode-escape-sequences.patch")) (sha256 (base32 "1pddjn5ynblwfrdmskylrsxb9vfnk3w4jdnq2l8xn2pspkljhip9")))) -- 2.13.0
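Review bot: In the new rxvt-unicode-escape-sequences.patch, the second embedded hunk (`@@ -2914,7 +2914,7 @@`, the `case CSI_HPB:` line) differs only in whitespace as far as the lines shown here go, and it is unrelated to the ESC G reply that the first hunk gates behind `option (Opt_insecure)`. Either drop it so the Guix patch carries only the security-relevant change, or state in the patch header that the file is a verbatim copy of upstream revision 1.583 including that cosmetic change. The header could also name the affected sequence (the `ESC G` + `Q` graphics query answered through `tt_printf`) and say that after this change the reply is sent only when the insecure option is set, so a reader can see what is being disabled without following the oss-security links. If the first hunk is ever rebased, keep `cmd_getc ()` as the left operand of `&&`, so the byte after ESC G is still consumed in secure mode.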