all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* bug#27101: [PATCH] gnu: rxvt-unicode: Disable an unwanted code execution vector.
@ 2017-05-27 15:02 Leo Famulari
  2017-05-28 17:49 ` Marius Bakke
  0 siblings, 1 reply; 3+ messages in thread
From: Leo Famulari @ 2017-05-27 15:02 UTC (permalink / raw)
  To: 27101

* gnu/packages/patches/rxvt-unicode-escape-sequences.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/xdisorg.scm (rxvt-unicode)[source]: Use it.
---
 gnu/local.mk                                       |  1 +
 .../patches/rxvt-unicode-escape-sequences.patch    | 35 ++++++++++++++++++++++
 gnu/packages/xdisorg.scm                           |  1 +
 3 files changed, 37 insertions(+)
 create mode 100644 gnu/packages/patches/rxvt-unicode-escape-sequences.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 0ef6e2af9..ee043d0c6 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -966,6 +966,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/ruby-puma-ignore-broken-test.patch       \
   %D%/packages/patches/ruby-rack-ignore-failing-test.patch      \
   %D%/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch\
+  %D%/packages/patches/rxvt-unicode-escape-sequences.patch	\
   %D%/packages/patches/scheme48-tests.patch			\
   %D%/packages/patches/scotch-test-threading.patch		\
   %D%/packages/patches/screen-fix-info-syntax-error.patch	\
diff --git a/gnu/packages/patches/rxvt-unicode-escape-sequences.patch b/gnu/packages/patches/rxvt-unicode-escape-sequences.patch
new file mode 100644
index 000000000..064dd51e2
--- /dev/null
+++ b/gnu/packages/patches/rxvt-unicode-escape-sequences.patch
@@ -0,0 +1,35 @@
+This patch prevents a code execution vector involving terminal escape
+sequences when rxvt-unicode is in "secure mode".
+
+This change was spurred by the following conversation on the
+oss-security mailing list:
+
+Problem description and proof of concept:
+http://seclists.org/oss-sec/2017/q2/190
+
+Upstream response:
+http://seclists.org/oss-sec/2017/q2/291
+
+Patch copied from upstream source repository:
+http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.582&r2=1.583
+
+--- rxvt-unicode/src/command.C	2016/07/14 05:33:26	1.582
++++ rxvt-unicode/src/command.C	2017/05/18 02:43:18	1.583
+@@ -2695,7 +2695,7 @@
+         /* kidnapped escape sequence: Should be 8.3.48 */
+       case C1_ESA:		/* ESC G */
+         // used by original rxvt for rob nations own graphics mode
+-        if (cmd_getc () == 'Q')
++        if (cmd_getc () == 'Q' && option (Opt_insecure))
+           tt_printf ("\033G0\012");	/* query graphics - no graphics */
+         break;
+ 
+@@ -2914,7 +2914,7 @@
+         break;
+ 
+       case CSI_CUB:		/* 8.3.18: (1) CURSOR LEFT */
+-      case CSI_HPB: 		/* 8.3.59: (1) CHARACTER POSITION BACKWARD */
++      case CSI_HPB:		/* 8.3.59: (1) CHARACTER POSITION BACKWARD */
+ #ifdef ISO6429
+         arg[0] = -arg[0];
+ #else				/* emulate common DEC VTs */
diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index ad919a6b2..a2230c4e9 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -682,6 +682,7 @@ compact configuration syntax.")
               (method url-fetch)
               (uri (string-append "http://dist.schmorp.de/rxvt-unicode/Attic/"
                                   name "-" version ".tar.bz2"))
+              (patches (search-patches "rxvt-unicode-escape-sequences.patch"))
               (sha256
                (base32
                 "1pddjn5ynblwfrdmskylrsxb9vfnk3w4jdnq2l8xn2pspkljhip9"))))
-- 
2.13.0

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* bug#27101: [PATCH] gnu: rxvt-unicode: Disable an unwanted code execution vector.
  2017-05-27 15:02 bug#27101: [PATCH] gnu: rxvt-unicode: Disable an unwanted code execution vector Leo Famulari
@ 2017-05-28 17:49 ` Marius Bakke
  2017-05-28 18:42   ` Leo Famulari
  0 siblings, 1 reply; 3+ messages in thread
From: Marius Bakke @ 2017-05-28 17:49 UTC (permalink / raw)
  To: Leo Famulari, 27101

[-- Attachment #1: Type: text/plain, Size: 234 bytes --]

Leo Famulari <leo@famulari.name> writes:

> * gnu/packages/patches/rxvt-unicode-escape-sequences.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/xdisorg.scm (rxvt-unicode)[source]: Use it.

LGTM, thanks!

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

* bug#27101: [PATCH] gnu: rxvt-unicode: Disable an unwanted code execution vector.
  2017-05-28 17:49 ` Marius Bakke
@ 2017-05-28 18:42   ` Leo Famulari
  0 siblings, 0 replies; 3+ messages in thread
From: Leo Famulari @ 2017-05-28 18:42 UTC (permalink / raw)
  To: Marius Bakke; +Cc: 27101-done

[-- Attachment #1: Type: text/plain, Size: 399 bytes --]

On Sun, May 28, 2017 at 07:49:46PM +0200, Marius Bakke wrote:
> Leo Famulari <leo@famulari.name> writes:
> 
> > * gnu/packages/patches/rxvt-unicode-escape-sequences.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > * gnu/packages/xdisorg.scm (rxvt-unicode)[source]: Use it.
> 
> LGTM, thanks!

Thanks for the review!

Pushed as 0fd0bb56a806d3da4158e1744249de0296161fa6.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2017-05-28 18:43 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-05-27 15:02 bug#27101: [PATCH] gnu: rxvt-unicode: Disable an unwanted code execution vector Leo Famulari
2017-05-28 17:49 ` Marius Bakke
2017-05-28 18:42   ` Leo Famulari

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.