* bug#27101: [PATCH] gnu: rxvt-unicode: Disable an unwanted code execution vector.
@ 2017-05-27 15:02 Leo Famulari
2017-05-28 17:49 ` Marius Bakke
0 siblings, 1 reply; 3+ messages in thread
From: Leo Famulari @ 2017-05-27 15:02 UTC (permalink / raw)
To: 27101
* gnu/packages/patches/rxvt-unicode-escape-sequences.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/xdisorg.scm (rxvt-unicode)[source]: Use it.
---
gnu/local.mk | 1 +
.../patches/rxvt-unicode-escape-sequences.patch | 35 ++++++++++++++++++++++
gnu/packages/xdisorg.scm | 1 +
3 files changed, 37 insertions(+)
create mode 100644 gnu/packages/patches/rxvt-unicode-escape-sequences.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 0ef6e2af9..ee043d0c6 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -966,6 +966,7 @@ dist_patch_DATA = \
%D%/packages/patches/ruby-puma-ignore-broken-test.patch \
%D%/packages/patches/ruby-rack-ignore-failing-test.patch \
%D%/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch\
+ %D%/packages/patches/rxvt-unicode-escape-sequences.patch \
%D%/packages/patches/scheme48-tests.patch \
%D%/packages/patches/scotch-test-threading.patch \
%D%/packages/patches/screen-fix-info-syntax-error.patch \
diff --git a/gnu/packages/patches/rxvt-unicode-escape-sequences.patch b/gnu/packages/patches/rxvt-unicode-escape-sequences.patch
new file mode 100644
index 000000000..064dd51e2
--- /dev/null
+++ b/gnu/packages/patches/rxvt-unicode-escape-sequences.patch
@@ -0,0 +1,35 @@
+This patch prevents a code execution vector involving terminal escape
+sequences when rxvt-unicode is in "secure mode".
+
+This change was spurred by the following conversation on the
+oss-security mailing list:
+
+Problem description and proof of concept:
+http://seclists.org/oss-sec/2017/q2/190
+
+Upstream response:
+http://seclists.org/oss-sec/2017/q2/291
+
+Patch copied from upstream source repository:
+http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.582&r2=1.583
+
+--- rxvt-unicode/src/command.C 2016/07/14 05:33:26 1.582
++++ rxvt-unicode/src/command.C 2017/05/18 02:43:18 1.583
+@@ -2695,7 +2695,7 @@
+ /* kidnapped escape sequence: Should be 8.3.48 */
+ case C1_ESA: /* ESC G */
+ // used by original rxvt for rob nations own graphics mode
+- if (cmd_getc () == 'Q')
++ if (cmd_getc () == 'Q' && option (Opt_insecure))
+ tt_printf ("\033G0\012"); /* query graphics - no graphics */
+ break;
+
+@@ -2914,7 +2914,7 @@
+ break;
+
+ case CSI_CUB: /* 8.3.18: (1) CURSOR LEFT */
+- case CSI_HPB: /* 8.3.59: (1) CHARACTER POSITION BACKWARD */
++ case CSI_HPB: /* 8.3.59: (1) CHARACTER POSITION BACKWARD */
+ #ifdef ISO6429
+ arg[0] = -arg[0];
+ #else /* emulate common DEC VTs */
diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index ad919a6b2..a2230c4e9 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -682,6 +682,7 @@ compact configuration syntax.")
(method url-fetch)
(uri (string-append "http://dist.schmorp.de/rxvt-unicode/Attic/"
name "-" version ".tar.bz2"))
+ (patches (search-patches "rxvt-unicode-escape-sequences.patch"))
(sha256
(base32
"1pddjn5ynblwfrdmskylrsxb9vfnk3w4jdnq2l8xn2pspkljhip9"))))
--
2.13.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* bug#27101: [PATCH] gnu: rxvt-unicode: Disable an unwanted code execution vector.
2017-05-27 15:02 bug#27101: [PATCH] gnu: rxvt-unicode: Disable an unwanted code execution vector Leo Famulari
@ 2017-05-28 17:49 ` Marius Bakke
2017-05-28 18:42 ` Leo Famulari
0 siblings, 1 reply; 3+ messages in thread
From: Marius Bakke @ 2017-05-28 17:49 UTC (permalink / raw)
To: Leo Famulari, 27101
[-- Attachment #1: Type: text/plain, Size: 234 bytes --]
Leo Famulari <leo@famulari.name> writes:
> * gnu/packages/patches/rxvt-unicode-escape-sequences.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/xdisorg.scm (rxvt-unicode)[source]: Use it.
LGTM, thanks!
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* bug#27101: [PATCH] gnu: rxvt-unicode: Disable an unwanted code execution vector.
2017-05-28 17:49 ` Marius Bakke
@ 2017-05-28 18:42 ` Leo Famulari
0 siblings, 0 replies; 3+ messages in thread
From: Leo Famulari @ 2017-05-28 18:42 UTC (permalink / raw)
To: Marius Bakke; +Cc: 27101-done
[-- Attachment #1: Type: text/plain, Size: 399 bytes --]
On Sun, May 28, 2017 at 07:49:46PM +0200, Marius Bakke wrote:
> Leo Famulari <leo@famulari.name> writes:
>
> > * gnu/packages/patches/rxvt-unicode-escape-sequences.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > * gnu/packages/xdisorg.scm (rxvt-unicode)[source]: Use it.
>
> LGTM, thanks!
Thanks for the review!
Pushed as 0fd0bb56a806d3da4158e1744249de0296161fa6.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-05-28 18:43 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-05-27 15:02 bug#27101: [PATCH] gnu: rxvt-unicode: Disable an unwanted code execution vector Leo Famulari
2017-05-28 17:49 ` Marius Bakke
2017-05-28 18:42 ` Leo Famulari
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.