Bug#988925: unblock: rxvt-unicode/9.22-11

[Ryan Kavanagh <rak@debian.org>]

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: rak@debian.org

Please unblock package rxvt-unicode

Disables the ESC G Q escape sequence, which could cause the command '0'
to be executed. This addresses:

https://security-tracker.debian.org/tracker/CVE-2021-33477

[ Tests ]

None

[ Risks ]

Trivial fix cherry-picked from upstream VCS. Original commit from 2019.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock rxvt-unicode/9.22-11

-- 
|)|/  Ryan Kavanagh      | GPG: 4E46 9519 ED67 7734 268F
|\|\  https://rak.ac     |      BD95 8F7B F8FC 4A11 C97A

diff -Nru rxvt-unicode-9.22/debian/changelog rxvt-unicode-9.22/debian/changelog
--- rxvt-unicode-9.22/debian/changelog	2021-03-20 12:48:03.000000000 -0400
+++ rxvt-unicode-9.22/debian/changelog	2021-05-21 10:48:43.000000000 -0400
@@ -1,3 +1,10 @@
+rxvt-unicode (9.22-11) unstable; urgency=medium
+
+  * Disable ESC G Q escape sequence, 20_disable_escape_sequence.diff
+    (Closes: #988763, CVE-2021-33477)
+
+ -- Ryan Kavanagh <rak@debian.org>  Fri, 21 May 2021 10:48:43 -0400
+
 rxvt-unicode (9.22-10) unstable; urgency=medium
 
   * Correct a mistake in 19_sigsegv_perl_environ.diff
diff -Nru rxvt-unicode-9.22/debian/patches/20_disable_escape_sequence.diff rxvt-unicode-9.22/debian/patches/20_disable_escape_sequence.diff
--- rxvt-unicode-9.22/debian/patches/20_disable_escape_sequence.diff	1969-12-31 19:00:00.000000000 -0500
+++ rxvt-unicode-9.22/debian/patches/20_disable_escape_sequence.diff	2021-05-21 10:47:48.000000000 -0400
@@ -0,0 +1,25 @@
+Description: disable ESC G Q escape sequence
+Origin: http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.584&r2=1.585
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988763
+Last-Update: 2021-05-21
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: rxvt-unicode/src/command.C
+===================================================================
+--- rxvt-unicode.orig/src/command.C	2019-02-07 15:12:08.000000000 -0500
++++ rxvt-unicode/src/command.C	2021-05-21 10:45:22.522127101 -0400
+@@ -2722,12 +2722,14 @@
+         }
+         break;
+ 
++#if 0 // disabled because embedded newlines can make exploits easier
+         /* kidnapped escape sequence: Should be 8.3.48 */
+       case C1_ESA:		/* ESC G */
+         // used by original rxvt for rob nations own graphics mode
+         if (cmd_getc () == 'Q')
+           tt_printf ("\033G0\012");	/* query graphics - no graphics */
+         break;
++#endif
+ 
+         /* 8.3.63: CHARACTER TABULATION SET */
+       case C1_HTS:		/* ESC H */
diff -Nru rxvt-unicode-9.22/debian/patches/series rxvt-unicode-9.22/debian/patches/series
--- rxvt-unicode-9.22/debian/patches/series	2021-03-20 12:48:03.000000000 -0400
+++ rxvt-unicode-9.22/debian/patches/series	2021-05-21 10:44:44.000000000 -0400
@@ -9,3 +9,4 @@
 17_unsafe_man.diff
 18_expand_urxvt-tabbed.1.diff
 19_sigsegv_perl_environ.diff
+20_disable_escape_sequence.diff

Attachment: signature.asc
Description: PGP signature