x11-terms/rxvt-unicode-9.22: mark ANSI sequence ESC G Q as insecure

Can in theory be used to perform remote code execution, see
https://seclists.org/oss-sec/2021/q2/145 . This was fixed upstream in 2017
(see http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.582&r2=1.583)
so 9.26 is not vulnerable, that said 9.22 will likely not go away any
time soon (if only because of 24-bit colour support) so let's backport
this.

Reported-by: Roman Dobosz <gryf73@gmail.com>
Bug: https://bugs.gentoo.org/790782
Closes: https://github.com/gentoo/gentoo/pull/20863
Signed-off-by: Marek Szuba <marecki@gentoo.org>

1 files changed, 11 insertions, 0 deletions

diff --git a/x11-terms/rxvt-unicode/files/rxvt-unicode-9.22-query-graphics-insecure.patch b/x11-terms/rxvt-unicode/files/rxvt-unicode-9.22-query-graphics-insecure.patch
new file mode 100644
index 000000000000..52a8c8297050
--- /dev/null
+++ b/x11-terms/rxvt-unicode/files/rxvt-unicode-9.22-query-graphics-insecure.patch
@@ -0,0 +1,11 @@
+--- a/src/command.C
++++ b/src/command.C
+@@ -2695,7 +2695,7 @@
+         /* kidnapped escape sequence: Should be 8.3.48 */
+       case C1_ESA:		/* ESC G */
+         // used by original rxvt for rob nations own graphics mode
+-        if (cmd_getc () == 'Q')
++        if (cmd_getc () == 'Q' && option (Opt_insecure))
+           tt_printf ("\033G0\012");	/* query graphics - no graphics */
+         break;
+