This patch prevents a code execution vector involving terminal escape sequences when rxvt-unicode is in "secure mode". This change was spurred by the following conversation on the oss-security mailing list: Problem description and proof of concept: http://seclists.org/oss-sec/2017/q2/190 Upstream response: http://seclists.org/oss-sec/2017/q2/291 Patch copied from upstream source repository: http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.582&r2=1.583 --- rxvt-unicode/src/command.C 2016/07/14 05:33:26 1.582 +++ rxvt-unicode/src/command.C 2017/05/18 02:43:18 1.583 @@ -2695,7 +2695,7 @@ /* kidnapped escape sequence: Should be 8.3.48 */ case C1_ESA: /* ESC G */ // used by original rxvt for rob nations own graphics mode - if (cmd_getc () == 'Q') + if (cmd_getc () == 'Q' && option (Opt_insecure)) tt_printf ("\033G0\012"); /* query graphics - no graphics */ break; @@ -2914,7 +2914,7 @@ break; case CSI_CUB: /* 8.3.18: (1) CURSOR LEFT */ - case CSI_HPB: /* 8.3.59: (1) CHARACTER POSITION BACKWARD */ + case CSI_HPB: /* 8.3.59: (1) CHARACTER POSITION BACKWARD */ #ifdef ISO6429 arg[0] = -arg[0]; #else /* emulate common DEC VTs */