This patch prevents a code execution vector involving terminal escape
sequences when rxvt-unicode is in "secure mode".

This change was spurred by the following conversation on the
oss-security mailing list:

Problem description and proof of concept:
http://seclists.org/oss-sec/2017/q2/190

Upstream response:
http://seclists.org/oss-sec/2017/q2/291

Patch copied from upstream source repository:
http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.582&r2=1.583

--- rxvt-unicode/src/command.C	2016/07/14 05:33:26	1.582
+++ rxvt-unicode/src/command.C	2017/05/18 02:43:18	1.583
@@ -2695,7 +2695,7 @@
         /* kidnapped escape sequence: Should be 8.3.48 */
       case C1_ESA:		/* ESC G */
         // used by original rxvt for rob nations own graphics mode
-        if (cmd_getc () == 'Q')
+        if (cmd_getc () == 'Q' && option (Opt_insecure))
           tt_printf ("\033G0\012");	/* query graphics - no graphics */
         break;
 
@@ -2914,7 +2914,7 @@
         break;
 
       case CSI_CUB:		/* 8.3.18: (1) CURSOR LEFT */
-      case CSI_HPB: 		/* 8.3.59: (1) CHARACTER POSITION BACKWARD */
+      case CSI_HPB:		/* 8.3.59: (1) CHARACTER POSITION BACKWARD */
 #ifdef ISO6429
         arg[0] = -arg[0];
 #else				/* emulate common DEC VTs */
775e76c0a898c7d4b53691d1932fc0e6eb'>tree</a><a href='/guix/commit/gnu/packages/php.scm?id=7d990e775e76c0a898c7d4b53691d1932fc0e6eb'>commit</a><a href='/guix/diff/gnu/packages/php.scm?id=7d990e775e76c0a898c7d4b53691d1932fc0e6eb'>diff</a></td><td class='form'><form class='right' method='get' action='/guix/log/gnu/packages/php.scm'>
<input type='hidden' name='id' value='7d990e775e76c0a898c7d4b53691d1932fc0e6eb'/><select name='qt'>
<option value='grep'>log msg</option>
<option value='author'>author</option>
<option value='committer'>committer</option>
<option value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/guix/log/?id=7d990e775e76c0a898c7d4b53691d1932fc0e6eb'>root</a>/<a href='/guix/log/gnu?id=7d990e775e76c0a898c7d4b53691d1932fc0e6eb'>gnu</a>/<a href='/guix/log/gnu/packages?id=7d990e775e76c0a898c7d4b53691d1932fc0e6eb'>packages</a>/<a href='/guix/log/gnu/packages/php.scm?id=7d990e775e76c0a898c7d4b53691d1932fc0e6eb'>php.scm</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th class='left'>Age</th><th class='left'>Commit message (<a href='/guix/log/gnu/packages/php.scm?id=7d990e775e76c0a898c7d4b53691d1932fc0e6eb&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2021-12-16 19:06:50 +0100'>2021-12-16</span></td><td><a href='/guix/commit/gnu/packages/php.scm?id=88b4dcdabe512992ae79a50fc333e4e463d91634'>gnu: php: Properly fix openssl_x509_checkpurpose_basic.phpt.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/php.scm (php)[source]: Add patch.
* gnu/packages/patches/php-openssl_x509_checkpurpose_basic.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.

Thanks to Diego Nicola Barbato &lt;dnbarbato@posteo.de&gt;
</span></span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2021-12-16 18:28:43 +0100'>2021-12-16</span></td><td><a href='/guix/commit/gnu/packages/php.scm?id=5e59153595bd1346df3eaa79461209b34d879185'>gnu: php: Disable yet another failing test.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/php.scm (php)[arguments]: Delete the
openssl_x509_checkpurpose_basic.phpt test.
</span></span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2021-12-05 19:17:41 +0100'>2021-12-05</span></td><td><a href='/guix/commit/gnu/packages/php.scm?id=9bc0f45df5d6aed217020b1183dca54989844fb0'>Merge remote-tracking branch 'origin/master' into core-updates-frozen</a></td><td>Ricardo Wurmus</td></tr>
<tr><td><span title='2021-11-28 21:28:18 +0200'>2021-11-28</span></td><td><a href='/guix/commit/gnu/packages/php.scm?id=2d332ba5ed7d058873db20586bca91ba483cafce'>gnu: php: Remove extra glibc input.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/php.scm (php)[arguments]: Use build-system's libc for
gettext.
[inputs]: Remove glibc.
</span></span></td><td>Efraim Flashner</td></tr>
<tr><td><span title='2021-11-28 21:28:18 +0200'>2021-11-28</span></td><td><a href='/guix/commit/gnu/packages/php.scm?id=e8bc37945fb2e9f08c8c468f60a08abac9fccdef'>gnu: php: Update to 7.4.26.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/php.scm (php): Update to 7.4.26.
</span></span></td><td>Efraim Flashner</td></tr>
<tr><td><span title='2021-10-31 14:49:47 +0200'>2021-10-31</span></td><td><a href='/guix/commit/gnu/packages/php.scm?id=bc5155b952ae8bdbc56aded4d8d39768b4e2a7d4'>Merge remote-tracking branch 'origin/master' into core-updates-frozen</a></td><td>Efraim Flashner</td></tr>
<tr><td><span title='2021-10-23 13:25:01 +0200'>2021-10-23</span></td><td><a href='/guix/commit/gnu/packages/php.scm?id=7628430a2f46a4a57d5ff7e51b1be80b7765c96c'>gnu: php: Update to 7.4.25 [security fixes].</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/php.scm (php): Update to 7.4.25.
[source]: Don't explicitly return #t from snippet.
</span></span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2021-10-12 17:46:23 +0000'>2021-10-12</span></td><td><a href='/guix/commit/gnu/packages/php.scm?id=a1eca979fb8da842e73c42f4f53be29b169810f2'>Merge remote-tracking branch 'origin/master' into core-updates-frozen.</a></td><td>Mathieu Othacehe</td></tr>
<tr><td><span title='2021-10-05 13:45:29 +0200'>2021-10-05</span></td><td><a href='/guix/commit/gnu/packages/php.scm?id=9aaf402a379b9ac9e4c3eee5b16f7496d7606e91'>gnu: php: Patch failing test case.</a><span class='msg-avail'>...<span class='msg-tooltip'>Fixes a failing test case in PHP (Zend/tests/bug74093.phpt).  See
&lt;https://github.com/php/php-src/pull/7555/files&gt; for upstream status.

* gnu/packages/php.scm (php)[source]: Add patch.
* gnu/packages/patches/php-bug-74093-test.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.

Signed-off-by: Tobias Geerinckx-Rice &lt;me@tobias.gr&gt;
</span></span></td><td>Ryan Sundberg via Guix-patches via</td></tr>

Age	Commit message (Expand)	Author
2021-12-16	gnu: php: Properly fix openssl_x509_checkpurpose_basic.phpt....* gnu/packages/php.scm (php)[source]: Add patch. * gnu/packages/patches/php-openssl_x509_checkpurpose_basic.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. Thanks to Diego Nicola Barbato <dnbarbato@posteo.de>	Tobias Geerinckx-Rice
2021-12-16	gnu: php: Disable yet another failing test....* gnu/packages/php.scm (php)[arguments]: Delete the openssl_x509_checkpurpose_basic.phpt test.	Tobias Geerinckx-Rice
2021-12-05	Merge remote-tracking branch 'origin/master' into core-updates-frozen	Ricardo Wurmus
2021-11-28	gnu: php: Remove extra glibc input....* gnu/packages/php.scm (php)[arguments]: Use build-system's libc for gettext. [inputs]: Remove glibc.	Efraim Flashner
2021-11-28	gnu: php: Update to 7.4.26....* gnu/packages/php.scm (php): Update to 7.4.26.	Efraim Flashner
2021-10-31	Merge remote-tracking branch 'origin/master' into core-updates-frozen	Efraim Flashner
2021-10-23	gnu: php: Update to 7.4.25 [security fixes]....* gnu/packages/php.scm (php): Update to 7.4.25. [source]: Don't explicitly return #t from snippet.	Tobias Geerinckx-Rice
2021-10-12	Merge remote-tracking branch 'origin/master' into core-updates-frozen.	Mathieu Othacehe
2021-10-05	gnu: php: Patch failing test case....Fixes a failing test case in PHP (Zend/tests/bug74093.phpt). See <https://github.com/php/php-src/pull/7555/files> for upstream status. * gnu/packages/php.scm (php)[source]: Add patch. * gnu/packages/patches/php-bug-74093-test.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. Signed-off-by: Tobias Geerinckx-Rice <me@tobias.gr>	Ryan Sundberg via Guix-patches via