From d825775c2f569e1ebf09697bf2eece365e7dbaee Mon Sep 17 00:00:00 2001
From: Ariadne Conill
Date: Mon, 31 May 2021 18:17:41 -0600
Subject: [PATCH] main/rxvt-unicode: add mitigation for CVE-2021-33477

---
 main/rxvt-unicode/APKBUILD | 18 +++++++++++++-----
 main/rxvt-unicode/CVE-2021-33477.patch | 20 ++++++++++++++++++++
 2 files changed, 33 insertions(+), 5 deletions(-)
 create mode 100644 main/rxvt-unicode/CVE-2021-33477.patch

diff --git a/main/rxvt-unicode/APKBUILD b/main/rxvt-unicode/APKBUILD
index 09375b2207b..1aaa679fc4e 100644
--- a/main/rxvt-unicode/APKBUILD
+++ b/main/rxvt-unicode/APKBUILD
@@ -4,7 +4,7 @@
 # Maintainer: Sören Tempel
 pkgname=rxvt-unicode
 pkgver=9.22
-pkgrel=6
+pkgrel=7
 pkgdesc="rxvt fork with improved unicode support"
 url="http://software.schmorp.de/pkg/rxvt-unicode.html"
 arch="all"
@@ -14,12 +14,17 @@ depends="$pkgname-terminfo"
 makedepends="libx11-dev libxft-dev ncurses fontconfig-dev gdk-pixbuf-dev libxrender-dev perl-dev startup-notification-dev"
 subpackages="$pkgname-doc $pkgname-terminfo::noarch"
-source="http://dist.schmorp.de/rxvt-unicode/$pkgname-$pkgver.tar.bz2
+source="http://dist.schmorp.de/rxvt-unicode/Attic/$pkgname-$pkgver.tar.bz2
 gentables.patch
- rxvt-unicode-kerning.patch"
+ rxvt-unicode-kerning.patch
+ CVE-2021-33477.patch"
 builddir="${srcdir}/${pkgname}-${pkgver}"
 
+# secfixes:
+# 9.22-r7:
+# - CVE-2021-33477
+
 build() {
 cd "$builddir"
 ./configure \
@@ -68,6 +73,9 @@ terminfo() {
 "$subpkgdir"/usr/share/terminfo/
 }
 
-sha512sums="b39f1b2cbe6dd3fbd2a0ad6a9d391a2b6f49d7c5e67bc65fe44a9c86937f8db379572c67564c6e21ff6e09b447cdfd4e540544e486179e94da0e0db679c04dd9 rxvt-unicode-9.22.tar.bz2
+sha512sums="
+b39f1b2cbe6dd3fbd2a0ad6a9d391a2b6f49d7c5e67bc65fe44a9c86937f8db379572c67564c6e21ff6e09b447cdfd4e540544e486179e94da0e0db679c04dd9 rxvt-unicode-9.22.tar.bz2
 2a973e001dacf900895d0c1045dfffd5a1ca7650669853bd5fdf09819b19a750bb59d913f8bdc83b103e5e0e7cce7f0d2b6184f36a29c1bac86e90c08ae6a475 gentables.patch
-d2fb68b3e11a78328ded4d2d646ffbaae657e9f23f3b4b81e11bc4350dd3e1e7585eeaeee47a70246bdfb7e12fbb667e40a7766989154235064f56ed4ad0a987 rxvt-unicode-kerning.patch"
+d2fb68b3e11a78328ded4d2d646ffbaae657e9f23f3b4b81e11bc4350dd3e1e7585eeaeee47a70246bdfb7e12fbb667e40a7766989154235064f56ed4ad0a987 rxvt-unicode-kerning.patch
+2c1cb4dad04b0fdf9212949337a37b402ed86638b26390d18f00620a71a80e91894eb624ec8058e10b7c18e1c369d8e6af91a7cd26ca6c2b221a0cf060aa0950 CVE-2021-33477.patch
+"
diff --git a/main/rxvt-unicode/CVE-2021-33477.patch b/main/rxvt-unicode/CVE-2021-33477.patch
new file mode 100644
index 00000000000..e315fb1309d
--- /dev/null
+++ b/main/rxvt-unicode/CVE-2021-33477.patch
@@ -0,0 +1,20 @@
+--- rxvt-unicode/src/command.C 2016/07/14 05:33:26 1.582
++++ rxvt-unicode/src/command.C 2017/05/18 02:43:18 1.583
+@@ -2695,7 +2695,7 @@
+ /* kidnapped escape sequence: Should be 8.3.48 */
+ case C1_ESA: /* ESC G */
+ // used by original rxvt for rob nations own graphics mode
+- if (cmd_getc () == 'Q')
++ if (cmd_getc () == 'Q' && option (Opt_insecure))
+ tt_printf ("\033G0\012"); /* query graphics - no graphics */
+ break;
+
+@@ -2914,7 +2914,7 @@
+ break;
+
+ case CSI_CUB: /* 8.3.18: (1) CURSOR LEFT */
+- case CSI_HPB: /* 8.3.59: (1) CHARACTER POSITION BACKWARD */
++ case CSI_HPB: /* 8.3.59: (1) CHARACTER POSITION BACKWARD */
+ #ifdef ISO6429
+ arg[0] = -arg[0];
+ #else /* emulate common DEC VTs */
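Review bot: The second hunk of the embedded patch (`case CSI_HPB:` under `@@ -2914,7 +2914,7 @@`) changes only whitespace inside a comment and has nothing to do with the CVE; dropping it keeps the backport minimal and removes a hunk that can only fail to apply without any benefit. The patch file also carries no description, so a header above its `---` line such as `Backport of upstream command.C r1.582->r1.583: only answer the ESC G Q graphics query when the insecure resource is set (CVE-2021-33477).` would tell the next maintainer what the change is and where it came from. That header is also the right place to record that `Opt_insecure` is an existing user-settable option, so the reply in the first hunk stays reachable for users who run with the insecure resource enabled; the mitigation gates the reply rather than removing it, which is upstream's design and worth stating explicitly.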