Hello community, here is the log from the commit of package xterm for openSUSE:Factory checked in at Fri Jan 9 02:11:31 CET 2009. -------- --- xterm/xterm.changes 2008-07-28 11:19:42.000000000 +0200 +++ /mounts/work_src_done/STABLE/xterm/xterm.changes 2009-01-05 17:23:54.000000000 +0100 
@@ -1,0 +2,53 @@ +Mon Jan 5 15:03:09 CET 2009 - meissner@suse.de + +- update to release xterm-238, Linux relevant changes: + +- Various security fixes for CVE-2008-2383 (ANSI command injection) + +- xterm-disallow-window-and-fonts-ops.patch: add allowWindowOps and + allowFontOps as "false" for default. bnc#462917 + +- Patch #238 - 2008/12/30 + # reset the screen wrapping-flag at the end of ClearRight to fix an + occasional case where the last character of a scrolled and wrapped + line would be cleared (patch by Joe Peterson). + # modify to use POSIX coding for comparing resource settings such as + locale, to work with locales such as Turkish (report by M Vefa + Bicakci). + # turn on configure paste64 feature by default (request by Jean-Philippe + Bernardy). It is runtime enabled/disabled with allowWindowOps. + # turn on configure tcap-query feature by default, add resource + allowTcapOps to make this runtime enabled/disabled. + # make OSC 3 (change X property, from patch #110) subject to + allowWindowOps resource. + # make VT220 DSR responses inactive in VT100-mode. + # make DECUDK feature inactive in VT100-mode. + # respond to incorrectly formatted DECRQSS with a cancel. + # add allowFontOps resource to allow the fontsize-switching and font + query/set control sequences to be enabled/disabled (prompted by Debian + #510030). + # some code cleanup based on gcc 4.x -Wconversion warnings in button.c + and charproc.c + # modify tcap-query feature to not return data for shifted cursor-keys + when the keyboard type is set to vt220, since returning the same + string for shifted/unshifted keys may confuse some applications + (GenToo #212546). 
+ +- Patch #237 - 2008/09/14 + # improve usability of TrueType fonts by making the font-size switching + for shifted keypad plus/minus use the faceSize resources to determine + the order of fonts (when TrueType fonts are used) rather than the + bitmap fonts, since their sizes may not be in the same order (report + by H Merijn Brand) + # remove an optimization of ConfigureNotify events from patch #236 + which seems to interfere with passing SIGWINCH to applications + (GenToo #233836). + # modify handling of altSendsEscape to reset the eightBitInput mode, + like metaSendsEscape (patch by Ted Phelps). + # add feature to show the text-cursor as an underline rather than a box, + plus command-line options -uc and +uc and resource cursorUnderLine to + control the feature (patch by Paul Lampert). + # update config.guess, config.sub + + +------------------------------------------------------------------- calling whatdependson for head-i586 Old: ---- xterm.tar.gz New: ---- xterm-238.tar.bz2 xterm-disallow-window-and-fonts-ops.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xterm.spec ++++++ --- /var/tmp/diff_new_pack.N16345/_old 2009-01-09 02:10:54.000000000 +0100 +++ /var/tmp/diff_new_pack.N16345/_new 2009-01-09 02:10:54.000000000 +0100 
@@ -1,10 +1,17 @@ # -# spec file for package xterm (Version 236) +# spec file for package xterm (Version 238) # -# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. -# This file and all modifications and additions to the pristine -# package are under the same license as the package itself. +# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + # Please submit bugfixes or comments via http://bugs.opensuse.org/ # @@ -19,10 +26,10 @@ Group: System/X11/Utilities Provides: xorg-x11:/usr/X11R6/bin/xterm XFree86:/usr/X11R6/bin/xterm AutoReqProv: on -Version: 236 +Version: 238 Release: 1 Summary: The basic X terminal program -Source: %name.tar.gz +Source: ftp://invisible-island.net/xterm/%name-%version.tar.bz2 Source1: luitx Source3: Backarrow2Delete Source4: Backarrow2BackSpace @@ -37,6 +44,7 @@ Patch2: p_xterm-sigwinch.diff Patch3: bug-246573-tentative-patch.diff Patch4: desktop.diff +Patch5: xterm-disallow-window-and-fonts-ops.patch Patch293793: bugzilla-293793-do-not-insist-on-iso8859-fonts-for-the-menu.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -155,11 +163,12 @@ Zarick Lau %prep -%setup -n xterm-%version -b7 +%setup -q -b7 %patch1 -p0 -b .xterm-settings %patch2 -p0 -b .xterm-sigwinch %patch3 -p1 %patch4 -p0 +%patch5 -p0 %patch293793 -p1 cp $RPM_SOURCE_DIR/*bdf.bz2 . bunzip2 *.bdf.bz2 
@@ -270,6 +279,51 @@ /usr/share/pixmaps/* %changelog +* Mon Jan 05 2009 meissner@suse.de +- update to release xterm-238, Linux relevant changes: +- Various security fixes for CVE-2008-2383 (ANSI command injection) +- xterm-disallow-window-and-fonts-ops.patch: add allowWindowOps and + allowFontOps as "false" for default. bnc#462917 +- Patch #238 - 2008/12/30 + [#] reset the screen wrapping-flag at the end of ClearRight to fix an + occasional case where the last character of a scrolled and wrapped + line would be cleared (patch by Joe Peterson). + [#] modify to use POSIX coding for comparing resource settings such as + locale, to work with locales such as Turkish (report by M Vefa + Bicakci). + [#] turn on configure paste64 feature by default (request by Jean-Philippe + Bernardy). It is runtime enabled/disabled with allowWindowOps. + [#] turn on configure tcap-query feature by default, add resource + allowTcapOps to make this runtime enabled/disabled. + [#] make OSC 3 (change X property, from patch #110) subject to + allowWindowOps resource. + [#] make VT220 DSR responses inactive in VT100-mode. + [#] make DECUDK feature inactive in VT100-mode. + [#] respond to incorrectly formatted DECRQSS with a cancel. + [#] add allowFontOps resource to allow the fontsize-switching and font + query/set control sequences to be enabled/disabled (prompted by Debian + [#510030]). + [#] some code cleanup based on gcc 4.x -Wconversion warnings in button.c + and charproc.c + [#] modify tcap-query feature to not return data for shifted cursor-keys + when the keyboard type is set to vt220, since returning the same + string for shifted/unshifted keys may confuse some applications + (GenToo #212546). 
+- Patch #237 - 2008/09/14 + [#] improve usability of TrueType fonts by making the font-size switching + for shifted keypad plus/minus use the faceSize resources to determine + the order of fonts (when TrueType fonts are used) rather than the + bitmap fonts, since their sizes may not be in the same order (report + by H Merijn Brand) + [#] remove an optimization of ConfigureNotify events from patch #236 + which seems to interfere with passing SIGWINCH to applications + (GenToo #233836). + [#] modify handling of altSendsEscape to reset the eightBitInput mode, + like metaSendsEscape (patch by Ted Phelps). + [#] add feature to show the text-cursor as an underline rather than a box, + plus command-line options -uc and +uc and resource cursorUnderLine to + control the feature (patch by Paul Lampert). + [#] update config.guess, config.sub * Mon Jul 28 2008 sndirsch@suse.de - update to release xterm-236 * correct memory reallocation when handling a paste of UTF-8 @@ -343,12 +397,12 @@ * minor documentation fixes (patch by Slava Semushin) * add makefile actions to install KOI8RXTerm app-defaults file (patch by Julien Cristau). -* Wed Jan 02 2008 sndirsch@suse.de +* Tue Jan 01 2008 sndirsch@suse.de - update to xterm-230: * mainly bugfixes * Wed Sep 19 2007 sndirsch@suse.de - set foreground color as well; fixes xterm -rv (Bug #283984) -* Sat Sep 01 2007 mfabian@suse.de +* Fri Aug 31 2007 mfabian@suse.de - Bugzilla #306943: add xorg-x11 to BuildRequires because of ‘bdftopcf’. Let the build fail if ‘bdftopcf’ is missing. - change app-defaults to use these fonts for wide characters @@ -427,7 +481,7 @@ (Bug #283984) * Thu Mar 29 2007 dmueller@suse.de - add ncurses-devel BuildRequires -* Sun Mar 25 2007 sndirsch@suse.de +* Sat Mar 24 2007 sndirsch@suse.de - Patch #225 - 2007/3/24: * add useClipping resource to allow clipping to be disabled. * use XftDrawSetClipRectangles to work around Xft pixel-trash 
@@ -815,7 +869,7 @@ - adjusted p_xterm-settings.diff * Thu Mar 24 2005 sndirsch@suse.de - added missing xterm/resize manual pages (Bug #74467) -* Mon Feb 07 2005 sndirsch@suse.de +* Sun Feb 06 2005 sndirsch@suse.de - updated to xterm-200 * Fri Jan 28 2005 sndirsch@suse.de - updated to xterm-199 ++++++ bugzilla-293793-do-not-insist-on-iso8859-fonts-for-the-menu.patch ++++++ --- /var/tmp/diff_new_pack.N16345/_old 2009-01-09 02:10:54.000000000 +0100 +++ /var/tmp/diff_new_pack.N16345/_new 2009-01-09 02:10:54.000000000 +0100 @@ -1,7 +1,6 @@ -diff -ru xterm-228.orig/XTerm.ad xterm-228/XTerm.ad ---- xterm-228.orig/XTerm.ad 2007-03-18 23:41:40.000000000 +0100 -+++ xterm-228/XTerm.ad 2007-07-24 17:30:25.000000000 +0200 -@@ -4,7 +4,7 @@ +--- xterm-238/XTerm.ad ++++ xterm-238/XTerm.ad +@@ -3,7 +3,7 @@ *saveLines: 1024 *SimpleMenu*BackingStore: NotUseful ++++++ xterm-disallow-window-and-fonts-ops.patch ++++++ --- XTerm.ad +++ XTerm.ad @@ -209,6 +209,11 @@ ! Alternatively, !*on2Clicks: regex [[:alpha:]]+://([[:alnum:]!#+,./=?@_~-]|(%[[:xdigit:]][[:xdigit:]]))+ +! Security: Disallow operations that might allow raw text being pasted to xterm to +! execute code. +*allowWindowOps: false +*allowFontOps: false + !! We want a 8bit clean xterm *eightBitInput: true *eightBitOutput: true --- xterm.man +++ xterm.man @@ -1449,7 +1449,7 @@ .TP .B "allowFontOps (\fPclass\fB AllowFontOps)" Specifies whether control sequences that set/query the font should be allowed. -The default is ``true.'' +The default is ``false.'' .TP 8 .B "allowSendEvents (\fPclass\fB AllowSendEvents)" Specifies whether or not synthetic key and button events (generated using 
@@ -1473,7 +1473,7 @@ .B "allowWindowOps (\fPclass\fB AllowWindowOps)" Specifies whether extended window control sequences (as used in dtterm) should be allowed. -The default is ``true.'' +The default is ``false.'' .TP 8 .B "altIsNotMeta (\fPclass\fB AltIsNotMeta\fP)" If ``true'', treat the Alt-key as if it were the Meta-key. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
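Review bot: In the xterm.changes hunk (@@ -1,0 +2,53 @@), the line "Various security fixes for CVE-2008-2383 (ANSI command injection)" does not say which of the items listed under Patch #238 are the fix, so the entry cannot be used to tell which behaviour changed for the CVE. Suggest naming the relevant item or items next to the CVE id, and stating that xterm-disallow-window-and-fonts-ops.patch (bnc#462917) is a packaging-level default change on top of the 238 release, since the xterm.man hunks show 238 itself documenting both resources as "true".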
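Review bot: In the xterm.spec hunk at @@ -19,10 +26,10 @@, the new "Source: ftp://invisible-island.net/xterm/%name-%version.tar.bz2" is a plain FTP URL and the hunk adds no signature or checksum source beside it, which is worth closing for an update whose changelog cites a CVE fix. Suggest adding a verification source if one is available for this tarball, or noting in the changelog how xterm-238.tar.bz2 was checked before import.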
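Review bot: The %changelog hunks at @@ -343,12 +397,12 @@, @@ -427,7 +481,7 @@ and @@ -815,7 +869,7 @@ move four historic entries back by one day (for example "* Wed Jan 02 2008" becomes "* Tue Jan 01 2008" and "* Sat Sep 01 2007" becomes "* Fri Aug 31 2007") with no mention in the new entry. If this comes from regenerating the spec changelog from xterm.changes, say so in the commit; otherwise drop these lines so the security update only carries changes related to it.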
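Review bot: In the XTerm.ad hunk of xterm-disallow-window-and-fonts-ops.patch (@@ -209,6 +209,11 @@), only "*allowWindowOps: false" and "*allowFontOps: false" are set, while the changelog for Patch #238 says the tcap-query feature is now on by default and is controlled by the new allowTcapOps resource. Either set allowTcapOps here as well or add a comment explaining why it is left at the upstream default; the changelog also states paste64 is governed by allowWindowOps, so a short comment saying that it is covered by the first line would help the next reader.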
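Review bot: In the xterm.man hunks at @@ -1449,7 +1449,7 @@ and @@ -1473,7 +1473,7 @@, the text is changed to "The default is ``false.''", but the only functional change visible in this patch is in the XTerm.ad app-defaults file; nothing shown here changes a compiled-in default. Suggest wording the manual page so it says the packaged app-defaults set both resources to false, or changing the built-in default too, so that an xterm started without this app-defaults file does not contradict the documentation.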