strchriscntrl: reject C1 control bytes (0x80-0x9F)

strchriscntrl: reject C1 control bytes (0x80-0x9F)

glibc's iscntrl() does not classify C1 control bytes as control
characters in any locale. The iscntrl() check was added as part of the
fix for CVE-2023-29383, which blocked C0 control characters, but C1
bytes were never considered.

The byte 0x9B is the C1 encoding of CSI (Control Sequence Introducer),
equivalent to ESC [. On terminals that interpret C1 codes (VTE-based
terminals such as GNOME Terminal, Tilix, Terminator, XFCE Terminal),
an attacker can inject terminal escape sequences into GECOS fields via
chfn. This allows visual spoofing of /etc/passwd output, for example
making a user's UID appear as 0 when viewed with cat.

Explicitly check for bytes in the 0x80-0x9F range in strchriscntrl()
so that valid_field() returns -1 (rejected) instead of 1 (non-ASCII
warning) for these bytes.

Before (unpatched chfn accepts C1 bytes and writes them to /etc/passwd):

  $ cat /etc/passwd | grep ubuntu
  ubuntu:x:1000:1000:ubuntu,,,:/home/ubuntu:/bin/bash
  $ chfn -r $'\xc2\x9b17D0\xc2\x9b3P\xc2\x9b1C0\xc2\x9b3P\xc2\x9b1Croot\xc2\x9b8m'
  Password:
  chfn: room number with non-ASCII characters: [...]
  $ cat /etc/passwd | grep ubuntu
  ubuntu:x:0:0:root,,:/home/ubuntu:/bin/bash

After (patched chfn rejects C1 bytes, /etc/passwd unchanged):

  $ chfn -r $'\xc2\x9b17D0\xc2\x9b3P\xc2\x9b1C0\xc2\x9b3P\xc2\x9b1Croot\xc2\x9b8m'
  Password:
  chfn: invalid room number: [...]
  $ cat /etc/passwd | grep ubuntu
  ubuntu:x:1000:1000:ubuntu,,,:/home/ubuntu:/bin/bash

Tested on Shadow 4.17.4-2ubuntu2 (Ubuntu 25.10, aarch64).