CVE-2021-33477

NameCVE-2021-33477
Descriptionrxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 allow (potentially remote) code execution because of improper handling of certain escape sequences (ESC G Q). A response is terminated by a newline.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2671-1, DLA-2681-1, DLA-2682-1, DLA-2683-1
Debian Bugs988763, 989041

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
eterm (PTS)buster0.9.6-5+deb10u1fixed
bullseye0.9.6-6.1fixed
bookworm0.9.6-7fixed
sid, trixie0.9.6-7.1fixed
rxvt-unicode (PTS)buster9.22-6+deb10u1fixed
bullseye9.22-11fixed
bookworm9.30-2fixed
sid, trixie9.31-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
etermsourcestretch0.9.6-5+deb9u1DLA-2681-1
etermsourcebuster0.9.6-5+deb10u1
etermsource(unstable)0.9.6-6.1989041
mrxvtsourcestretch0.5.4-2+deb9u1DLA-2682-1
mrxvtsource(unstable)(unfixed)
rxvtsourcestretch1:2.7.10-7+deb9u2DLA-2683-1
rxvtsource(unstable)(unfixed)
rxvt-unicodesourcestretch9.22-1+deb9u1DLA-2671-1
rxvt-unicodesourcebuster9.22-6+deb10u1
rxvt-unicodesource(unstable)9.22-11988763

Notes

https://www.openwall.com/lists/oss-security/2021/05/17/1
Mentioned first in: https://www.openwall.com/lists/oss-security/2017/05/01/20
Fixed by: http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.582&r2=1.583
Disabled problematic code in: http://cvs.schmorp.de/rxvt-unicode/src/command.C?view=log#rev1.585

Search for package or bug name: Reporting problems