CVE-2021-33477

| Field | Value |
|---|---|
| Name | CVE-2021-33477 |
| Description | rxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 allow (potentially remote) code execution because of improper handling of certain escape sequences (ESC G Q). A response is terminated by a newline. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more) |
| References | DLA-2671-1, DLA-2681-1, DLA-2682-1, DLA-2683-1 |
| NVD severity | medium |
| Debian Bugs | 988763, 989041 |

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| eterm (PTS) | stretch | 0.9.6-5 | vulnerable |
| | stretch (security) | 0.9.6-5+deb9u1 | fixed |
| | buster | 0.9.6-5+deb10u1 | fixed |
| | bullseye, sid | 0.9.6-6.1 | fixed |
| mrxvt (PTS) | stretch | 0.5.4-2 | vulnerable |
| | stretch (security) | 0.5.4-2+deb9u1 | fixed |
| rxvt (PTS) | stretch | 1:2.7.10-7 | vulnerable |
| | stretch (security) | 1:2.7.10-7+deb9u2 | fixed |
| rxvt-unicode (PTS) | stretch | 9.22-1 | vulnerable |
| | stretch (security) | 9.22-1+deb9u1 | fixed |
| | buster | 9.22-6+deb10u1 | fixed |
| | bullseye, sid | 9.22-11 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| eterm | source | stretch | 0.9.6-5+deb9u1 | | DLA-2681-1 | |
| eterm | source | buster | 0.9.6-5+deb10u1 | | | |
| eterm | source | (unstable) | 0.9.6-6.1 | | | 989041 |
| mrxvt | source | stretch | 0.5.4-2+deb9u1 | | DLA-2682-1 | |
| mrxvt | source | (unstable) | (unfixed) | | | |
| rxvt | source | stretch | 1:2.7.10-7+deb9u2 | | DLA-2683-1 | |
| rxvt | source | (unstable) | (unfixed) | | | |
| rxvt-unicode | source | stretch | 9.22-1+deb9u1 | | DLA-2671-1 | |
| rxvt-unicode | source | buster | 9.22-6+deb10u1 | | | |
| rxvt-unicode | source | (unstable) | 9.22-11 | | | 988763 |

Notes

https://www.openwall.com/lists/oss-security/2021/05/17/1
Mentioned first in: https://www.openwall.com/lists/oss-security/2017/05/01/20
Fixed by: http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.582&r2=1.583
Disabled problematic code in: http://cvs.schmorp.de/rxvt-unicode/src/command.C?view=log#rev1.585