DescriptionThe rxvt-unicode package is vulnerable to a remote code execution, in the Perl background extension, when an attacker can control the data written to the user's terminal and certain options are set.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs1025489

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rxvt-unicode (PTS)buster9.22-6+deb10u1fixed
bookworm, sid9.30-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
rxvt-unicodesourcebuster(not affected)
rxvt-unicodesourcebullseye(not affected)


[bookworm] - rxvt-unicode <no-dsa> (Minor issue)
[bullseye] - rxvt-unicode <not-affected> (Vulnerable code introduced later)
[buster] - rxvt-unicode <not-affected> (Vulnerable code introduced later)
Not exploitable due to a bug since 9.30 upstream

Search for package or bug name: Reporting problems