CVE-2021-33477

NameCVE-2021-33477
Descriptionrxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 allow (potentially remote) code execution because of improper handling of certain escape sequences (ESC G Q). A response is terminated by a newline.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2671-1, DLA-2681-1, DLA-2682-1, DLA-2683-1
Debian Bugs988763, 989041

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
eterm (PTS)jessie0.9.6-1+deb8u1vulnerable
stretch (security), stretch (lts), stretch0.9.6-5+deb9u1fixed
buster0.9.6-5+deb10u1fixed
bullseye0.9.6-6.1fixed
bookworm0.9.6-7fixed
sid0.9.6-7.2fixed
mrxvt (PTS)jessie0.5.4-1.1vulnerable
stretch (security), stretch (lts), stretch0.5.4-2+deb9u1fixed
rxvt (PTS)jessie1:2.7.10-6vulnerable
stretch (security), stretch (lts), stretch1:2.7.10-7+deb9u2fixed
rxvt-unicode (PTS)jessie9.20-1vulnerable
stretch (security), stretch (lts), stretch9.22-1+deb9u1fixed
buster9.22-6+deb10u1fixed
bullseye9.22-11fixed
bookworm9.30-2fixed
sid, trixie9.31-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
etermsourcejessie(unfixed)end-of-life
etermsourcestretch0.9.6-5+deb9u1DLA-2681-1
etermsourcebuster0.9.6-5+deb10u1
etermsource(unstable)0.9.6-6.1989041
mrxvtsourcejessie(unfixed)end-of-life
mrxvtsourcestretch0.5.4-2+deb9u1DLA-2682-1
mrxvtsource(unstable)(unfixed)
rxvtsourcejessie(unfixed)end-of-life
rxvtsourcestretch1:2.7.10-7+deb9u2DLA-2683-1
rxvtsource(unstable)(unfixed)
rxvt-unicodesourcejessie(unfixed)end-of-life
rxvt-unicodesourcestretch9.22-1+deb9u1DLA-2671-1
rxvt-unicodesourcebuster9.22-6+deb10u1
rxvt-unicodesource(unstable)9.22-11988763

Notes

https://www.openwall.com/lists/oss-security/2021/05/17/1
Mentioned first in: https://www.openwall.com/lists/oss-security/2017/05/01/20
Fixed by: http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.582&r2=1.583
Disabled problematic code in: http://cvs.schmorp.de/rxvt-unicode/src/command.C?view=log#rev1.585

Search for package or bug name: Reporting problems