| Name | CVE-2021-33477 |
| Description | rxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 allow (potentially remote) code execution because of improper handling of certain escape sequences (ESC G Q). A response is terminated by a newline. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-2671-1, DLA-2681-1, DLA-2682-1, DLA-2683-1 |
| Debian Bugs | 988763, 989041 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| eterm (PTS) | jessie | 0.9.6-1+deb8u1 | vulnerable |
| stretch (security), stretch (lts), stretch | 0.9.6-5+deb9u1 | fixed | |
| buster | 0.9.6-5+deb10u1 | fixed | |
| bullseye | 0.9.6-6.1 | fixed | |
| bookworm | 0.9.6-7 | fixed | |
| sid | 0.9.6-7.1 | fixed | |
| mrxvt (PTS) | jessie | 0.5.4-1.1 | vulnerable |
| stretch (security), stretch (lts), stretch | 0.5.4-2+deb9u1 | fixed | |
| rxvt (PTS) | jessie | 1:2.7.10-6 | vulnerable |
| stretch (security), stretch (lts), stretch | 1:2.7.10-7+deb9u2 | fixed | |
| rxvt-unicode (PTS) | jessie | 9.20-1 | vulnerable |
| stretch (security), stretch (lts), stretch | 9.22-1+deb9u1 | fixed | |
| buster | 9.22-6+deb10u1 | fixed | |
| bullseye | 9.22-11 | fixed | |
| bookworm | 9.30-2 | fixed | |
| sid, trixie | 9.31-3 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| eterm | source | jessie | (unfixed) | end-of-life | ||
| eterm | source | stretch | 0.9.6-5+deb9u1 | DLA-2681-1 | ||
| eterm | source | buster | 0.9.6-5+deb10u1 | |||
| eterm | source | (unstable) | 0.9.6-6.1 | 989041 | ||
| mrxvt | source | jessie | (unfixed) | end-of-life | ||
| mrxvt | source | stretch | 0.5.4-2+deb9u1 | DLA-2682-1 | ||
| mrxvt | source | (unstable) | (unfixed) | |||
| rxvt | source | jessie | (unfixed) | end-of-life | ||
| rxvt | source | stretch | 1:2.7.10-7+deb9u2 | DLA-2683-1 | ||
| rxvt | source | (unstable) | (unfixed) | |||
| rxvt-unicode | source | jessie | (unfixed) | end-of-life | ||
| rxvt-unicode | source | stretch | 9.22-1+deb9u1 | DLA-2671-1 | ||
| rxvt-unicode | source | buster | 9.22-6+deb10u1 | |||
| rxvt-unicode | source | (unstable) | 9.22-11 | 988763 |
https://www.openwall.com/lists/oss-security/2021/05/17/1
Mentioned first in: https://www.openwall.com/lists/oss-security/2017/05/01/20
Fixed by: http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.582&r2=1.583
Disabled problematic code in: http://cvs.schmorp.de/rxvt-unicode/src/command.C?view=log#rev1.585