rxvt-unicode: Execute arbitrary code/commands - Existing account

===========================================================================
                         ZMCIRT Vulnerability Bulletin

                             ZMC-2021.06.1.1000
                      rxvt-unicode: Execute arbitrary code/commands - Existing account
                               1st June 2021

===========================================================================
Product:           rxvt-unicode
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-33477  

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2021/05/msg00026.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running rxvt-unicode check for an updated version of the software 
         for their operating system.


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -----------------------------------------------------------------------
Debian LTS Advisory DLA-2671-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
May 30, 2021                                https://wiki.debian.org/LTS
- - -----------------------------------------------------------------------

Package        : rxvt-unicode
Version        : 9.22-1+deb9u1
CVE ID         : CVE-2021-33477
Debian Bug     : 988763

rxvt-unicode allow (potentially remote) code execution because of
improper handling of certain escape sequences (ESC G Q). A response is
terminated by a newline.

For Debian 9 stretch, this problem has been fixed in version
9.22-1+deb9u1.

We recommend that you upgrade your rxvt-unicode packages.

For the detailed security status of rxvt-unicode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rxvt-unicode


 
ZMCIRT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. ZMCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Internet Email: report@cirt.zm     
Telephone:     7070 
                ZMCIRT personnel answer during Zambian business hours 
                which are 8am to 5pm.
                On call after hours for member emergencies only.
===========================================================================