Bug 790782 - <x11-terms/rxvt-unicode-9.22-r9: improper handling of certain escape sequences (CVE-2021-33477)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa+ cve]
Depends on:
Blocks: CVE-2021-33477
Reported: 2021-05-18 07:26 UTC by Roman 'gryf' Dobosz
Modified: 2021-05-26 08:58 UTC

See Also:
Package list:
Runtime testing required: ---
nattka: sanity-check+

A workaround for x11-terms/mrxvt (mrxvt-workaround-bug790782.patch,1.23 KB, patch)
2021-05-18 13:33 UTC, Tee KOBAYASHI

Description Roman 'gryf' Dobosz 2021-05-18 07:26:56 UTC
There is a security flaw in using the ANSI escape sequence for querying
graphics mode in rxvt-unicode-9.22 which can lead to remote code
execution, as demonstrated in the URL above.

Reproducible: Always

Steps to Reproduce:
1. printf "\eGQ"

Actual Results:  
$ bash: 0: command not found

Expected Results:  
Should not execute anything by filling up the prompt and sending "\n". This is already fixed in upstream in version 9.25 and up. Now, this sequence will do nothing:

$ printf "\eGQ"
Q ~ $ 

Querying graphics mode leaves data on the terminal AND provides a newline character, which is the main flaw in the described scenario.
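
An added example, not part of the bug report or of rxvt-unicode: a small Python filter that finds the ESC G query sequence from the reproducer in untrusted bytes and renders them in caret notation (as `cat -v` does), so the terminal never interprets them. The function names and the sample input are constructed for illustration.

```python
import re

# ESC G followed by one argument byte: the graphics-mode query from the report
# (the reproducer above is ESC G Q).
QUERY_RE = re.compile(rb"\x1bG(.)", re.DOTALL)


def find_graphics_queries(data: bytes):
    """Return (offset, argument byte) for every ESC G <byte> sequence in data."""
    return [(m.start(), m.group(1)) for m in QUERY_RE.finditer(data)]


def neutralize(data: bytes) -> str:
    """Render data so that no control byte reaches the terminal.

    Newline and tab are kept. Every other C0 control becomes caret notation
    (ESC -> ^[), DEL becomes ^?, and bytes >= 0x80 become \\xNN so that 8-bit
    C1 controls cannot slip through. This is deliberately conservative: it
    also escapes legitimate UTF-8 text.
    """
    out = []
    for b in data:
        if b in (0x09, 0x0A):
            out.append(chr(b))
        elif b < 0x20:
            out.append("^" + chr(b + 0x40))
        elif b == 0x7F:
            out.append("^?")
        elif b >= 0x80:
            out.append(f"\\x{b:02x}")
        else:
            out.append(chr(b))
    return "".join(out)


# Constructed sample: untrusted text with the reproducer's sequence embedded.
SAMPLE = b"line one\n\x1bGQline two\n"

if __name__ == "__main__":
    for offset, arg in find_graphics_queries(SAMPLE):
        print(f"ESC G query at byte {offset}, argument {arg!r}")
    print(neutralize(SAMPLE), end="")
```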
Comment 1 Tee KOBAYASHI 2021-05-18 13:33:02 UTC
Created attachment 709668
A workaround for x11-terms/mrxvt

This does also affect x11-terms/mrxvt-0.5.4, for which a patch is attached.
Comment 2 Larry the Git Cow gentoo-dev 2021-05-18 15:50:10 UTC
The bug has been referenced in the following commit(s):

commit 7754b4970254a816210ca814289256a43d7625f7
Author:     Marek Szuba <>
AuthorDate: 2021-05-18 15:25:01 +0000
Commit:     Marek Szuba <>
CommitDate: 2021-05-18 15:33:09 +0000

    x11-terms/rxvt-unicode-9.22: mark ANSI sequence ESC G Q as insecure
    Can in theory be used to perform remote code execution, see . This was fixed upstream in 2017
    so 9.26 is not vulnerable, that said 9.22 will likely not go away any
    time soon (if only because of 24-bit colour support) so let's backport
    Reported-by: Roman Dobosz <>
    Signed-off-by: Marek Szuba <>

 ...rxvt-unicode-9.22-query-graphics-insecure.patch |  11 ++
 x11-terms/rxvt-unicode/rxvt-unicode-9.22-r9.ebuild | 120 +++++++++++++++++++++
 2 files changed, 131 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-18 17:22:26 UTC
We should probably do a new bug for mrxvt.
Comment 4 Agostino Sarubbo gentoo-dev 2021-05-19 09:46:39 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2021-05-19 09:48:03 UTC
sparc stable
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-19 17:26:14 UTC
arm done
Comment 7 Agostino Sarubbo gentoo-dev 2021-05-19 20:06:43 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2021-05-19 20:07:50 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2021-05-19 20:09:23 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 10 Larry the Git Cow gentoo-dev 2021-05-22 15:09:32 UTC
The bug has been referenced in the following commit(s):

commit d98e1e17ede4b7ce1344499138c1563c2805a80a
Author:     Marek Szuba <>
AuthorDate: 2021-05-22 15:06:52 +0000
Commit:     Marek Szuba <>
CommitDate: 2021-05-22 15:09:22 +0000

    x11-terms/rxvt-unicode: drop 9.22-r8
    No versions vulnerable to the issue at hand left in the tree.
    Signed-off-by: Marek Szuba <>

 x11-terms/rxvt-unicode/rxvt-unicode-9.22-r8.ebuild | 119 ---------------------
 1 file changed, 119 deletions(-)
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-22 18:04:29 UTC
Comment 12 Thomas Deutschmann gentoo-dev 2021-05-24 15:10:20 UTC
New GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 08:58:16 UTC
This issue was resolved and addressed in
 GLSA 202105-17 at
by GLSA coordinator Thomas Deutschmann (whissi).