Your message dated Thu, 29 Sep 2022 02:37:46 +0000
with message-id <[email protected]>
and subject line Bug#1020582: fixed in kitty 0.21.2-2
has caused the Debian Bug report #1020582,
regarding kitty: CVE-2022-41322
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1020582: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020582
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: kitty
Version: 0.21.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for kitty.

CVE-2022-41322[0]:
| In Kitty before 0.26.2, insufficient validation in the desktop
| notification escape sequence can lead to arbitrary code execution. The
| user must display attacker-controlled content in the terminal, then
| click on a notification popup.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-41322
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41322
[1] https://github.com/kovidgoyal/kitty/commit/f05783e64d5fa62e1aed603e8d69aced5e49824f

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: kitty
Source-Version: 0.21.2-2
Done: James McCoy <[email protected]>

We believe that the bug you reported is fixed in the latest version of
kitty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James McCoy <[email protected]> (supplier of updated kitty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 28 Sep 2022 21:54:22 -0400
Source: kitty
Architecture: source
Version: 0.21.2-2
Distribution: unstable
Urgency: medium
Maintainer: James McCoy <[email protected]>
Changed-By: James McCoy <[email protected]>
Closes: 1020582
Changes:
 kitty (0.21.2-2) unstable; urgency=medium
 .
   * Remove docs/_build/ when running clean
   * Use wrapper script to provide gmake binary during build
   * Backport security fix
     + Sanitize notifications ids as they are retransmitted over the TTY
       (Closes: #1020582, CVE-2022-41322)
Checksums-Sha1:
 94dd86c4904b04455253191df2bdb8425e023ddd 2572 kitty_0.21.2-2.dsc
 852d61b6515a5e4c15fd00cedef432e45a952bdc 15780 kitty_0.21.2-2.debian.tar.xz
Checksums-Sha256:
 96d83ff97afba42611007e04728f452835c9ad32985f8ff2be076bde4682cb45 2572 kitty_0.21.2-2.dsc
 87203fdc3426a76d10dac8343911a28eb94e46fe83c50013dc72bd4bd1193813 15780 kitty_0.21.2-2.debian.tar.xz
Files:
 ca284cdd9610add28fd74ef36dee8912 2572 x11 optional kitty_0.21.2-2.dsc
 b50af32f3fdad3253e2312b4b0d05d89 15780 x11 optional kitty_0.21.2-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
