Your message dated Thu, 21 May 2026 19:34:36 +0000
with message-id <[email protected]>
and subject line Bug#1137210: fixed in kitty 0.47.0-1
has caused the Debian Bug report #1137210,
regarding kitty: CVE-2026-33633 CVE-2026-33642
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1137210: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137210
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: kitty
Version: 0.46.2-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for kitty.

CVE-2026-33633[0]:
| Kitty is a cross-platform GPU based terminal. Versions 0.46.2 and
| below contain a heap buffer overflow in load_image_data() that
| allows any process which can write to the terminal's stdin to crash
| kitty immediately. The vulnerability is triggered by a single APC
| graphics protocol command with a PNG format declaration (f=100)
| whose payload exceeds twice the initial buffer capacity. The
| overflow is attacker-controlled in both length and content, causing
| DoS and potentially escalation to RCE itself. This issue has been
| fixed in version 0.47.0.


CVE-2026-33642[1]:
| Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and
| below, the handle_compose_command() function in kitty/graphics.c
| performs bounds validation on composition offsets using unsigned
| 32-bit arithmetic that is subject to integer wrapping, potentially
| leading to Heap Buffer Over-Read/Write. An attacker who can write
| escape sequences to a kitty terminal (e.g., via a malicious file,
| SSH login banner, or piped content) can supply crafted
| x_offset/y_offset values that pass the bounds check after wrapping
| but cause massive out-of-bounds heap memory access in
| compose_rectangles(). No user interaction is required. No
| non-default configuration is required. The attacker only needs the
| ability to produce output in a kitty terminal window. This issue has
| been fixed in version 0.47.0.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33633
    https://www.cve.org/CVERecord?id=CVE-2026-33633
    https://github.com/kovidgoyal/kitty/security/advisories/GHSA-j68c-v8x4-269g
[1] https://security-tracker.debian.org/tracker/CVE-2026-33642
    https://www.cve.org/CVERecord?id=CVE-2026-33642
    https://github.com/kovidgoyal/kitty/security/advisories/GHSA-qfgm-2c64-6x3x

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
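The integer-wrap pattern described for CVE-2026-33642 above, as a constructed C illustration added here; it is not kitty's code, the functions rect_fits_wrapping, rect_fits_checked, compose_rect_ok and first_pixel_index are hypothetical names, and the image dimensions are made up.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the bug class: a rectangle (offset + extent)
 * is validated against a destination image using unsigned 32-bit
 * arithmetic. Hypothetical names; not taken from kitty/graphics.c. */

/* Weak check: off + extent is computed modulo 2^32, so an offset near
 * UINT32_MAX plus a small extent wraps to a small value and compares as
 * "in bounds", while the later pixel index lands far outside the buffer. */
bool rect_fits_wrapping(uint32_t off, uint32_t extent, uint32_t limit) {
    return off + extent <= limit;          /* off + extent may wrap */
}

/* Hardened check: never form off + extent; test each operand against the
 * limit first, so no intermediate can wrap. */
bool rect_fits_checked(uint32_t off, uint32_t extent, uint32_t limit) {
    return off <= limit && extent <= limit - off;
}

/* Both axes of a composition rectangle must pass the hardened check. */
bool compose_rect_ok(uint32_t x_off, uint32_t y_off, uint32_t w, uint32_t h,
                     uint32_t dest_w, uint32_t dest_h) {
    return rect_fits_checked(x_off, w, dest_w) &&
           rect_fits_checked(y_off, h, dest_h);
}

/* Index of the first pixel a copy would touch in a row-major buffer of
 * dest_w * dest_h pixels, computed in 64 bits so it can be compared with
 * the real allocation size without wrapping a second time. */
uint64_t first_pixel_index(uint32_t x_off, uint32_t y_off, uint32_t dest_w) {
    return (uint64_t)y_off * dest_w + x_off;
}

int main(void) {
    const uint32_t dest_w = 100, dest_h = 50;
    /* Constructed offset: UINT32_MAX - 15 plus 32 wraps to 16 in 32 bits. */
    const uint32_t x_off = UINT32_MAX - 15, w = 32;
    printf("weak check passes:   %d\n", rect_fits_wrapping(x_off, w, dest_w));
    printf("strict check passes: %d\n", rect_fits_checked(x_off, w, dest_w));
    printf("first pixel index:   %llu (buffer holds %u pixels)\n",
           (unsigned long long)first_pixel_index(x_off, 0, dest_w),
           dest_w * dest_h);
    return 0;
}
```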
--- Begin Message ---
Source: kitty
Source-Version: 0.47.0-1
Done: Nilesh Patra <[email protected]>

We believe that the bug you reported is fixed in the latest version of
kitty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nilesh Patra <[email protected]> (supplier of updated kitty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Fri, 22 May 2026 00:06:36 +0530
Source: kitty
Architecture: source
Version: 0.47.0-1
Distribution: unstable
Urgency: high
Maintainer: Nilesh Patra <[email protected]>
Changed-By: Nilesh Patra <[email protected]>
Closes: 1137210
Changes:
 kitty (0.47.0-1) unstable; urgency=high
 .
   * New upstream version 0.47.0 (Refresh patches)
     Closes: #1137210
     Fixes CVEs: CVE-2026-33633 CVE-2026-33642
   * Vendor github.com/emmansun/base64 and github.com/sgtdi/fswatcher
     for now.
   * Add patch to skip TestMachineId


--- End Message ---