Package: kitty
Version: 0.26.5-4
Severity: serious
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

Hello,

I was reading https://lists.debian.org/20230425190728.ga1471...@subdivi.de
in mutt and that mail contains 3 shell scripts as attachments
(application/x-sh). I wanted to have a look at the scripts and thus I
"opened" those attachments... that open operation has been handled by
Kitty due to its MimeType declaration in
/usr/share/applications/kitty-open.desktop [1] and the shell script has
thus been fed to "kitty +open <script>" which actually executed the
script.

Executing the script as the default open action is IMO a very bad idea
because what you get by email is largely not to be trusted, so I would
suggest that kitty be modified to not execute scripts in its URL
launcher mode (or that it gets some interactive confirmation from the
user before executing it).

In the meantime, it's probably a good idea to drop
"application/x-sh;application/x-shellscript" from the list of supported
MIME types to limit the risk. (I assume that even with "text/plain" and a
.sh file extension or a shebang, kitty might still decide to execute the
script... so the issue is not entirely fixed, but it reduces the number of
cases where "kitty +open" is invoked on shell scripts.)

Thank you for your work on kitty!

[1] Extract of /usr/share/applications/kitty-open.desktop:
Comment=Open URLs with kitty
Exec=kitty +open %U
MimeType=image/*;application/x-sh;application/x-shellscript;inode/directory;text/*;x-scheme-handler/kitty;

-- System Information:
Debian Release: 12.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.0.0-6-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages kitty depends on:
ii  kitty-shell-integration  0.26.5-4
ii  kitty-terminfo           0.26.5-4
ii  libc6                    2.36-9
ii  libdbus-1-3              1.14.6-1
ii  libharfbuzz0b            6.0.0+dfsg-3
ii  liblcms2-2               2.14-2
ii  libpng16-16              1.6.39-2
ii  libpython3.11            3.11.2-6
ii  librsync2                2.3.2-1+b1
ii  libssl3                  3.0.8-1
ii  libwayland-client0       1.21.0-1
ii  libx11-6                 2:1.8.4-2
ii  libx11-xcb1              2:1.8.4-2
ii  libxkbcommon-x11-0       1.5.0-1
ii  libxkbcommon0            1.5.0-1
ii  python3                  3.11.2-1+b1
ii  python3.11               3.11.2-6
ii  zlib1g                   1:1.2.13.dfsg-1

Versions of packages kitty recommends:
ii  kitty-doc     0.26.5-4
ii  libcanberra0  0.30-10

Versions of packages kitty suggests:
ii  imagemagick                      8:6.9.11.60+dfsg-1.6
ii  imagemagick-6.q16 [imagemagick]  8:6.9.11.60+dfsg-1.6

-- no debconf information

-- 
Raphaël Hertzog
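As an added example (not part of the bug report, the Debian package or the kitty project), the following POSIX shell script shows the mitigation proposed above in two steps: it audits a directory of XDG desktop entries for handlers that register the shell-script MIME types application/x-sh and application/x-shellscript, and it writes a copy of such an entry with those types removed from its MimeType= line. The demo directory, the viewer.desktop file and the function names are constructed for this example; the kitty-open.desktop content is modelled on the extract quoted in the report.

```shell
#!/bin/sh
# Added example: audit desktop entries for shell-script MIME handlers and
# produce a hardened copy of an entry. All directory/file names are
# constructed for the demo; nothing here is kitty's or Debian's own code.

SCRIPT_MIMES='application/x-sh application/x-shellscript'

# Print "<file>: <Exec value>" for every .desktop file in $1 whose
# MimeType= line registers one of the script MIME types.
find_script_handlers() {
    dir="$1"
    for f in "$dir"/*.desktop; do
        [ -f "$f" ] || continue
        mimes=$(sed -n 's/^MimeType=//p' "$f")
        for m in $SCRIPT_MIMES; do
            # Surround with ';' so "application/x-sh" cannot match the
            # prefix of "application/x-shellscript".
            case ";$mimes;" in
                *";$m;"*)
                    printf '%s: %s\n' "$f" "$(sed -n 's/^Exec=//p' "$f")"
                    break ;;
            esac
        done
    done
}

# Copy desktop entry $1 to $2, dropping the two script MIME types from
# its MimeType= line (the "drop from the list" mitigation in the report).
strip_script_mimetypes() {
    src="$1"; dst="$2"
    sed -e '/^MimeType=/s#application/x-sh;##g' \
        -e '/^MimeType=/s#application/x-shellscript;##g' "$src" > "$dst"
}

# Build a constructed demo directory: one entry modelled on the
# kitty-open.desktop extract from the report and one harmless viewer.
make_demo_dir() {
    d=$(mktemp -d)
    cat > "$d/kitty-open.desktop" <<'EOF'
[Desktop Entry]
Name=kitty URL Launcher
Comment=Open URLs with kitty
Exec=kitty +open %U
MimeType=image/*;application/x-sh;application/x-shellscript;inode/directory;text/*;x-scheme-handler/kitty;
EOF
    cat > "$d/viewer.desktop" <<'EOF'
[Desktop Entry]
Name=Demo image viewer (constructed)
Exec=demo-viewer %U
MimeType=image/png;image/jpeg;
EOF
    printf '%s\n' "$d"
}

# Demo run: flag the offending entry, then show the hardened MimeType line.
demo_dir=$(make_demo_dir)
find_script_handlers "$demo_dir"
strip_script_mimetypes "$demo_dir/kitty-open.desktop" "$demo_dir/kitty-open.fixed"
grep '^MimeType=' "$demo_dir/kitty-open.fixed"
rm -rf "$demo_dir"
```

To audit a real system, call find_script_handlers on /usr/share/applications (and ~/.local/share/applications); only entries that register the two script types are reported, so the viewer entry in the demo stays silent. The sed rewrite is anchored to the MimeType= line and relies on the trailing ';' that the desktop-entry format requires after each type, which is why it cannot damage the other entries on that line.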
