On 22/05/26 2:25 am, Nilesh Patra wrote:
> Hi Salvatore, all,
> 
> CVE-2026-33633 and CVE-2026-33642 have been reported against kitty (see 
> #1137210), the latter
> with a 9.9/10 CVE score, and hence fixes should make it to stable on priority.
> 
> I've prepared the patches, tested the PoCs in a stable (amd64) VM, and I can 
> see kitty
> no longer crashing, and hence this should likely be good to go.
> 
> My changes are at: 
> https://salsa.debian.org/debian/kitty/-/tree/debian/trixie-security?ref_type=heads
> 
> Can I go ahead and upload to trixie-security suite? Let me know.
> 
> If I get no answers for a week, I'll consider that as a yes and will go ahead 
> and upload it.
> Not trying to be pushy but I feel this should be fixed ASAP.
I've also pushed the built artefacts here in case someone wants to test.

https://people.debian.org/~nilesh/tmp/

Also attaching a debdiff if it makes it easier to review.

Thanks
Nilesh
diff -Nru kitty-0.41.1/debian/changelog kitty-0.41.1/debian/changelog
--- kitty-0.41.1/debian/changelog       2025-06-05 11:09:21.000000000 -0400
+++ kitty-0.41.1/debian/changelog       2026-05-21 16:34:49.000000000 -0400
@@ -1,3 +1,9 @@
+kitty (0.41.1-2+deb13u1) trixie-security; urgency=medium
+
+  * Add patches to fix CVE-2026-33642 and CVE-2026-33633
+
+ -- Nilesh Patra <[email protected]>  Fri, 22 May 2026 02:04:49 +0530
+
 kitty (0.41.1-2) unstable; urgency=medium
 
   * Backport upstream patch to fixup FTBFS on s390x
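Review bot: the changelog entry should close the bug this upload fixes: add `(Closes: #1137210)` to the patches bullet so the BTS is updated when the upload is accepted. It would also help the security tracker and reviewers if each CVE carried its one-line description from the patch subjects, e.g. `CVE-2026-33633: crash on invalid PNG image with direct transmission` and `CVE-2026-33642: crash on invalid offset values in graphics compose commands`, rather than the bare identifiers.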
diff -Nru kitty-0.41.1/debian/patches/0016-CVE-2026-33633.patch 
kitty-0.41.1/debian/patches/0016-CVE-2026-33633.patch
--- kitty-0.41.1/debian/patches/0016-CVE-2026-33633.patch       1969-12-31 
19:00:00.000000000 -0500
+++ kitty-0.41.1/debian/patches/0016-CVE-2026-33633.patch       2026-05-21 
16:34:47.000000000 -0400
@@ -0,0 +1,19 @@
+From 48ab623f594d60dbbfb1e767d9686d380ce547fb Mon Sep 17 00:00:00 2001
+From: Kovid Goyal <[email protected]>
+Date: Sat, 21 Mar 2026 17:23:06 +0530
+Subject: [PATCH] Graphics protocol: Fix crash when handling invalid PNG image
+ with direct transmission
+
+diff --git a/kitty/graphics.c b/kitty/graphics.c
+index 3cfec4ba39e..944c21dab55 100644
+--- a/kitty/graphics.c
++++ b/kitty/graphics.c
+@@ -555,7 +555,7 @@ load_image_data(GraphicsManager *self, Image *img, const 
GraphicsCommand *g, con
+         case 'd':  // direct
+             if (load_data->buf_capacity - load_data->buf_used < 
g->payload_sz) {
+                 if (load_data->buf_used + g->payload_sz > MAX_DATA_SZ || 
data_fmt != PNG) ABRT("EFBIG", "Too much data");
+-                load_data->buf_capacity = MIN(2 * load_data->buf_capacity, 
MAX_DATA_SZ);
++                load_data->buf_capacity = MAX(MIN(2 * 
load_data->buf_capacity, MAX_DATA_SZ), load_data->buf_used + g->payload_sz);
+                 load_data->buf = realloc(load_data->buf, 
load_data->buf_capacity);
+                 if (load_data->buf == NULL) {
+                     load_data->buf_capacity = 0; load_data->buf_used = 0;
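Review bot: the patch file carries the git `From:`/`Date:`/`Subject:` header but no DEP-3 `Origin: upstream, https://github.com/kovidgoyal/kitty/commit/48ab623f594d60dbbfb1e767d9686d380ce547fb` and `Bug-Debian: https://bugs.debian.org/1137210` lines; stable-security review leans on those to check the backport against upstream, so please add them. The one-line change itself is sound: the `ABRT("EFBIG", ...)` immediately above guarantees `load_data->buf_used + g->payload_sz <= MAX_DATA_SZ`, so wrapping the doubled capacity in `MAX(..., load_data->buf_used + g->payload_sz)` can never push `buf_capacity` past `MAX_DATA_SZ`; it only ensures the buffer is large enough for the chunk that previously overran it. The `load_data->buf = realloc(load_data->buf, ...)` pattern still drops the old pointer on allocation failure, but that is pre-existing and outside the scope of this CVE fix.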
diff -Nru kitty-0.41.1/debian/patches/0017-CVE-2026-33642.patch 
kitty-0.41.1/debian/patches/0017-CVE-2026-33642.patch
--- kitty-0.41.1/debian/patches/0017-CVE-2026-33642.patch       1969-12-31 
19:00:00.000000000 -0500
+++ kitty-0.41.1/debian/patches/0017-CVE-2026-33642.patch       2026-05-21 
16:34:47.000000000 -0400
@@ -0,0 +1,27 @@
+From e9661f0f3afb4e4dbffa509adfb3df3c9780ad34 Mon Sep 17 00:00:00 2001
+From: Kovid Goyal <[email protected]>
+Date: Sun, 22 Mar 2026 21:49:12 +0530
+Subject: [PATCH] Graphics protocol: Fix crash when handling invalid offset
+ values in graphics compose commands
+
+---
+ docs/changelog.rst | 2 ++
+ kitty/graphics.c   | 7 ++++---
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+--- a/kitty/graphics.c
++++ b/kitty/graphics.c
+@@ -1825,9 +1825,10 @@
+         set_command_failed_response("ENOENT", "No destination frame number %u 
exists in image id: %u\n", g->other_frame_number, img->client_id);
+         return;
+     }
+-    const unsigned int width = g->width ? g->width : img->width;
+-    const unsigned int height = g->height ? g->height : img->height;
+-    const unsigned int dest_x = g->x_offset, dest_y = g->y_offset, src_x = 
g->cell_x_offset, src_y = g->cell_y_offset;
++    // Use uint64_t to avoid overflow when testing for validity. All 
dimensions are 32bit numbers.
++    const uint64_t width = g->width ? g->width : img->width;
++    const uint64_t height = g->height ? g->height : img->height;
++    const uint64_t dest_x = g->x_offset, dest_y = g->y_offset, src_x = 
g->cell_x_offset, src_y = g->cell_y_offset;
+     if (dest_x + width > img->width || dest_y + height > img->height) {
+         set_command_failed_response("EINVAL", "The destination rectangle is 
out of bounds");
+         return;
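Review bot: the diffstat in the patch header (`docs/changelog.rst | 2 ++`, `2 files changed, 6 insertions(+), 3 deletions(-)`) no longer matches the body, which carries only the `kitty/graphics.c` hunk; drop the stat lines so a later `quilt refresh` does not keep a misleading header, and add the same DEP-3 `Origin:` (upstream commit e9661f0f3afb4e4dbffa509adfb3df3c9780ad34) and `Bug-Debian:` lines as for 0016. The code change is correct as a fix: with `width`, `height`, `dest_x`, `dest_y`, `src_x` and `src_y` widened to `uint64_t`, the sum `dest_x + width` can no longer wrap a 32-bit addition back below `img->width`, which is what let an out-of-bounds rectangle pass the `EINVAL` check; the widened `src_x`/`src_y` declared here also cover any later source-rectangle check in the same function.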
diff -Nru kitty-0.41.1/debian/patches/series kitty-0.41.1/debian/patches/series
--- kitty-0.41.1/debian/patches/series  2025-06-05 11:08:35.000000000 -0400
+++ kitty-0.41.1/debian/patches/series  2026-05-21 16:34:47.000000000 -0400
@@ -12,3 +12,5 @@
 0013-avoid-failing-font-tests-on-ci.patch
 0014-use-disintegration-imaging.patch
 0015-backport-s390x-ftbfs-fix.patch
+0016-CVE-2026-33633.patch
+0017-CVE-2026-33642.patch