Hi Nilesh, [Add the Debian security team alias to CC]
On Fri, May 22, 2026 at 02:45:33AM +0530, Nilesh Patra wrote:
>
>
> On 22/05/26 2:25 am, Nilesh Patra wrote:
> > Hi Salvatore, all,
> >
> > CVE-2026-33633 and CVE-2026-33642 have been reported against kitty (see
> > #1137210), the latter
> > with a 9.9/10 CVE score, and hence fixes should make it to stable on
> > priority.
> >
> > I've prepared the patches, tested the PoCs in a stable (amd64) VM, and I
> > can see kitty
> > no longer crashing, and hence this should likely be good to go.
> >
> > My changes are at:
> > https://salsa.debian.org/debian/kitty/-/tree/debian/trixie-security?ref_type=heads
> >
> > Can I go ahead and upload to trixie-security suite? Let me know.
> >
> > If I get no answers for a week, I'll consider that as a yes and will go
> > ahead and upload it.
>
> Not trying to be pushy but I feel this should be fixed ASAP.
> I've also pushed the built artefacts here in case someone wants to test.

Remark: No, you never would upload just because not hearing anything ;-)
That does not help, the uploads won't be published without review and
manual intervention to release the DSA.

That said, I had a look.

> https://people.debian.org/~nilesh/tmp/
>
> Also attaching a debdiff if it makes it easier to review.
>
> Thanks
> Nilesh

> diff -Nru kitty-0.41.1/debian/changelog kitty-0.41.1/debian/changelog
> --- kitty-0.41.1/debian/changelog 2025-06-05 11:09:21.000000000 -0400
> +++ kitty-0.41.1/debian/changelog 2026-05-21 16:34:49.000000000 -0400
> @@ -1,3 +1,9 @@
> +kitty (0.41.1-2+deb13u1) trixie-security; urgency=medium
> +
> + * Add patches to fix CVE-2026-33642 and CVE-2026-33633

Debdiffs look good to me, thanks for preparing them. Can you add here
please as well the bug closer? Then please upload to security-master, and
make sure to build with -sa.

Debian bookworm is still supported for one month, can you prepare as well
an update for it, please?

Note there is as well a no-dsa CVE for kitty: CVE-2025-43929, can you
check its backportability and include this one as well for the
bookworm-security update?

Regards,
Salvatore
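Review bot: the changelog line `+ * Add patches to fix CVE-2026-33642 and CVE-2026-33633` does not reference the bug report, so the upload will not close the BTS bug that tracks these CVEs; append `(Closes: #1137210)` to that line, which is the bug closer the reply asks for. Note also that the hunk header `@@ -1,3 +1,9 @@` announces nine added lines while only three are quoted in this mail, so the remainder of the entry (the patch descriptions and the trailer line) cannot be checked from the quoted debdiff alone.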

