Hi Salvatore,

On 23/05/26 1:14 am, Nilesh Patra wrote:
> On 22/05/26 9:24 pm, Salvatore Bonaccorso wrote:
>> Debian bookworm is still supported for one month, can you prepare as
>> well an update for it, please? Note there is as well a no-dsa CVE for
>> kitty: CVE-2025-43929, can you check its backportability and include
>> this one as well for the bookworm-security update?
>
> I'm quite short on time, to be honest and not sure if I can manage cycles
> for this.

Unfortunately I really won't be able to squeeze in time for this. Really, really can't. But I do have some updates to share, if it helps the LTS team.

I tried to repro the CVEs on bookworm.

1. CVE-2026-33633 - does not seem to crash the terminal, but I do see an infinite hang.
2. CVE-2026-33642 - also does not seem to crash kitty, and I'm able to cat the file just fine; no anomaly.

I tried with the patches backported, which did not change behavior wrt either CVE. Hence this needs more investigation, and one would need to check the code that gets/does not get hit for old-stable and probably also whether these CVEs are even relevant for old-stable.

For CVE-2025-43929: This is non-trivial to backport. We will need to backport at least

https://github.com/kovidgoyal/kitty/commit/537cabca710f64b838d3b8b1dc986db596fb29d4

and for safety

https://github.com/kovidgoyal/kitty/commit/ca1555d12ef99e930dfa55a9268675ec3b032a1a
https://github.com/kovidgoyal/kitty/commit/ce5cfdd9caf44c538af800a07162e1f49bd53c35

as well. The first patch out of this series does not apply, as there have been quite a few changes between this 0.26.5-5 and this commit.

HTH.

Thanks
Nilesh

