Hi Nilesh,

On Sat, May 23, 2026 at 10:15:20PM +0530, Nilesh Patra wrote:
> Hi Salvatore,
>
> On 23/05/26 1:14 am, Nilesh Patra wrote:
> > On 22/05/26 9:24 pm, Salvatore Bonaccorso wrote:
> >> Debian bookworm is still supported for one month, can you prepare as
> >> well an update for it, please? Note there is as well a no-dsa CVE for
> >> kitty: CVE-2025-43929, can you check its backportability and include
> >> this one as well for the bookworm-security update?
> >
> > I'm quite short on time, to be honest, and not sure if I can manage cycles
> > for this.
>
> Unfortunately I really won't be able to squeeze in time for this. Really,
> really can't.
> But I do have some updates to share, if it helps the LTS team.
>
> I tried to repro the CVEs on bookworm.
>
> 1. CVE-2026-33633 - does not seem to crash the terminal, but I do see an
>    infinite hang.
> 2. CVE-2026-33642 - also does not seem to crash kitty, and I'm able to cat
>    the file just fine; no anomaly.
>
> I tried with the patches backported, which did not change behavior wrt either
> CVE. Hence this needs more investigation, and one would need to check the
> code that gets/does not get hit for old-stable, and probably also if these
> CVEs are even relevant for old-stable.
>
> For CVE-2025-43929:
>
> This is non-trivial to backport. We will need to backport at least
>
> https://github.com/kovidgoyal/kitty/commit/537cabca710f64b838d3b8b1dc986db596fb29d4
>
> and for safety
>
> https://github.com/kovidgoyal/kitty/commit/ca1555d12ef99e930dfa55a9268675ec3b032a1a
> https://github.com/kovidgoyal/kitty/commit/ce5cfdd9caf44c538af800a07162e1f49bd53c35
>
> as well.
>
> The first patch out of this series does not apply, as there have been quite a
> few changes between 0.26.5-5 and this commit.
I will try to have a look at the above tomorrow and then come back to you.
Thanks for your work so far!

Regards,
Salvatore

