Source: kitty
Version: 0.47.0-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerabilities were published for kitty.

CVE-2026-42850[0]:
| Kitty is a cross-platform GPU based terminal. In versions prior to
| 0.47.0, it is possible to inject commands within the subshell
| through kitty error. A special escape code will make kitty return an
| error, this error is not escaped and will be correctly echoed back
| to the terminal with CRLF, as such it will be run by the shell in
| use. To exploit this bug, the victim must use a netcat or a similar
| program to connect to the attacker, or else listening for someone to
| connect. Once this condition is set, an attacker could pwn the
| computer of the victim using a special kitty's escape code that will
| run a command in the shell in use. Version 04.7.0 fixes the issue.

CVE-2026-42851[1]:
| Kitty is a cross-platform GPU based terminal. In versions prior to
| 0.47.0, a program able to write bytes to a kitty terminal — a remote
| SSH peer, a downloaded file viewed with `cat`, a log line, an email
| body rendered in `less`, an issue body in a TUI, etc. — can cause
| kitty to execute attacker-supplied Python inside the running kitty
| process, with the user's full privileges. There is no approval
| prompt, no remote-control permission requirement, no shell-
| integration interaction, no clipboard touch, and no editor
| interaction. Version 0.47.0 fixes the issue.

CVE-2026-54055[2]:
| Kitty is a cross-platform GPU based terminal. In versions prior to
| 0.47.2, a local privilege escalation vulnerability exists in kitty's
| file transmission protocol where a child process running in the
| terminal can write to arbitrary files on the filesystem by
| exploiting a TOCTOU (Time-of-Check-Time-of-Use) race condition
| between symlink validation and file creation. The `os.open()` call
| used to create files does not use `O_NOFOLLOW`, allowing an attacker
| to create a symlink between the initial stat check and the actual
| file open, causing the write to follow the symlink to an arbitrary
| destination. Version 0.47.2 fixes the issue.

CVE-2026-54056[3]:
| Kitty is a cross-platform GPU based terminal. In versions 0.47.0 and
| 0.47.1, `kitten dnd` can allow a malicious remote drag-and-drop
| source to overwrite or truncate arbitrary files writable by the
| local kitty user. Remote `text/uri-list` drops are staged in a
| temporary directory, but on case-sensitive filesystems duplicate
| remote basenames are not de-duplicated. An attacker can first create
| a staged symlink and then send a same-name regular-file entry. The
| regular-file write uses `utils.CreateAt()` /
| `openat(O_RDWR|O_CREAT|O_TRUNC)` without `O_NOFOLLOW`, so it follows
| the attacker-created symlink and writes outside the staging
| directory before final overwrite confirmation runs. This appears
| related in class to the file-transfer symlink advisory, but it is a
| different bug: it affects `kitten dnd` remote drag-and-drop staging,
| uses different vulnerable code (`kittens/dnd/drop.go` and
| `tools/utils/file_at_fd.go`), and reproduces on commit
| `4aa4a5c0567a92553a8c20a88a4352da637fca5d`, after the file-transfer
| `O_NOFOLLOW` fix. Version 0.47.2 patches the issue.

CVE-2026-54057[4]:
| Kitty is a cross-platform GPU based terminal. In versions prior to
| 0.47.3, kitty's OSC 21 (color-control) query reply reflects
| attacker-controlled bytes, including newlines, into the shell's
| input without sanitization. Version 0.47.3 fixes the issue.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-42850
    https://www.cve.org/CVERecord?id=CVE-2026-42850
[1] https://security-tracker.debian.org/tracker/CVE-2026-42851
    https://www.cve.org/CVERecord?id=CVE-2026-42851
[2] https://security-tracker.debian.org/tracker/CVE-2026-54055
    https://www.cve.org/CVERecord?id=CVE-2026-54055
[3] https://security-tracker.debian.org/tracker/CVE-2026-54056
    https://www.cve.org/CVERecord?id=CVE-2026-54056
[4] https://security-tracker.debian.org/tracker/CVE-2026-54057
    https://www.cve.org/CVERecord?id=CVE-2026-54057

Regards,
Salvatore
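Added illustration (not part of the bug report and not kitty's code) of the check-then-open bug class behind CVE-2026-54055 and CVE-2026-54056: a staged write that checks for a symlink and then calls a plain `open()` is compared with one that passes `O_NOFOLLOW` to the open itself. The staging directory, the file outside it and the symlink are all constructed for the demo; the callback stands in for the racing child process.

```python
import errno
import os
import tempfile
from typing import Callable, Optional


def staged_write(path: str, data: bytes, follow_symlinks: bool,
                 between_check_and_open: Optional[Callable[[], None]] = None) -> None:
    """Write data to path after a symlink check (constructed example, not kitty code).

    follow_symlinks=True is the vulnerable pattern: a separate is-symlink check,
    then a plain open() that follows any symlink created in between.
    follow_symlinks=False passes O_NOFOLLOW to open() itself, so the kernel
    refuses a symlink at the moment of the open and the race no longer matters.
    """
    if os.path.islink(path):
        raise PermissionError(f"{path} is a symlink")
    if between_check_and_open is not None:
        between_check_and_open()          # stands in for the racing child process
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
    if not follow_symlinks:
        flags |= os.O_NOFOLLOW            # open() fails with ELOOP instead of following
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def demo(follow_symlinks: bool) -> dict:
    """Run one scenario and report what happened to a file outside the staging dir."""
    with tempfile.TemporaryDirectory() as base:
        staging = os.path.join(base, "staging")       # where received files are staged
        os.mkdir(staging)
        target = os.path.join(base, "victim.txt")     # NOT inside the staging dir
        with open(target, "wb") as f:
            f.write(b"original contents")
        staged = os.path.join(staging, "incoming.bin")

        def plant_symlink() -> None:                  # runs inside the race window
            os.symlink(target, staged)

        outcome = "written"
        try:
            staged_write(staged, b"remote-supplied bytes", follow_symlinks, plant_symlink)
        except OSError as e:
            outcome = errno.errorcode.get(e.errno, str(e))
        with open(target, "rb") as f:
            return {"outcome": outcome, "target": f.read()}
```

`demo(True)` shows the out-of-staging file truncated and overwritten; `demo(False)` shows the open refused with ELOOP and the file untouched, which is the behaviour the `O_NOFOLLOW` fixes in 0.47.2 are meant to give.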

