Hi Salvatore, I've fixed this in unstable - had a couple of comments and also wanted to coordinate an upload for stable. See below.
On 13/06/26 2:10 pm, Salvatore Bonaccorso wrote:
> Source: kitty
> Version: 0.47.0-3
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: [email protected], Debian Security Team
> <[email protected]>
>
> Hi,
>
> The following vulnerabilities were published for kitty.
>
> CVE-2026-42850[0]:
> | Kitty is a cross-platform GPU based terminal. In versions prior to
> | 0.47.0, it is possible to inject commands within the subshell
> | through kitty error. A special escape code will make kitty return an
> | error, this error is not escaped and will be correctly echoed back
> | to the terminal with CRLF, as such it will be run by the shell in
> | use. To exploit this bug, the victim must use a netcat or a similar
> | program to connect to the attacker, or else listening for someone to
> | connect. Once this condition is set, an attacker could pwn the
> | computer of the victim using a special kitty's escape code that will
> | run a command in the shell in use. Version 04.7.0 fixes the issue.

That's a typo (it should be 0.47.0).

> CVE-2026-42851[1]:
> | Kitty is a cross-platform GPU based terminal. In versions prior to
> | 0.47.0, a program able to write bytes to a kitty terminal — a remote
> | SSH peer, a downloaded file viewed with `cat`, a log line, an email
> | body rendered in `less`, an issue body in a TUI, etc. — can cause
> | kitty to execute attacker-supplied Python inside the running kitty
> | process, with the user's full privileges. There is no approval
> | prompt, no remote-control permission requirement, no shell-
> | integration interaction, no clipboard touch, and no editor
> | interaction. Version 0.47.0 fixes the issue.

Although these 2 are fixed in 0.47.0 itself, they were discovered after 0.47.0 was released to unstable. Hence I have mentioned them in the upload entries for 0.47.3-1. The security tracker should probably be adjusted.

> CVE-2026-54055[2]:
> | Kitty is a cross-platform GPU based terminal. In versions prior to
> | 0.47.2, a local privilege escalation vulnerability exists in kitty's
> | file transmission protocol where a child process running in the
> | terminal can write to arbitrary files on the filesystem by
> | exploiting a TOCTOU (Time-of-Check-Time-of-Use) race condition
> | between symlink validation and file creation. The `os.open()` call
> | used to create files does not use `O_NOFOLLOW`, allowing an attacker
> | to create a symlink between the initial stat check and the actual
> | file open, causing the write to follow the symlink to an arbitrary
> | destination. Version 0.47.2 fixes the issue.
>
> ...
>
> CVE-2026-54056[3]:
> | Kitty is a cross-platform GPU based terminal. In versions 0.47.0 and
> | 0.47.1, `kitten dnd` can allow a malicious remote drag-and-drop
> | source to overwrite or truncate arbitrary files writable by the
> | local kitty user. Remote `text/uri-list` drops are staged in a
> | temporary directory, but on case-sensitive filesystems duplicate
> | remote basenames are not de-duplicated. An attacker can first create
> | a staged symlink and then send a same-name regular-file entry. The
> | regular-file write uses `utils.CreateAt()` /
> | `openat(O_RDWR|O_CREAT|O_TRUNC)` without `O_NOFOLLOW`, so it follows
> | the attacker-created symlink and writes outside the staging
> | directory before final overwrite confirmation runs. This appears
> | related in class to the file-transfer symlink advisory, but it is a
> | different bug: it affects `kitten dnd` remote drag-and-drop staging,
> | uses different vulnerable code (`kittens/dnd/drop.go` and
> | `tools/utils/file_at_fd.go`), and reproduces on commit
> | `4aa4a5c0567a92553a8c20a88a4352da637fca5d`, after the file-transfer
> | `O_NOFOLLOW` fix. Version 0.47.2 patches the issue.

https://github.com/kovidgoyal/kitty/security/advisories/GHSA-r892-cv7q-fw8x says this is in "Affected versions >= 0.47.0, <= 0.47.1", so I am ignoring CVE-2026-54056 for the stable release.

> CVE-2026-54057[4]:
> | Kitty is a cross-platform GPU based terminal. In versions prior to
> | 0.47.3, kitty's OSC 21 (color-control) query reply reflects
> | attacker-controlled bytes, including newlines, into the shell's
> | input without sanitization. Version 0.47.3 fixes the issue.

I've prepared a stable release update fixing CVE-2026-42850, CVE-2026-42851, CVE-2026-54055 and CVE-2026-54057. The debdiff is attached with this email. Please take a look. I've also pushed my changes to salsa if this is easier to review:
https://salsa.debian.org/debian/kitty/-/tree/debian/trixie-security?ref_type=heads

I've tested the fixes against the PoCs mentioned in the github advisories, and could see the exploits working with the current version in trixie and failing with the version I prepared -- so that means the fixes should be in order.

Quick notes:
- There is no PoC mentioned for CVE-2026-54055, just a vague description, and hence I did not test this. But this is a medium severity CVE with a simple fix to just add in `O_NOFOLLOW`, and this should be good enough.
- The fix for CVE-2026-42851 is not an exact backport of the upstream commit, but a partial change along with a fix suggested on the github advisory. The reason is that the upstream fix is not easily backportable. But the fix does work, as I tested.

Please let me know if I should proceed with an upload to trixie-security.

> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2026-42850
>     https://www.cve.org/CVERecord?id=CVE-2026-42850
> [1] https://security-tracker.debian.org/tracker/CVE-2026-42851
>     https://www.cve.org/CVERecord?id=CVE-2026-42851
> [2] https://security-tracker.debian.org/tracker/CVE-2026-54055
>     https://www.cve.org/CVERecord?id=CVE-2026-54055
> [3] https://security-tracker.debian.org/tracker/CVE-2026-54056
>     https://www.cve.org/CVERecord?id=CVE-2026-54056
> [4] https://security-tracker.debian.org/tracker/CVE-2026-54057
>     https://www.cve.org/CVERecord?id=CVE-2026-54057

If you could, please, in future reports also link up the github advisories. That is extremely helpful, as I don't have to open mitre multiple times, click on github links, scan through the commits, dig through it locally and then get confused with the CVE number eventually and have to backtrack :)

Best,
Nilesh
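The CVE-2026-54055 description above hinges on one detail: `os.open()` without `O_NOFOLLOW` follows a symlink planted between the stat check and the open, so the write lands wherever the link points. Because the cover letter says this one was not exercised against a PoC, here is an added, self-contained illustration (not kitty code, not part of this bug thread) that rebuilds the two flag sets from the `file_transmission.py` hunk, plants the symlink the way a race winner would, and shows the old flags overwriting a victim file while the new flags refuse with ELOOP. It also goes one step beyond the advisory text: a second function shows that `O_NOFOLLOW` guards only the final path component, so a symlinked parent directory still redirects the write. All paths, file names and contents are constructed inside a throwaway temporary directory.

```python
"""Added example (not kitty's code): effect of O_NOFOLLOW on the
symlink-follow described for CVE-2026-54055, and the parent-directory
caveat.  Everything runs inside a temporary directory it creates."""
import errno
import os
import tempfile
from typing import Optional

# Flags as on the '-' and '+' lines of the file_transmission.py hunk.
# The getattr() guards mirror the patched line (O_BINARY is Windows-only).
OLD_FLAGS = (os.O_RDWR | os.O_CREAT | os.O_TRUNC
             | getattr(os, "O_CLOEXEC", 0) | getattr(os, "O_BINARY", 0))
NEW_FLAGS = OLD_FLAGS | getattr(os, "O_NOFOLLOW", 0)


def write_with_flags(path: str, flags: int, data: bytes) -> Optional[int]:
    """Stand-in for the receiver side of a transfer: open `path` with
    `flags` (mode 0o600) and write `data`.  Returns None on success or
    the errno from os.open() if the open was refused."""
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as e:
        return e.errno
    with open(fd, "r+b", closefd=True) as f:
        f.write(data)
    return None


def simulate(flags: int) -> dict:
    """Outcome once the attacker has won the race: the destination is
    already a symlink to `victim` when the open happens (the timing is
    skipped; the check-then-open gap is the whole bug)."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")            # constructed victim file
        with open(victim, "wb") as f:
            f.write(b"original secrets\n")
        dest = os.path.join(d, "incoming", "transfer.bin")
        os.makedirs(os.path.dirname(dest))
        os.symlink(victim, dest)                      # attacker wins the race
        err = write_with_flags(dest, flags, b"attacker payload\n")
        with open(victim, "rb") as f:
            victim_after = f.read()
        return {
            "errno": err,
            "refused": err == errno.ELOOP,            # what O_NOFOLLOW reports
            "victim": victim_after,
        }


def simulate_symlinked_parent(flags: int) -> dict:
    """Caveat: O_NOFOLLOW applies to the last path component only.  If
    the *directory* is the symlink, the open succeeds with either flag
    set and the file is created in the other tree."""
    with tempfile.TemporaryDirectory() as d:
        outside = os.path.join(d, "outside")
        os.mkdir(outside)
        incoming = os.path.join(d, "incoming")
        os.symlink(outside, incoming)                 # parent dir is the link
        err = write_with_flags(os.path.join(incoming, "transfer.bin"), flags, b"x")
        return {
            "errno": err,
            "landed_outside": os.path.exists(os.path.join(outside, "transfer.bin")),
        }


if __name__ == "__main__":
    print("old flags:", simulate(OLD_FLAGS))          # victim overwritten
    print("new flags:", simulate(NEW_FLAGS))          # refused with ELOOP
    print("symlinked parent:", simulate_symlinked_parent(NEW_FLAGS))
```

Run it as a script on Linux; the second case is the reason `make_parent_dirs()` in the same function deserves a look as well, since a fixed last component does not protect against a redirected directory.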
diff -Nru kitty-0.41.1/debian/changelog kitty-0.41.1/debian/changelog --- kitty-0.41.1/debian/changelog 2026-05-23 00:54:52.000000000 +0530 +++ kitty-0.41.1/debian/changelog 2026-06-13 22:50:48.000000000 +0530 @@ -1,3 +1,14 @@ +kitty (0.41.1-2+deb13u2) trixie-security; urgency=medium + + * Re-diff 0016-CVE-2026-33633 patch + * Fixing following CVEs: (Closes: #1139898) + - CVE-2026-42850 + - CVE-2026-42851 + - CVE-2026-54055 + - CVE-2026-54057 + + -- Nilesh Patra <[email protected]> Sat, 13 Jun 2026 22:50:48 +0530 + kitty (0.41.1-2+deb13u1) trixie-security; urgency=medium * Add patches to fix CVE-2026-33642 and CVE-2026-33633 diff -Nru kitty-0.41.1/debian/patches/0016-CVE-2026-33633.patch kitty-0.41.1/debian/patches/0016-CVE-2026-33633.patch --- kitty-0.41.1/debian/patches/0016-CVE-2026-33633.patch 2026-05-23 00:54:19.000000000 +0530 +++ kitty-0.41.1/debian/patches/0016-CVE-2026-33633.patch 2026-06-13 22:50:48.000000000 +0530 @@ -4,11 +4,9 @@ Subject: [PATCH] Graphics protocol: Fix crash when handling invalid PNG image with direct transmission -diff --git a/kitty/graphics.c b/kitty/graphics.c -index 3cfec4ba39e..944c21dab55 100644 --- a/kitty/graphics.c +++ b/kitty/graphics.c -@@ -555,7 +555,7 @@ load_image_data(GraphicsManager *self, Image *img, const GraphicsCommand *g, con +@@ -548,7 +548,7 @@ case 'd': // direct if (load_data->buf_capacity - load_data->buf_used < g->payload_sz) { if (load_data->buf_used + g->payload_sz > MAX_DATA_SZ || data_fmt != PNG) ABRT("EFBIG", "Too much data"); diff -Nru kitty-0.41.1/debian/patches/0018-CVE-2026-42850.patch kitty-0.41.1/debian/patches/0018-CVE-2026-42850.patch --- kitty-0.41.1/debian/patches/0018-CVE-2026-42850.patch 1970-01-01 05:30:00.000000000 +0530 +++ kitty-0.41.1/debian/patches/0018-CVE-2026-42850.patch 2026-06-13 22:50:48.000000000 +0530 
@@ -0,0 +1,27 @@ +From e4144832645aa437e9cfb4914ca0a358ae74724d Mon Sep 17 00:00:00 2001 +From: Kovid Goyal <[email protected]> +Date: Fri, 24 Apr 2026 17:25:00 +0530 +Subject: [PATCH] Sanitize ssh kitten shm open error message when sending over + tty + +This prevents sending attacker controlled data over the tty where it +might end up getting evaled by the shell if the user is doing something +like cat of unsanitized data into the terminal (something that should +never be done). +--- + kittens/ssh/utils.py | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/kittens/ssh/utils.py ++++ b/kittens/ssh/utils.py +@@ -136,7 +136,9 @@ + raise ValueError(f'Incorrect request id: {rq_id!r} expecting the KITTY_PID-KITTY_WINDOW_ID for the current kitty window') + except Exception as e: + traceback.print_exc() +- yield f'{e}\n'.encode() ++ import re ++ msg = re.sub(r'[^a-zA-Z0-9 ]+', '_', str(e)) ++ yield f'{msg}\n'.encode() + else: + yield b'OK\n' + encoded_data = memoryview(env_data['tarfile'].encode('ascii')) diff -Nru kitty-0.41.1/debian/patches/0019-CVE-2026-42851.patch kitty-0.41.1/debian/patches/0019-CVE-2026-42851.patch --- kitty-0.41.1/debian/patches/0019-CVE-2026-42851.patch 1970-01-01 05:30:00.000000000 +0530 +++ kitty-0.41.1/debian/patches/0019-CVE-2026-42851.patch 2026-06-13 22:50:48.000000000 +0530 
@@ -0,0 +1,23 @@ +From 8bf1bd479b0e75c9010800d135c8d90690d94645 Mon Sep 17 00:00:00 2001 +From: Kovid Goyal <[email protected]> +Date: Sat, 4 Apr 2026 08:42:06 +0530 +Subject: [PATCH] edit-in-kitty: Ignore environment variables as some editors + execute code present in env vars + +--- a/kitty/launch.py ++++ b/kitty/launch.py +@@ -994,6 +994,14 @@ + return + cmdline = get_editor(path_to_edit=c.file_localpath, line_number=c.line_number) + c.opts.source_window = c.opts.next_to = f'id:{window.id}' ++ # We ignore env vars as some editors execute code present in env vars such as VIMINIT ++ c.opts.env = () ++ c.opts.copy_env = False ++ # We ignore color specs because color values containing '=' are re-parsed ++ # as inline kitty config (kitty/colors.py:parse_colors) and the config ++ # language honours `geninclude`, which executes attacker-controlled .py ++ # via runpy.run_path. The edit DCS path is unauthenticated. ++ c.opts.color = () + w = launch(get_boss(), c.opts, cmdline) + if w is not None: + c.source_window_id = window.id diff -Nru kitty-0.41.1/debian/patches/0020-CVE-2026-54055.patch kitty-0.41.1/debian/patches/0020-CVE-2026-54055.patch --- kitty-0.41.1/debian/patches/0020-CVE-2026-54055.patch 1970-01-01 05:30:00.000000000 +0530 +++ kitty-0.41.1/debian/patches/0020-CVE-2026-54055.patch 2026-06-13 22:50:48.000000000 +0530 
@@ -0,0 +1,17 @@ +From 4aa4a5c0567a92553a8c20a88a4352da637fca5d Mon Sep 17 00:00:00 2001 +From: Kovid Goyal <[email protected]> +Date: Wed, 3 Jun 2026 06:18:31 +0530 +Subject: [PATCH] File transfer protocol: use O_NOFOLLOW when opening regular + files + +--- a/kitty/file_transmission.py ++++ b/kitty/file_transmission.py +@@ -546,7 +546,7 @@ + if self.actual_file is None: + self.make_parent_dirs() + self.unlink_existing_if_needed() +- flags = os.O_RDWR | os.O_CREAT | os.O_TRUNC | getattr(os, 'O_CLOEXEC', 0) | getattr(os, 'O_BINARY', 0) ++ flags = os.O_RDWR | os.O_CREAT | os.O_TRUNC | getattr(os, 'O_CLOEXEC', 0) | getattr(os, 'O_BINARY', 0) | getattr(os, 'O_NOFOLLOW', 0) + self.actual_file = open(os.open(self.name, flags, self.permissions), mode='r+b', closefd=True) + af = self.actual_file + if decompressed or is_last: diff -Nru kitty-0.41.1/debian/patches/0021-CVE-2026-54057.patch kitty-0.41.1/debian/patches/0021-CVE-2026-54057.patch --- kitty-0.41.1/debian/patches/0021-CVE-2026-54057.patch 1970-01-01 05:30:00.000000000 +0530 +++ kitty-0.41.1/debian/patches/0021-CVE-2026-54057.patch 2026-06-13 22:50:48.000000000 +0530 
@@ -0,0 +1,21 @@ +From 424fe9991b5ad61422ca5d1b0ff9b8e01465e6f5 Mon Sep 17 00:00:00 2001 +From: Kovid Goyal <[email protected]> +Date: Tue, 9 Jun 2026 06:21:15 +0530 +Subject: [PATCH] Sanitise color control responses for shells that still dont + use the kitty keyboard protocol + +--- + kitty/window.py | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kitty/window.py ++++ b/kitty/window.py +@@ -486,6 +486,8 @@ + if isinstance(value, (bytes, memoryview)): + value = str(value, 'utf-8', 'replace') + responses: dict[str, str] = {} ++ # Only printable ASCII payload allowed as it is echoed back ++ value = re.sub(r'[^ -~]', '', value) + for rec in value.split(';'): + key, sep, val = rec.partition('=') + if key.startswith('transparent_background_color'): diff -Nru kitty-0.41.1/debian/patches/series kitty-0.41.1/debian/patches/series --- kitty-0.41.1/debian/patches/series 2026-05-23 00:54:19.000000000 +0530 +++ kitty-0.41.1/debian/patches/series 2026-06-13 22:50:48.000000000 +0530 @@ -14,3 +14,7 @@ 0015-backport-s390x-ftbfs-fix.patch 0016-CVE-2026-33633.patch 0017-CVE-2026-33642.patch +0018-CVE-2026-42850.patch +0019-CVE-2026-42851.patch +0020-CVE-2026-54055.patch +0021-CVE-2026-54057.patch
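Review bot: the changelog entry for 0.41.1-2+deb13u2 does not record that 0019-CVE-2026-42851.patch is a partial backport with an added change from the advisory rather than the upstream commit, which the cover letter says it is; a sub-line such as "- CVE-2026-42851 (partial backport, see patch header)" keeps that visible to whoever touches the package next. While there, "Fixing following CVEs: (Closes: #1139898)" reads better as "Fix the following CVEs (Closes: #1139898):". The 0016 re-diff itself only moves the hunk offset from -555 to -548 and drops the `diff --git`/`index` lines, so a one-word reason ("fuzz") in the changelog line would explain why it was touched at all.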
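Review bot: in 0018-CVE-2026-42850.patch the new `import re` sits inside the `except Exception` handler in kittens/ssh/utils.py; hoist it to the module-level imports so the import is not performed (and any import failure not raised) only on the error path that the attacker triggers. The substitution `re.sub(r'[^a-zA-Z0-9 ]+', '_', str(e))` collapses every run of CR, LF, ESC and other non-alphanumerics into one underscore before the trailing `\n` is appended, so nothing attacker-controlled can terminate the line or open an escape sequence; the cost is only readability of the error text, which is fine for a security fix.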
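Review bot: 0019-CVE-2026-42851.patch carries the header of upstream commit 8bf1bd479b0e75c9010800d135c8d90690d94645 verbatim, but per the cover letter the hunk is not a clean cherry-pick of that commit (the `c.opts.color = ()` line and the `geninclude`/`runpy.run_path` comment are the extra part); add an `Origin: backport, <upstream commit url>` and a sentence describing the delta in the DEP-3 header so nobody later assumes it matches upstream byte for byte. Two checks before upload: confirm that the options object in 0.41.1's kitty/launch.py actually has a `copy_env` field, because `c.opts.copy_env = False` on an object without one silently creates a new attribute and protects nothing; and, since the comment itself says the edit DCS path is unauthenticated, confirm that env, copy_env and color are the only options parsed from that payload that reach `launch()` with side effects.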
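Review bot: in 0020-CVE-2026-54055.patch, `getattr(os, 'O_NOFOLLOW', 0)` closes the final-component race the CVE text describes (a symlink at `self.name` now makes `os.open()` fail with ELOOP instead of following it), but it does nothing for symlinked parent directories, which `self.make_parent_dirs()` two lines earlier still resolves; say so in the patch description so the limitation is documented rather than rediscovered. The `getattr(..., 0)` form also means the flag silently degrades to nothing on a platform without O_NOFOLLOW, which is acceptable on Linux but worth a comment. Given the cover letter says no PoC was run, a minimal sanity check is to open a pre-planted symlink with the new flag value and confirm the resulting OSError has errno ELOOP and the link target is left untouched.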
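Review bot: the added `value = re.sub(r'[^ -~]', '', value)` in 0021-CVE-2026-54057.patch uses `re` without the hunk adding an import, unlike patch 0018 which imports it inline; verify that kitty/window.py in 0.41.1 already imports `re` at module level, because a NameError here would surface only when a color-control query arrives, i.e. exactly on the attacker-controlled path, and would turn the fix into a crash. The character class itself keeps printable ASCII 0x20 to 0x7E only, which removes CR, LF and ESC before the value is split on `;` and echoed back, which is what the CVE needs; it also drops non-ASCII, which is fine since colour specifications are ASCII.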

