On 14/06/26 12:50 am, Nilesh Patra wrote:
> Quick notes:
>
> - There is no PoC mentioned for CVE-2026-54055, just a vague description, and hence
>   I did not test this. But this is a medium severity CVE with a simple fix to just add
>   in `O_NOFOLLOW` and this should be good enough.
>
> - Fix for CVE-2026-42851 is not an exact backport of upstream commit, but some partial
>   change along with a fix suggested on the github advisory. The reason is that the upstream
>   fix is not easily backportable. But the fix does work as I tested.
So upstream says in https://github.com/kovidgoyal/kitty/issues/10139 that this can lead to loss of functionality, and indeed, `kitten edit-in-kitty --color background=black /tmp/test.txt` will not render it with a properly colored terminal with the CVE fix.

The other option is to have a slightly longer patch which also fixes the CVE but drops the `--color` option altogether. The patch is pasted in the upstream comment here, in case the author comments on it:
https://github.com/kovidgoyal/kitty/issues/10139#issuecomment-4702399087

Please take a look and let me know if you prefer this instead. I'm also thinking whether it makes sense to drop the color and env option in the previous patch as well, if that is more preferable. Anyway, please let me know.

Thanks
Nilesh
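An added illustration, not code from this thread or from kitty, of what the `O_NOFOLLOW` fix mentioned above changes: with the flag set, opening a path whose final component is a symlink fails instead of silently following the link. The directory, file and symlink below are constructed for the demo.

```python
import errno
import os
import tempfile


def open_nofollow(path):
    """Open `path` read-only without traversing a final-component symlink.

    Returns ("ok", fd) when a regular file was opened, or ("symlink", errno)
    when the kernel refused because `path` is a symlink (ELOOP on Linux and
    macOS). Any other failure is re-raised.
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as e:
        if os.path.islink(path):
            return ("symlink", e.errno)
        raise
    return ("ok", fd)


def demo():
    """Constructed scenario: a regular file and a symlink pointing at it.

    Returns (status for the real file, status for the link, errno for the link).
    """
    with tempfile.TemporaryDirectory() as d:
        real = os.path.join(d, "real.txt")
        link = os.path.join(d, "link.txt")
        with open(real, "w") as f:
            f.write("hello\n")
        os.symlink(real, link)

        # Without O_NOFOLLOW the link is followed and the open succeeds,
        # which is the behaviour the fix removes.
        os.close(os.open(link, os.O_RDONLY))

        status_real, fd = open_nofollow(real)
        os.close(fd)
        status_link, err = open_nofollow(link)
        return status_real, status_link, err


if __name__ == "__main__":
    print(demo())  # ('ok', 'symlink', <errno.ELOOP>)
```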

