Hello,

You said kitty was moved to dsa-needed. Did someone get to review it? Can I view the comments anywhere?
On 14/06/26 10:19 pm, Nilesh Patra wrote:
> On 14/06/26 12:50 am, Nilesh Patra wrote:
>> Quick notes:
>>
>> - There is no PoC mentioned for CVE-2026-54055, just a vague description, and hence
>>   I did not test this. But this is a medium severity CVE with a simple fix to just add
>>   in `O_NOFOLLOW` and this should be good enough.
>>
>> - Fix for CVE-2026-42851 is not an exact backport of upstream commit, but some partial
>>   change along with a fix suggested on the github advisory. The reason is that the upstream
>>   fix is not easily backportable. But the fix does work as I tested.
>
> So upstream says in https://github.com/kovidgoyal/kitty/issues/10139 that this can lead
> to loss of functionality, and indeed, `kitten edit-in-kitty --color background=black /tmp/test.txt`
> will not render it with a properly colored terminal with the CVE fix.
>
> The other option is to have a slightly longer patch which also fixes the CVE but drops
> the `--color` option altogether. The patch is pasted in upstream comment here in case the
> author comments on it.
>
> https://github.com/kovidgoyal/kitty/issues/10139#issuecomment-4702399087
>
> Please take a look and let me know if you prefer this instead.
>
> I'm also thinking if it makes sense to drop the color and env option in the previous patch as well
> if that is more preferable.
>
> Anyway, please let me know.
>
> Thanks
> Nilesh
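The quoted notes above propose adding `O_NOFOLLOW` as the fix for CVE-2026-54055. Since the thread carries no PoC, the following is only a generic demonstration of what that flag buys a defender, added here as an example; it is not code from kitty, from the Debian patch, or from anyone in this thread. It assumes a POSIX system with a writable `/tmp`, and the file and function names are constructed for the demonstration. It creates a regular file and a symlink to it in a scratch directory, then shows that a plain `open()` follows the link while `open()` with `O_NOFOLLOW` refuses it with `ELOOP` and still opens the real file.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Build "<dir>/<name>" into buf; returns 0 on success, -1 if it would not fit. */
static int join_path(char *buf, size_t len, const char *dir, const char *name) {
    int n = snprintf(buf, len, "%s/%s", dir, name);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Try to open `path` with `flags`. Returns 1 if the open succeeds,
 * 0 if it fails with exactly `expect_errno`, and -1 on any other failure. */
static int try_open(const char *path, int flags, int expect_errno) {
    int fd = open(path, flags);
    if (fd >= 0) {
        close(fd);
        return 1;
    }
    return (errno == expect_errno) ? 0 : -1;
}

/* Demonstrates O_NOFOLLOW in a scratch directory (constructed paths, not
 * anything from the kitty report). Returns 1 when all three hold:
 *   - open() without O_NOFOLLOW follows the symlink to the regular file,
 *   - open() with O_NOFOLLOW refuses the symlink with ELOOP,
 *   - open() with O_NOFOLLOW still opens the real (non-symlink) file.
 * Returns 0 otherwise, including on any setup error. */
int nofollow_blocks_symlink(void) {
    char dir[] = "/tmp/nofollow-demo-XXXXXX";   /* mkdtemp template */
    char target[256], link[256];
    int fd, followed, refused, real_ok;
    int result = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    if (join_path(target, sizeof target, dir, "real.txt") != 0 ||
        join_path(link, sizeof link, dir, "link.txt") != 0)
        goto cleanup_dir;

    /* The real file that the symlink will point at. */
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto cleanup_dir;
    close(fd);

    /* The symlink an attacker-controlled path could have planted. */
    if (symlink(target, link) != 0)
        goto cleanup_file;

    followed = try_open(link, O_RDONLY, 0);                   /* expect 1: link followed */
    refused  = try_open(link, O_RDONLY | O_NOFOLLOW, ELOOP);  /* expect 0: refused, ELOOP */
    real_ok  = try_open(target, O_RDONLY | O_NOFOLLOW, 0);    /* expect 1: real file fine */

    result = (followed == 1 && refused == 0 && real_ok == 1);

    unlink(link);
cleanup_file:
    unlink(target);
cleanup_dir:
    rmdir(dir);
    return result;
}

int main(void) {
    printf("O_NOFOLLOW refuses the symlink and keeps the real file: %s\n",
           nofollow_blocks_symlink() ? "yes" : "no");
    return 0;
}
```

Note that `O_NOFOLLOW` only applies to the final path component; symlinks in intermediate directories are still followed, so it addresses the "last component is a planted symlink" case that the quoted note describes rather than every path-confusion scenario.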

