Hello,

You said kitty was moved to dsa-needed. Did someone get to review it? Can I
view the comments anywhere?

On 14/06/26 10:19 pm, Nilesh Patra wrote:
> On 14/06/26 12:50 am, Nilesh Patra wrote:
>> Quick notes:
>>
>> - There is no PoC mentioned for CVE-2026-54055, just a vague description,
>> and hence I did not test this. But this is a medium severity CVE with a
>> simple fix to just add in `O_NOFOLLOW` and this should be good enough.
>>
>> - Fix for CVE-2026-42851 is not an exact backport of upstream commit, but
>> some partial change along with a fix suggested on the github advisory. The
>> reason is that the upstream fix is not easily backportable. But the fix
>> does work as I tested.
> 
> So upstream says in https://github.com/kovidgoyal/kitty/issues/10139 that
> this can lead to loss of functionality, and indeed,
> `kitten edit-in-kitty --color background=black /tmp/test.txt`
> will not render it with a properly colored terminal with the CVE fix.
> 
> The other option is to have a slightly longer patch which also fixes the CVE
> but drops the `--color` option altogether. The patch is pasted in upstream
> comment here in case the author comments on it.
> 
> https://github.com/kovidgoyal/kitty/issues/10139#issuecomment-4702399087
> 
> Please take a look and let me know if you prefer this instead.
> 
> I'm also thinking whether it makes sense to drop the color and env option in
> the previous patch as well, if that is more preferable.
> 
> Anyway, please let me know.
> 
> Thanks
> Nilesh
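The quoted note mentions adding `O_NOFOLLOW` as the fix for the symlink issue. As an added illustration of what that flag actually changes, here is a small self-contained C program; it is not kitty's patch and not code from this thread, and the temp-directory fixture, the file names and the helper functions are constructed for the example. It creates a regular file and a symlink to it, shows that a plain `open()` follows the link, and that the same `open()` with `O_NOFOLLOW` is refused with `ELOOP` while the regular file still opens normally.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open an existing path read-only, refusing to follow a symlink in its final
 * component. Returns a file descriptor, or -errno on failure (-ELOOP on Linux
 * when the final component is a symlink). */
int open_nofollow_ro(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    return fd < 0 ? -errno : fd;
}

/* Scratch fixture (constructed for this example): a temp dir holding a regular
 * file and a symlink pointing at it. */
struct fixture {
    char dir[64];
    char file[128];
    char link[128];
};

static int fixture_create(struct fixture *f)
{
    strcpy(f->dir, "/tmp/nofollow-demo-XXXXXX");
    if (mkdtemp(f->dir) == NULL) {
        /* fall back to the working directory if /tmp is not writable */
        strcpy(f->dir, "./nofollow-demo-XXXXXX");
        if (mkdtemp(f->dir) == NULL)
            return -errno;
    }
    snprintf(f->file, sizeof f->file, "%s/target.txt", f->dir);
    snprintf(f->link, sizeof f->link, "%s/link.txt", f->dir);

    int fd = open(f->file, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (fd < 0)
        return -errno;
    close(fd);
    if (symlink(f->file, f->link) != 0)
        return -errno;
    return 0;
}

static void fixture_destroy(const struct fixture *f)
{
    unlink(f->link);
    unlink(f->file);
    rmdir(f->dir);
}

/* Compare the two behaviours. Returns the errno that O_NOFOLLOW produced for
 * the symlink (ELOOP is the expected value); 0 if the symlink was followed
 * despite the flag; -1 if the fixture could not be built or the regular file
 * was wrongly rejected. */
int demo_nofollow(void)
{
    struct fixture f;
    if (fixture_create(&f) != 0)
        return -1;

    int result;
    int plain = open(f.link, O_RDONLY);      /* no flag: the link is followed */
    int guarded = open_nofollow_ro(f.link);  /* flag set: expected -ELOOP */
    int direct = open_nofollow_ro(f.file);   /* regular file still opens */

    if (plain >= 0)
        close(plain);
    if (direct < 0) {
        result = -1;
    } else {
        close(direct);
        result = guarded < 0 ? -guarded : 0;
        if (guarded >= 0)
            close(guarded);
    }
    fixture_destroy(&f);
    return result;
}

int main(void)
{
    int rc = demo_nofollow();
    printf("open(symlink, O_NOFOLLOW) -> %s\n",
           rc == ELOOP ? "ELOOP (rejected)" : "unexpected result");
    return rc == ELOOP ? 0 : 1;
}
```

One caveat worth keeping in mind when reviewing such a fix: `O_NOFOLLOW` only governs the final path component. Symlinks in intermediate directories are still traversed, so if the directory portion of the path is attacker-influenced, the flag alone is not sufficient and the open should be anchored to a trusted directory descriptor with `openat()` (or validated with `fstat()` after opening).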
