Your message dated Sat, 13 Jun 2026 14:36:26 +0000
with message-id <[email protected]>
and subject line Bug#1139898: fixed in kitty 0.47.3-1
has caused the Debian Bug report #1139898,
regarding kitty: CVE-2026-42850 CVE-2026-42851 CVE-2026-54055 CVE-2026-54056 CVE-2026-54057
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1139898: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139898
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: kitty
Version: 0.47.0-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for kitty.

CVE-2026-42850[0]:
| Kitty is a cross-platform GPU based terminal. In versions prior to
| 0.47.0, it is possible to inject commands within the subshell
| through a kitty error. A special escape code will make kitty return an
| error; this error is not escaped and will be echoed back
| to the terminal with CRLF, as such it will be run by the shell in
| use. To exploit this bug, the victim must use netcat or a similar
| program to connect to the attacker, or else listen for someone to
| connect. Once this condition is set, an attacker could pwn the
| computer of the victim using a special kitty escape code that will
| run a command in the shell in use. Version 0.47.0 fixes the issue.


CVE-2026-42851[1]:
| Kitty is a cross-platform GPU based terminal. In versions prior to
| 0.47.0, a program able to write bytes to a kitty terminal — a remote
| SSH peer, a downloaded file viewed with `cat`, a log line, an email
| body rendered in `less`, an issue body in a TUI, etc. — can cause
| kitty to execute attacker-supplied Python inside the running kitty
| process, with the user's full privileges. There is no approval
| prompt, no remote-control permission requirement, no shell-
| integration interaction, no clipboard touch, and no editor
| interaction. Version 0.47.0 fixes the issue.


CVE-2026-54055[2]:
| Kitty is a cross-platform GPU based terminal. In versions prior to
| 0.47.2, a local privilege escalation vulnerability exists in kitty's
| file transmission protocol where a child process running in the
| terminal can write to arbitrary files on the filesystem by
| exploiting a TOCTOU (Time-of-Check-Time-of-Use) race condition
| between symlink validation and file creation. The `os.open()` call
| used to create files does not use `O_NOFOLLOW`, allowing an attacker
| to create a symlink between the initial stat check and the actual
| file open, causing the write to follow the symlink to an arbitrary
| destination. Version 0.47.2 fixes the issue.


CVE-2026-54056[3]:
| Kitty is a cross-platform GPU based terminal. In versions 0.47.0 and
| 0.47.1, `kitten dnd` can allow a malicious remote drag-and-drop
| source to overwrite or truncate arbitrary files writable by the
| local kitty user. Remote `text/uri-list` drops are staged in a
| temporary directory, but on case-sensitive filesystems duplicate
| remote basenames are not de-duplicated. An attacker can first create
| a staged symlink and then send a same-name regular-file entry. The
| regular-file write uses `utils.CreateAt()` /
| `openat(O_RDWR|O_CREAT|O_TRUNC)` without `O_NOFOLLOW`, so it follows
| the attacker-created symlink and writes outside the staging
| directory before final overwrite confirmation runs. This appears
| related in class to the file-transfer symlink advisory, but it is a
| different bug: it affects `kitten dnd` remote drag-and-drop staging,
| uses different vulnerable code (`kittens/dnd/drop.go` and
| `tools/utils/file_at_fd.go`), and reproduces on commit
| `4aa4a5c0567a92553a8c20a88a4352da637fca5d`, after the file-transfer
| `O_NOFOLLOW` fix. Version 0.47.2 patches the issue.


CVE-2026-54057[4]:
| Kitty is a cross-platform GPU based terminal. In versions prior to
| 0.47.3, kitty's OSC 21 (color-control) query reply reflects
| attacker-controlled bytes, including newlines, into the shell's
| input without sanitization. Version 0.47.3 fixes the issue.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-42850
    https://www.cve.org/CVERecord?id=CVE-2026-42850
[1] https://security-tracker.debian.org/tracker/CVE-2026-42851
    https://www.cve.org/CVERecord?id=CVE-2026-42851
[2] https://security-tracker.debian.org/tracker/CVE-2026-54055
    https://www.cve.org/CVERecord?id=CVE-2026-54055
[3] https://security-tracker.debian.org/tracker/CVE-2026-54056
    https://www.cve.org/CVERecord?id=CVE-2026-54056
[4] https://security-tracker.debian.org/tracker/CVE-2026-54057
    https://www.cve.org/CVERecord?id=CVE-2026-54057

Regards,
Salvatore

--- End Message ---
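The race described for CVE-2026-54055 (a symlink check followed by a separate `os.open()` without `O_NOFOLLOW`; CVE-2026-54056 is the same class in the Go `kitten dnd` code), as an added example that is not kitty's code and is not part of the bug report. The function names, the staging-directory layout and the `between_check_and_open` hook that lets the simulated attacker win the race every time are assumptions made so the bug reproduces deterministically:

```python
"""Race-prone vs. hardened file creation (illustrative, not kitty's code).

Pattern from the CVE-2026-54055 text: a stat()-style check that the target
is not a symlink, then a separate os.open() without O_NOFOLLOW.  An attacker
who swaps in a symlink between the two calls redirects the write.  The
`between_check_and_open` hook is an artificial seam (assumption for this
demo) that runs the attacker step exactly inside the window.
"""
import os
import stat
import tempfile


def check_not_symlink(path: str) -> None:
    """The 'check' half of the TOCTOU: raise if path already exists as a symlink."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return  # nothing there yet, so creating it looks safe
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"{path} is a symlink")


def write_vulnerable(path: str, data: bytes, between_check_and_open=None) -> None:
    """Check, then open WITHOUT O_NOFOLLOW.  The open follows whatever the
    path points at by the time it runs."""
    check_not_symlink(path)
    if between_check_and_open:
        between_check_and_open()          # attacker wins the race here
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def write_hardened(path: str, data: bytes, between_check_and_open=None) -> None:
    """O_NOFOLLOW makes the kernel refuse to open through a symlink at the
    final path component (ELOOP), so the check and the open are one atomic
    step and there is no window to race."""
    if between_check_and_open:
        between_check_and_open()          # attacker acts before the open
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def demo(writer) -> dict:
    """Run `writer` against a staging path while the attacker drops a symlink
    there pointing at a victim file.  Reports what happened to the victim."""
    with tempfile.TemporaryDirectory() as d:
        staging = os.path.join(d, "staging")
        os.mkdir(staging)
        victim = os.path.join(d, "victim.txt")      # constructed sample target
        with open(victim, "wb") as f:
            f.write(b"original")
        target = os.path.join(staging, "upload.bin")

        def attacker() -> None:
            os.symlink(victim, target)

        outcome = {"error": None, "errno": None}
        try:
            writer(target, b"attacker payload", between_check_and_open=attacker)
        except OSError as e:
            outcome["error"] = type(e).__name__
            outcome["errno"] = e.errno
        with open(victim, "rb") as f:
            outcome["victim_contents"] = f.read()
        return outcome


if __name__ == "__main__":
    print("vulnerable:", demo(write_vulnerable))
    print("hardened:  ", demo(write_hardened))
```

Note the limit of `O_NOFOLLOW`: it only protects the last path component. If an attacker can replace the staging directory itself with a symlink, opening with a path string is still unsafe; the robust form keeps a file descriptor for the staging directory and uses `os.open(name, flags | O_NOFOLLOW, dir_fd=staging_fd)` so intermediate components cannot be swapped, adding `O_EXCL` where the file must be newly created.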
--- Begin Message ---
Source: kitty
Source-Version: 0.47.3-1
Done: Nilesh Patra <[email protected]>

We believe that the bug you reported is fixed in the latest version of
kitty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nilesh Patra <[email protected]> (supplier of updated kitty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 13 Jun 2026 17:51:32 +0530
Source: kitty
Architecture: source
Version: 0.47.3-1
Distribution: unstable
Urgency: medium
Maintainer: Nilesh Patra <[email protected]>
Changed-By: Nilesh Patra <[email protected]>
Closes: 1139898
Changes:
 kitty (0.47.3-1) unstable; urgency=medium
 .
   * New upstream version 0.47.3 (Re-diff patches)
     Closes: #1139898
     Fixes CVEs: CVE-2026-42850 CVE-2026-42851 CVE-2026-54055
     CVE-2026-54056 CVE-2026-54057
   * Add patch to skip TestWatchForConfigChanges
Checksums-Sha1:
 d4b3b3951846fb738dfb2517727a841ef2f8defe 2750 kitty_0.47.3-1.dsc
 d921ea3d706d34a521857cddf9d26b1297724d16 9469485 kitty_0.47.3.orig.tar.gz
 9530685c2f431129233f8dd45edf382eb87b3d9d 1318476 kitty_0.47.3-1.debian.tar.xz
 48e53652ff90ecb9cdd9db908813195255a954f3 16803 kitty_0.47.3-1_amd64.buildinfo
Checksums-Sha256:
 fdf57a13345722801b23861a4a37f3ad6c0ef2a1faf21a63b86b9ae877728ef6 2750 kitty_0.47.3-1.dsc
 7974ef5c16f07d3e973d9bef38062e40ca87733a84183a8cabfa1d048b9a55a1 9469485 kitty_0.47.3.orig.tar.gz
 ac26e8d67012062d0a2976b10171ec825d45986601e1ad5f5ab66a824b993c67 1318476 kitty_0.47.3-1.debian.tar.xz
 1a218490733a6921651ce88bfc60d75742b0f61a544fce0f6023a4a9be3a685e 16803 kitty_0.47.3-1_amd64.buildinfo
Files:
 2fce7ba19cd020f48987e0812f815bf0 2750 x11 optional kitty_0.47.3-1.dsc
 39030128fff9004b4da0760abf02c7d1 9469485 x11 optional kitty_0.47.3.orig.tar.gz
 b6ccf9b2787572078a2b3b756a10a102 1318476 x11 optional kitty_0.47.3-1.debian.tar.xz
 23f96dd273a96b8aefa387fe0cf40602 16803 x11 optional kitty_0.47.3-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iIgEARYKADAWIQSglbZu4JAkvuai8HIqJ5BL1yQ+2gUCai1eHRIcbmlsZXNoQGRl
Ymlhbi5vcmcACgkQKieQS9ckPtroOQD/ae9LpNwqZO8rgQfJEL9Ox6QhLzJptJKo
H7W+CZPveNoBAMR+KU88PNHmHYWAVMTe7K+bzVPRHjuSlXjlACVOlWgD
=+a4G
-----END PGP SIGNATURE-----


--- End Message ---
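Returning to the two reflection bugs in the bug report above (CVE-2026-42850, an unescaped error echoed with CRLF, and CVE-2026-54057, an OSC 21 reply carrying attacker bytes including newlines): the common fix is that nothing a terminal writes back onto the pty may contain bytes the shell reads as "enter" or as a new escape sequence. The following is an added example, not kitty's code; the `key=?` reply shape, the function names and the allowlist choice are assumptions, while the `OSC 21 ; ... ST` framing follows the CVE text:

```python
"""Sanitizing bytes a terminal reflects back onto the pty (added example).

A terminal that answers a query by echoing part of the request writes those
bytes to the pty, where the foreground shell reads them as keyboard input.
If the echoed bytes can contain CR/LF, whoever sent the query types into the
shell.  The reply shape 'key=?' and the names below are assumptions made
for illustration; the OSC 21 ... ST framing follows the CVE description.
"""
import re

ESC = b"\x1b"
OSC = ESC + b"]"      # Operating System Command introducer
ST = ESC + b"\\"      # String Terminator


def build_reply_vulnerable(echoed: bytes) -> bytes:
    """Reflects request bytes verbatim.  If `echoed` carries CR/LF the
    reply is no longer one escape sequence: the shell sees line breaks."""
    return OSC + b"21;" + echoed + b"=?" + ST


def sanitize_reflected(data: bytes) -> bytes:
    """Allowlist printable ASCII (0x20..0x7e).  Drops CR, LF, ESC, BEL, DEL,
    C1 bytes and anything non-ASCII, so nothing reflected can terminate the
    sequence early, start a new one, or end a shell input line."""
    return bytes(b for b in data if 0x20 <= b <= 0x7e)


def build_reply_hardened(echoed: bytes) -> bytes:
    """Same reply, with the reflected part passed through the allowlist."""
    return OSC + b"21;" + sanitize_reflected(echoed) + b"=?" + ST


def shell_lines_typed(pty_bytes: bytes) -> list[bytes]:
    """Crude model of the attack surface: the shell treats each CR/LF in what
    it reads from the pty as 'enter'.  Returns the completed lines, i.e. what
    a shell would attempt to run.  For a well-formed single-sequence reply
    this is empty."""
    parts = re.split(rb"\r\n|\r|\n", pty_bytes)
    return parts[:-1]


def is_single_osc_sequence(reply: bytes) -> bool:
    """Regression check: starts with OSC, ends with ST, and the body holds
    no control bytes at all."""
    if not (reply.startswith(OSC) and reply.endswith(ST)):
        return False
    body = reply[len(OSC):-len(ST)]
    return all(0x20 <= b <= 0x7e for b in body)


if __name__ == "__main__":
    # Constructed malicious key: newline-wrapped shell command.
    hostile = b"\r\ntouch pwned\r\n"
    print("vulnerable shell lines:", shell_lines_typed(build_reply_vulnerable(hostile)))
    print("hardened shell lines:  ", shell_lines_typed(build_reply_hardened(hostile)))
```

An allowlist is preferable to a denylist of `\r`, `\n` and `ESC` here: C1 controls (`0x9c` is an alternative String Terminator) and `BEL` also end or restart sequences, and a denylist tends to miss one of them.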