Headline
CVE-2022-41322: Comparing v0.26.1...v0.26.2 · kovidgoyal/kitty
In Kitty before 0.26.2, insufficient validation in the desktop notification escape sequence can lead to arbitrary code execution. The user must display attacker-controlled content in the terminal, then click on a notification popup.
Permalink
Comparing changes
Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also .
Open a pull request
Create a new pull request by comparing changes across two branches. If you need to, you can also .
base repository: kovidgoyal/kitty base: v0.26.1
head repository: kovidgoyal/kitty compare: v0.26.2
Related news
An issue in Mintty v.3.6.4 and before allows a remote attacker to execute arbitrary code via crafted commands to the terminal.
Terminal character injection in Mintty before 3.6.3 allows code execution via unescaped output to the terminal.
Ubuntu Security Notice 5659-1 - Stephane Chauveau discovered that kitty incorrectly handled image filenames with special characters in error messages. A remote attacker could possibly use this to execute arbitrary commands. This issue only affected Ubuntu 20.04 LTS. Carter Sande discovered that kitty incorrectly handled escape sequences in desktop notifications. A remote attacker could possibly use this to execute arbitrary commands. This issue only affected Ubuntu 22.04 LTS.
Gentoo Linux Security Advisory 202209-22 - A vulnerability has been found in Kitty which could allow for arbitrary code execution with user input. Versions less than 0.26.2 are affected.