Gentoo Linux Security Advisory 202209-22

Gentoo Linux Security Advisory 202209-22 - A vulnerability has been found in Kitty which could allow for arbitrary code execution if a user clicks on a maliciously crafted desktop notification. Versions less than 0.26.2 are affected.

Packet Storm

Gentoo Linux Security Advisory GLSA 202209-22
https://security.gentoo.org/

Severity: Normal
Title: Kitty: Arbitrary Code Execution
Date: September 29, 2022
Bugs: #868543
ID: 202209-22


Synopsis

A vulnerability has been found in Kitty which could allow for arbitrary
code execution if a user clicks on a maliciously crafted desktop notification.

Background

Kitty is a fast, feature-rich, GPU-based terminal.

Affected packages

-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
  1  x11-terms/kitty               < 0.26.2                >= 0.26.2

Description

Carter Sande discovered that maliciously constructed control sequences
can cause Kitty to display a notification that, when clicked, can cause
Kitty to execute arbitrary commands.

Impact

Kitty can produce notifications that, when clicked, can execute
arbitrary commands.

Workaround

Avoid clicking unexpected notifications.
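The attack described above needs the victim to display attacker-controlled content in the terminal. Besides upgrading, a practitioner can neutralise that content before it reaches the terminal. The following filter is an added example, not code from this advisory or from the kitty project: it strips ECMA-48 style control sequences (CSI, OSC, DCS/SOS/PM/APC, ESC-prefixed two-byte and intermediate sequences, and their 8-bit C1 forms) from untrusted text and reports the OSC strings it removed, so that OSC 99, the number kitty uses for its desktop-notification protocol, can be flagged. The sample input is constructed for the example; its OSC 99 line only shows the metadata/payload framing and is not the advisory's exploit.

```python
"""Added example (not from the GLSA or the kitty project): strip terminal
control sequences from untrusted data before it is written to a terminal,
and report any OSC strings removed (OSC 99 = kitty desktop notifications).

Framing used (ECMA-48 / common terminal practice):
  CSI            ESC [ params(0x30-0x3F)* intermediates(0x20-0x2F)* final(0x40-0x7E)
  OSC            ESC ] text, ended by BEL (0x07) or ST (ESC \\)
  DCS/SOS/PM/APC ESC P / ESC X / ESC ^ / ESC _ text, ended by ST
  ESC + intermediate(s) + final (e.g. ESC ( B), and any other two-byte ESC x
  8-bit C1 controls (U+0080..U+009F) are treated as ESC + (code - 0x40).
"""

ESC, BEL, ST8 = "\x1b", "\x07", "\x9c"
STRING_KINDS = "]PX^_"          # OSC, DCS, SOS, PM, APC introducers


def _string_end(text: str, i: int, kind: str) -> tuple[int, int]:
    """Return (index where the control string's body ends, terminator length).
    BEL is accepted as a terminator only for OSC, as xterm and kitty do.
    An unterminated string swallows the rest of the input, as a terminal would."""
    n = len(text)
    while i < n:
        ch = text[i]
        if ch == ST8:
            return i, 1
        if ch == ESC and i + 1 < n and text[i + 1] == "\\":
            return i, 2
        if ch == BEL and kind == "]":
            return i, 1
        i += 1
    return n, 0


def scan(text: str) -> tuple[str, list[tuple[str, str]]]:
    """Walk text once.  Returns (cleaned text, [(osc_number, osc_body), ...]).
    Printable characters plus TAB/LF/CR are kept; every control sequence and
    every other C0/C1 control character is dropped."""
    out: list[str] = []
    oscs: list[tuple[str, str]] = []
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if ch == ESC and i + 1 < n:
            kind, i = text[i + 1], i + 2
        elif "\x80" <= ch <= "\x9f":               # 8-bit C1 form
            kind, i = chr(ord(ch) - 0x40), i + 1
        else:
            if ch >= " " or ch in "\t\n\r":
                out.append(ch)
            i += 1                                 # lone ESC / other C0: dropped
            continue
        if kind == "[":                            # CSI
            while i < n and "0" <= text[i] <= "?":
                i += 1
            while i < n and " " <= text[i] <= "/":
                i += 1
            i += 1                                 # final byte
        elif kind in STRING_KINDS:                 # OSC / DCS / SOS / PM / APC
            end, tlen = _string_end(text, i, kind)
            if kind == "]":
                num, _, body = text[i:end].partition(";")
                oscs.append((num, body))
            i = end + tlen
        elif " " <= kind <= "/":                   # ESC + intermediates + final
            while i < n and " " <= text[i] <= "/":
                i += 1
            i += 1
        # any other ESC x pair (ESC 7, ESC c, ...) has already been consumed
    return "".join(out), oscs


def sanitize(data: bytes) -> bytes:
    """Decode as UTF-8 first so that C1 detection is not confused by UTF-8
    continuation bytes in the 0x80-0x9F range, then strip and re-encode."""
    clean, _ = scan(data.decode("utf-8", "replace"))
    return clean.encode("utf-8")


def notification_payloads(data: bytes) -> list[str]:
    """Bodies of any OSC 99 (kitty desktop notification) strings in data."""
    _, oscs = scan(data.decode("utf-8", "replace"))
    return [body for num, body in oscs if num == "99"]


# Constructed sample: colour codes, an OSC 8 hyperlink, a charset designation
# and an OSC 99 notification request (framing only, not the advisory's exploit).
SAMPLE = (
    b"ok: build finished\n"
    b"\x1b[31mERROR\x1b[0m: disk full\n"
    b"\x1b]99;i=1:d=0;Click me\x1b\\\n"
    b"\x1b]8;;https://example.test\x07link\x1b]8;;\x07\n"
    b"\x1b(Bplain \xc3\xbc\n"
)

if __name__ == "__main__":
    import sys
    src = SAMPLE if sys.stdin.isatty() else sys.stdin.buffer.read()
    for body in notification_payloads(src):
        print(f"[!] OSC 99 notification request removed: {body!r}", file=sys.stderr)
    sys.stdout.buffer.write(sanitize(src))
```

Run it as `curl -s https://example.test/build.log | python3 strip_escapes.py` (hypothetical URL and filename) to view untrusted output safely; run it with no stdin redirection to see it process the constructed sample. This is defence in depth for content you choose to display, not a substitute for the 0.26.2 upgrade: the fix belongs in the terminal that interprets the sequence.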

Resolution

All Kitty users should upgrade to the latest version:

emerge --sync
emerge --ask --oneshot --verbose ">=x11-terms/kitty-0.26.2"

References

[ 1 ] CVE-2022-41322
https://nvd.nist.gov/vuln/detail/CVE-2022-41322

Availability

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202209-22

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License

Copyright 2022 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Related news

CVE-2023-39726: ""?! ANSI Terminal security in 2023 and finding 10 CVEs

An issue in Mintty v.3.6.4 and before allows a remote attacker to execute arbitrary code via crafted commands to the terminal.

Ubuntu Security Notice USN-5659-1

Ubuntu Security Notice 5659-1 - Stephane Chauveau discovered that kitty incorrectly handled image filenames with special characters in error messages. A remote attacker could possibly use this to execute arbitrary commands. This issue only affected Ubuntu 20.04 LTS. Carter Sande discovered that kitty incorrectly handled escape sequences in desktop notifications. A remote attacker could possibly use this to execute arbitrary commands. This issue only affected Ubuntu 22.04 LTS.

CVE-2022-41322: Comparing v0.26.1...v0.26.2 · kovidgoyal/kitty

In Kitty before 0.26.2, insufficient validation in the desktop notification escape sequence can lead to arbitrary code execution. The user must display attacker-controlled content in the terminal, then click on a notification popup.
