Gentoo Linux Security Advisory 202209-22
Gentoo Linux Security Advisory 202209-22 - A vulnerability has been found in Kitty which could allow for arbitrary code execution with user input. Versions less than 0.26.2 are affected.
Gentoo Linux Security Advisory GLSA 202209-22
https://security.gentoo.org/
Severity: Normal
Title: Kitty: Arbitrary Code Execution
Date: September 29, 2022
Bugs: #868543
ID: 202209-22
Synopsis
A vulnerability has been found in Kitty which could allow for arbitrary
code execution with user input.
Background
Kitty is a fast, feature-rich, GPU-based terminal.
Affected packages
-------------------------------------------------------------------
     Package              /     Vulnerable     /     Unaffected
-------------------------------------------------------------------
  1  x11-terms/kitty             < 0.26.2              >= 0.26.2
-------------------------------------------------------------------
Description
Carter Sande discovered that maliciously constructed control sequences
can cause Kitty to display a notification that, when clicked, can cause
Kitty to execute arbitrary commands.
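The attack path described above starts with untrusted bytes (a log file, a `curl` result, a `cat` of a downloaded file) carrying an OSC escape sequence that the terminal interprets as a desktop-notification request. A common defensive measure on the consuming side is to strip operating-system-command (OSC) sequences from untrusted text before it is written to the terminal, and to log which OSC codes were present. The following Python is an added example written for this advisory; it is not Gentoo's or kitty's code. It assumes kitty's notification protocol is carried in OSC 99 (`ESC ] 99 ; ...`, terminated by `ESC \` or BEL), and the sample input is constructed, including the `i=1:d=0` metadata string, which is only illustrative.

```python
import re

# Constructed sample of terminal output: a benign line, an OSC 99
# (kitty desktop notification) sequence terminated with ST (ESC \),
# an OSC 0 (window title) sequence terminated with BEL, and a trailing line.
SAMPLE = (
    "build finished\n"
    "\x1b]99;i=1:d=0;Click to view log\x1b\\"   # constructed notification
    "\x1b]0;innocent title\x07"                  # constructed title change
    "done\n"
)

# OSC: ESC ] <numeric code> [;] <body> terminated by ST (ESC \) or BEL.
OSC_RE = re.compile(
    r"\x1b\](?P<code>\d*);?(?P<body>.*?)(?:\x1b\\|\x07)",
    re.DOTALL,
)

# OSC introducer that never received a terminator (would otherwise leak
# through the regex above and still be interpreted by the terminal).
OSC_INTRODUCER = "\x1b]"


def find_osc(text):
    """Return a list of (code, body) tuples for every terminated OSC sequence."""
    return [(m.group("code"), m.group("body")) for m in OSC_RE.finditer(text)]


def notification_sequences(text):
    """Return the bodies of OSC 99 sequences, i.e. notification requests."""
    return [body for code, body in find_osc(text) if code == "99"]


def strip_osc(text):
    """Remove all OSC sequences, including any unterminated introducer.

    Dropping a bare ESC ] introducer turns whatever followed it into plain
    text, so the terminal can no longer treat it as a command.
    """
    cleaned = OSC_RE.sub("", text)
    return cleaned.replace(OSC_INTRODUCER, "")


def safe_to_display(text):
    """Return (sanitised_text, report) for writing untrusted text to a terminal."""
    report = {
        "osc_codes": [code for code, _ in find_osc(text)],
        "notification_requests": len(notification_sequences(text)),
    }
    return strip_osc(text), report


if __name__ == "__main__":
    sanitised, report = safe_to_display(SAMPLE)
    print(report)          # {'osc_codes': ['99', '0'], 'notification_requests': 1}
    print(repr(sanitised))  # 'build finished\ndone\n'
```

In a pipeline this would sit in whatever tool prints remote-controlled content (a log viewer, a `cat` wrapper, a CI output formatter); it does not replace upgrading kitty, since the terminal itself still accepts the sequence from any other source.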
Impact
Kitty can produce notifications that, when clicked, can execute
arbitrary commands.
Workaround
Avoid clicking unexpected notifications.
Resolution
All Kitty users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=x11-terms/kitty-0.26.2"
References
[ 1 ] CVE-2022-41322
https://nvd.nist.gov/vuln/detail/CVE-2022-41322
Availability
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202209-22
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
Copyright 2022 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5