Bug 30930 - kitty new security issue CVE-2022-41322
Summary: kitty new security issue CVE-2022-41322
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-10-03 16:29 CEST by David Walser
Modified: 2022-10-08 22:23 CEST (History)
5 users (show)

See Also:
Source RPM: kitty-0.19.3-1.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2022-10-03 16:29:20 CEST
Fedora has issued an advisory on October 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/47RK7MBSVY5BWDUTYMJUFPBAYFSWMTOI/

The issue is fixed upstream in 0.26.2.
David Walser 2022-10-03 16:29:37 CEST

Status comment: (none) => Fixed upstream in 0.26.2

Comment 1 Lewis Smith 2022-10-03 20:45:44 CEST
Assigning to Stig, registered & active maintainer.

Assignee: bugsquad => smelror

Comment 2 Stig-Ørjan Smelror 2022-10-03 21:31:59 CEST
Advisory
========

Kitty has been updated to version 0.26.3 to fix CVE-2022-41322.

CVE-2022-41322: In Kitty before 0.26.2, insufficient validation in the desktop notification escape sequence can lead to arbitrary code execution. The user must display attacker-controlled content in the terminal, then click on a notification popup.

References
==========
https://nvd.nist.gov/vuln/detail/CVE-2022-41322
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/47RK7MBSVY5BWDUTYMJUFPBAYFSWMTOI/
https://sw.kovidgoyal.net/kitty/changelog/#id2


Files
=====

Uploaded to core/updates_testing

kitty-terminfo-0.26.3-1.mga8
kitty-docs-0.26.3-1.mga8
kitty-0.26.3-1.mga8

from kitty-0.26.3-1.mga8.src.rpm

Assignee: smelror => qa-bugs

David Walser 2022-10-06 14:33:44 CEST

CC: (none) => smelror
Status comment: Fixed upstream in 0.26.2 => (none)

Comment 3 Len Lawrence 2022-10-06 19:23:06 CEST
Having a look at this.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2022-10-06 21:13:13 CEST
mga8, x86_64
Installed the core packages and experimented a bit.

website: https://sw.kovidgoyal.net/kitty/conf/

The system level kitty configuration is /etc/xdg/kitty/kitty.conf.
Browser based documentation for kittens is in /usr/share/doc/kitty/html/kittens/
The man page is comprehensive.

Modified kitty.conf to allow reading from the clipboard, changed terminal opacity and specified size as 960x640.  That worked fine (after closing and reopening the terminal) but it could also be resized by dragging.
Minimizing removed it from the desktop - recovered using window selector in panel.

Examples:
$ echo hooray | kitty +kitten clipboard
$ kitty +kitten clipboard --get-clipboard
hooray

That did not work by default because reading is not enabled at installation time.
$ kitty +kitten icat ~/images/ladybug.png
That displayed a ladybird icon in the centre of following lines.
All images are displayed faithfully and oversized images can be scrolled vertically.  If both axes are oversized the image is resized to fit in the available space.
Copy and paste works fine for text.

Copied the system configuration file to <user>/.config/kitty/ and altered the opacity setting.  Used the --config cli option to launch kitty but have not figured out yet whether this works or not.  The named configuration is supposed to blend with the system file and override options which have been changed in the user file.
----------------------------------------------------------------------------
Updated the packages and tried out the functions used earlier.

Changed the font family in the user config file:
font_family      Martian Mono

Restarting kitty using '--config option' worked - the font was replaced with Martian Mono.
$ kitty list-fonts
Andale Mono
    Andale Mono

Bitstream Vera Sans Mono
    Bitstream Vera Sans Mono
    Bitstream Vera Sans Mono Bold
.....

The icat and clipboard kitten modules worked as before.
Tried a few more things without seeing any regressions.  There are many more facilities but these few show that the application works in general.

Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2022-10-07 03:10:38 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-10-08 19:08:21 CEST

CC: (none) => davidwhodgins

Dave Hodgins 2022-10-08 19:12:28 CEST

Keywords: (none) => advisory

Comment 6 Mageia Robot 2022-10-08 22:23:56 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0364.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.