Kitty: Arbitrary Code Execution — GLSA 202209-22

A vulnerability has been found in Kitty which could allow for arbitrary code execution with user input.

Affected packages

x11-terms/kitty on all architectures
Affected versions < 0.26.2
Unaffected versions >= 0.26.2

Background

Kitty is a fast, feature-rich, GPU-based terminal.

Description

Carter Sande discovered that maliciously constructed control sequences can cause Kitty to display a notification that, when clicked, can cause Kitty to execute arbitrary commands.

Impact

Kitty can produce notifications that, when clicked, can execute arbitrary commands.

Workaround

Avoid clicking unexpected notifications.

Resolution

All Kitty users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=x11-terms/kitty-0.26.2"
 

References

Release date
September 29, 2022

Latest revision
September 29, 2022: 1

Severity
normal

Exploitable
remote

Bugzilla entries