Your message dated Wed, 27 May 2026 07:47:37 +0000
with message-id <[email protected]>
and subject line Bug#1136172: fixed in kdenlive 24.12.3-2+deb13u1
has caused the Debian Bug report #1136172,
regarding kdenlive: CVE-2026-45184
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1136172: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136172
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: kdenlive
Version: 26.04.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for kdenlive.
I'm still marking it as RC level at least, so for forky it is ensured
that it is fixed before the release (still a long way), although it
is likely a good idea to not just open untrusted projects.
CVE-2026-45184[0]:
| Kdenlive before 26.04.1 allows dangerous proxy parameters when an
| attacker-controlled project file is used.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-45184
https://www.cve.org/CVERecord?id=CVE-2026-45184
[1] https://kde.org/info/security/advisory-20260508-1.txt
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: kdenlive
Source-Version: 24.12.3-2+deb13u1
Done: Patrick Matthäi <[email protected]>
We believe that the bug you reported is fixed in the latest version of
kdenlive, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Patrick Matthäi <[email protected]> (supplier of updated kdenlive package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 21 May 2026 10:43:39 +0200
Source: kdenlive
Binary: kdenlive kdenlive-data kdenlive-dbgsym
Architecture: source all amd64
Version: 24.12.3-2+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Patrick Matthäi <[email protected]>
Changed-By: Patrick Matthäi <[email protected]>
Description:
 kdenlive   - non-linear video editor
 kdenlive-data - non-linear video editor (data files)
Closes: 1136172
Changes:
 kdenlive (24.12.3-2+deb13u1) trixie-security; urgency=high
 .
   * Add patch 02-CVE-2026-45184: Dangerous proxy parameters, when an
     attacker-controlled project file is used.
     Closes: #1136172
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---