Hi Nilesh,

On Sat, May 23, 2026 at 09:14:28PM +0200, Salvatore Bonaccorso wrote:
> Hi Nilesh,
> 
> On Sat, May 23, 2026 at 10:15:20PM +0530, Nilesh Patra wrote:
> > Hi Salvatore,
> > 
> > On 23/05/26 1:14 am, Nilesh Patra wrote:
> > > On 22/05/26 9:24 pm, Salvatore Bonaccorso wrote:
> > >> Debian bookworm is still supported for one month, can you prepare as
> > >> well an update for it, please? Note there is as well a no-dsa CVE for
> > >> kitty: CVE-2025-43929, can you check its backportability and include
> > >> this one as well for the bookworm-security update?
> > > 
> > > I'm quite short on time, to be honest and not sure if I can manage cycles
> > > for this.
> > 
> > Unfortunately I really won't be able to squeeze in time for this. Really, 
> > really can't.
> > But I do have some updates to share, if it helps LTS team.
> > 
> > I tried to repro the CVEs on bookworm.
> > 
> > 1. CVE-2026-33633 - does not seem to crash the terminal, but I do see an infinite hang.
> > 2. CVE-2026-33642 - also does not seem to crash kitty, and I'm able to cat the file just fine; no anomaly.
> > 
> > I tried with the patches backported which did not change behavior wrt
> > either CVE. Hence this needs more investigation, and one would need to
> > check the code that gets/does not get hit for old-stable and probably
> > also if these CVEs are even relevant for old-stable.
> > 
> > For CVE-2025-43929:
> > 
> > This is non-trivial to backport. We will need to backport at least
> > 
> > https://github.com/kovidgoyal/kitty/commit/537cabca710f64b838d3b8b1dc986db596fb29d4
> > 
> > and for safety
> > 
> > https://github.com/kovidgoyal/kitty/commit/ca1555d12ef99e930dfa55a9268675ec3b032a1a
> > https://github.com/kovidgoyal/kitty/commit/ce5cfdd9caf44c538af800a07162e1f49bd53c35
> > 
> > as well.
> > 
> > The first patch out of this series does not apply as there have been quite
> > a few changes that have happened between this 0.26.5-5 and this commit.
> 
> I will try to have a look at the above tomorrow and then we come back
> to you. 
> 
> thanks for your work so far!

So indeed things for bookworm and older are a bit more complicated as
they stand now. Further triage for bookworm and backporting fixes will
need more time, thus we will release the kitty DSA for trixie
independently from bookworm.

Regards,
Salvatore
