Your message dated Thu, 28 May 2026 21:02:30 +0000
with message-id <[email protected]>
and subject line Bug#1137210: fixed in kitty 0.41.1-2+deb13u1
has caused the Debian Bug report #1137210,
regarding kitty: CVE-2026-33633 CVE-2026-33642
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1137210: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137210
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: kitty
Version: 0.46.2-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for kitty.

CVE-2026-33633[0]:
| Kitty is a cross-platform GPU based terminal. Versions 0.46.2 and
| below contain a heap buffer overflow in load_image_data() that
| allows any process which can write to the terminal's stdin to crash
| kitty immediately. The vulnerability is triggered by a single APC
| graphics protocol command with a PNG format declaration (f=100)
| whose payload exceeds twice the initial buffer capacity. The
| overflow is attacker-controlled in both length and content, causing
| DoS and potentially escalation to RCE itself. This issue has been
| fixed in version 0.47.0.


CVE-2026-33642[1]:
| Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and
| below, the handle_compose_command() function in kitty/graphics.c
| performs bounds validation on composition offsets using unsigned
| 32-bit arithmetic that is subject to integer wrapping, potentially
| leading to Heap Buffer Over-Read/Write. An attacker who can write
| escape sequences to a kitty terminal (e.g., via a malicious file,
| SSH login banner, or piped content) can supply crafted
| x_offset/y_offset values that pass the bounds check after wrapping
| but cause massive out-of-bounds heap memory access in
| compose_rectangles(). No user interaction is required. No non-
| default configuration is required. The attacker only needs the
| ability to produce output in a kitty terminal window. This issue has
| been fixed in version 0.47.0.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33633
    https://www.cve.org/CVERecord?id=CVE-2026-33633
    https://github.com/kovidgoyal/kitty/security/advisories/GHSA-j68c-v8x4-269g
[1] https://security-tracker.debian.org/tracker/CVE-2026-33642
    https://www.cve.org/CVERecord?id=CVE-2026-33642
    https://github.com/kovidgoyal/kitty/security/advisories/GHSA-qfgm-2c64-6x3x

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
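The integer-wrapping bounds check described for CVE-2026-33642, as an added illustration that is not kitty's code: a hypothetical compose-style rectangle check written first the wrap-prone way (unsigned 32-bit sum compared against the image size) and then the wrap-safe way, plus a 64-bit calculation of where the accepted rectangle would actually land. The image dimensions, the crafted offsets and the 4-byte-per-pixel layout are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not kitty's code. A compose-style request places a
 * w x h rectangle at (x, y) in an img_w x img_h image; all values arrive as
 * 32-bit unsigned integers parsed from an escape sequence. */

/* Wrap-prone check: x + w is evaluated in uint32_t, so a huge x makes the
 * sum wrap to a small number and the comparison passes. */
bool rect_fits_wrapping(uint32_t img_w, uint32_t img_h,
                        uint32_t x, uint32_t y, uint32_t w, uint32_t h)
{
    return x + w <= img_w && y + h <= img_h;
}

/* Wrap-safe check: never form a sum that can overflow; compare each
 * extent against the room remaining after the offset instead. */
bool rect_fits_safe(uint32_t img_w, uint32_t img_h,
                    uint32_t x, uint32_t y, uint32_t w, uint32_t h)
{
    if (x > img_w || y > img_h)
        return false;
    return w <= img_w - x && h <= img_h - y;
}

/* Byte offset of the rectangle's last pixel, computed in 64 bits for the
 * constructed 4-byte-per-pixel layout, so it can be compared with the real
 * buffer size. Assumes w and h are nonzero. */
uint64_t last_pixel_offset(uint32_t img_w, uint32_t x, uint32_t y,
                           uint32_t w, uint32_t h)
{
    uint64_t last_x = (uint64_t)x + w - 1;
    uint64_t last_y = (uint64_t)y + h - 1;
    return (last_y * img_w + last_x) * 4;
}

int main(void)
{
    const uint32_t img_w = 1024, img_h = 768;
    /* Constructed crafted offsets: x + w wraps from 4294967312 to 16. */
    const uint32_t x = UINT32_MAX - 15u, y = 0, w = 32, h = 1;
    printf("wrapping check: %d, safe check: %d\n",
           rect_fits_wrapping(img_w, img_h, x, y, w, h),
           rect_fits_safe(img_w, img_h, x, y, w, h));
    printf("last pixel at byte %llu of a %llu-byte buffer\n",
           (unsigned long long)last_pixel_offset(img_w, x, y, w, h),
           (unsigned long long)img_w * img_h * 4);
    return 0;
}
```

The wrapping check accepts the crafted rectangle while the safe check rejects it; the 64-bit offset shows the accepted rectangle ends roughly 17 GB past the start of a 3 MB buffer.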
--- Begin Message ---
Source: kitty
Source-Version: 0.41.1-2+deb13u1
Done: Nilesh Patra <[email protected]>

We believe that the bug you reported is fixed in the latest version of
kitty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nilesh Patra <[email protected]> (supplier of updated kitty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Sat, 23 May 2026 00:54:52 +0530
Source: kitty
Architecture: source
Version: 0.41.1-2+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Nilesh Patra <[email protected]>
Changed-By: Nilesh Patra <[email protected]>
Closes: 1137210
Changes:
 kitty (0.41.1-2+deb13u1) trixie-security; urgency=medium
 .
   * Add patches to fix CVE-2026-33642 and CVE-2026-33633
     Closes: #1137210



--- End Message ---
