-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4819-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff December 26, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : kitty CVE ID : CVE-2020-35605 Stephane Chauveau discovered that the graphics protocol implementation in Kitty, a GPU-based terminal emulator, did not sanitise a filename when returning an error message, which could result in the execution of arbitrary shell commands when displaying a file with cat. For the stable distribution (buster), this problem has been fixed in version 0.13.3-1+deb10u1. We recommend that you upgrade your kitty packages. For the detailed security status of kitty please refer to its security tracker page at: https://security-tracker.debian.org/tracker/kitty Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl/nf+gACgkQEMKTtsN8 TjZmPhAAl3JjKumCl+EttbyMLTmhss4CrTbABRemYx5CXY3FJnbAn9DlhL7fgah9 kCfa94dzDrHf3bh2NTmGnVR/VakYrfEq3TZwqRJRUlAnld+d5pZsD8ODLjRi4UNG +tE4mBRWMXMJGZVuVzN+2+8Obdi8M2IqMrgKvGD07DiQsbHueBicuNxa/mV1PnSR TNWUifX8gZemId48Mkjr1aMLeZSTfJZWB6EkiaUfsSU1aTldhmnhB2xZM0DM/d8N tjRYZyrnKBlDgKepr7btzY422w2dDDzxfYRz254dVQ0tMcedTuufe0Q0wRFuiYXA B97DJanSJag8zNMVfY17bNyRD1oAC6cW3gftXbPyg/F0ClmHB3S6Sd1qO8PAi4IG 2A43gbpxCtbdSI7nLjwlJ1nGWrbxQxP3/ns1J5dHBMeLrjK3Nw6eiSJOo07pp4vv ZB0ax3poY7y+PM+5O9kyLn5A0FCgz7faZODQQa9XGT9ZneHfRap5NQ8Z8Ba+O51Y /q+KJUrB+Q83XpQjnW7HoHLrkEMDsop1+ET+AwfdBUv+KuXIPSC8m3k2Iu8EsifL 0A1H9SYkk5s+uJsCtxsh5d0NnusOKyTrtyhM930MEgQzEOFguGDdFHEbNJcxr8KS Ng4HAT+TMymwIECt2DrxHFpGJHxIeGPuGWts6WggzTdJSAZ6hEY= =yJ+p -----END PGP SIGNATURE-----