Security: Two problems in kitty
Name: Two problems in kitty
ID: USN-5659-1
Distribution: Ubuntu
Platforms: Ubuntu 20.04 LTS, Ubuntu 22.04 LTS
Date: Thu, October 6, 2022, 06:37
References:
https://launchpad.net/ubuntu/+source/kitty/0.21.2-1ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/kitty/0.15.0-1ubuntu0.2
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35605
https://ubuntu.com/security/notices/USN-5659-1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41322
Applications: kitty

Original message:
From: Mark Esler <mark.esler@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-5659-1] kitty vulnerabilities
==========================================================================
Ubuntu Security Notice USN-5659-1
October 05, 2022

kitty vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
kitty could be made to run programs if it opened a specially crafted image or desktop notification.
Software Description:
- kitty: fast, featureful, GPU based terminal emulator
Details:
Stephane Chauveau discovered that kitty incorrectly handled image filenames with special characters in error messages. A remote attacker could possibly use this to execute arbitrary commands. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-35605)
Carter Sande discovered that kitty incorrectly handled escape sequences in desktop notifications. A remote attacker could possibly use this to execute arbitrary commands. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-41322)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 22.04 LTS: kitty 0.21.2-1ubuntu0.22.04.1
Ubuntu 20.04 LTS: kitty 0.15.0-1ubuntu0.2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5659-1
CVE-2020-35605, CVE-2022-41322
Package Information:
https://launchpad.net/ubuntu/+source/kitty/0.21.2-1ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/kitty/0.15.0-1ubuntu0.2
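
The version check implied by the update instructions, as an added example that is not part of the original notice: it compares an installed kitty version against the fixed version this notice lists for each release and names the CVE that remains open. It assumes a Debian-based host with dpkg; the function names are hypothetical and the sample "installed" versions are constructed.

```shell
#!/bin/sh
# Added example: classify a kitty package version against USN-5659-1.
# Fixed versions and the per-release CVE mapping are taken from the notice.

# usn5659_status VERSION_ID INSTALLED_VERSION
# Returns 0 = fixed, 1 = vulnerable, 2 = release not covered, 3 = dpkg missing.
usn5659_status() {
    release=$1
    installed=$2
    command -v dpkg >/dev/null 2>&1 || { echo "dpkg not found" >&2; return 3; }
    case "$release" in
        22.04) fixed="0.21.2-1ubuntu0.22.04.1"; cve="CVE-2022-41322" ;;
        20.04) fixed="0.15.0-1ubuntu0.2";       cve="CVE-2020-35605" ;;
        *) echo "release $release: not covered by USN-5659-1"; return 2 ;;
    esac
    # dpkg applies Debian version ordering; a plain string compare would
    # misorder revisions such as "1" and "1ubuntu0.2".
    if dpkg --compare-versions "$installed" ge "$fixed"; then
        echo "kitty $installed: fixed for $cve (>= $fixed)"
        return 0
    fi
    echo "kitty $installed: VULNERABLE to $cve, update to $fixed"
    return 1
}

# check_host: read the running release and installed kitty version, then classify.
check_host() {
    # VERSION_ID in /etc/os-release is e.g. "22.04" on Ubuntu.
    release=$(. /etc/os-release && echo "$VERSION_ID")
    # dpkg-query fails when the package is unknown to dpkg.
    installed=$(dpkg-query -W -f='${Version}' kitty 2>/dev/null) || installed=""
    if [ -z "$installed" ]; then
        echo "kitty is not installed"
        return 0
    fi
    usn5659_status "$release" "$installed"
}

# Constructed sample inputs (the pre-update version string is an assumption):
usn5659_status 22.04 "0.21.2-1" || true
usn5659_status 20.04 "0.15.0-1ubuntu0.2" || true
```

Run `check_host` on the machine itself; the return code makes it usable as a fleet compliance probe.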