Bugzilla – Bug 1180298
VUL-0: CVE-2020-35605: kitty: RCE because of filename containing special characters
Last modified: 2021-01-07 20:17:15 UTC
rh#1910073

The Graphics Protocol feature in graphics.c in kitty before 0.19.3 allows remote attackers to execute arbitrary code because a filename containing special characters can be included in an error message.

Reference: https://github.com/kovidgoyal/kitty/issues/3128
Upstream patch: https://github.com/kovidgoyal/kitty/commit/82c137878c2b99100a3cdc1c0f0efea069313901

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1910073
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35605
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35605
https://github.com/kovidgoyal/kitty/commit/82c137878c2b99100a3cdc1c0f0efea069313901
https://github.com/kovidgoyal/kitty/issues/3128
SR#860182 to Leap 15.2.
For Tumbleweed this was fixed one week ago with SR#859010.
This is an autogenerated message for OBS integration:
This bug (1180298) was mentioned in
https://build.opensuse.org/request/show/860182 15.2 / kitty
openSUSE-SU-2021:0025-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1180298
CVE References: CVE-2020-35605
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): kitty-0.16.0-lp152.2.3.1