Input injection via graphic protocol #3128
Comments
|
Humm... closed after 7 minutes ... |
|
Seriously, you are complaining that I fixed your bug in seven minutes? |
|
Sorry! Closing a bug without any comment is usually a sign that it was rejected. |
|
I probably missed the commit message or my page did not refresh correctly. |
|
No worries, the point is the bug is fixed. |
|
Hi @schauveau |
|
The Debian bug was ready to go but I do not remember sending it. The problem was fixed very quickly by @kovidgoyal |
|
@schauveau reporting this to the distributions is the use case for CVEs. Edit: I submitted a request via MITRE CVE form. |
|
It's CVE-2020-35605. |
The Graphics Protocol feature in graphics.c in kitty before 0.19.3 allows remote attackers to execute arbitrary code because a filename containing special characters can be included in an error message. kovidgoyal/kitty#3128 Fixes: CVE-2020-35605
Describe the bug
When attempting to load an image file, the graphic protocol can reply with a message containing the faulty image filename in a decoded form (i.e. not base64) thus allowing for arbitrary input to be inserted.
To Reproduce
Here is a simple example showing how an attacker could craft a README.txt file that would cause the execution of arbitrary commands when displayed using `cat` on kitty.
In Kitty, run `cat README.txt` from the shell prompt to perform the input injection.
Remark: The other failed commands are caused by the rest of the escape reply. The input sequence ESC+underscore is typically interpreted by readline as the command yank-last-arg thus causing the last argument of the last command (in that case, that is "README.txt") to be inserted.
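As an added example (not code from the kitty project or from this issue), one way to stop a filename from carrying control bytes into an escape-code reply is to reduce it to printable ASCII before embedding it, then check the finished reply. The function names, the `ESC _ G i=<id>;<message> ESC \` framing as written here, the message text and the sample filename are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy `in` to `out`, replacing every byte outside printable ASCII
 * (0x20..0x7e) with '?'. ESC, newline, DEL, C1 controls and raw UTF-8
 * bytes are all removed, so the name cannot end the reply early or be
 * read back as key input. Returns the number of bytes replaced. */
size_t sanitize_for_reply(const char *in, char *out, size_t outsz) {
    size_t replaced = 0, o = 0;
    if (outsz == 0) return 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < outsz; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c < 0x20 || c > 0x7e) { out[o++] = '?'; replaced++; }
        else out[o++] = (char)c;
    }
    out[o] = '\0';
    return replaced;
}

/* Build an error reply framed as ESC _ G i=<id> ; <message> ESC \ .
 * The message text is hypothetical; only the sanitized name is embedded.
 * Returns the reply length, or -1 if it does not fit in `buf`. */
int build_error_reply(unsigned id, const char *filename, char *buf, size_t bufsz) {
    char safe[128];
    sanitize_for_reply(filename, safe, sizeof safe);
    int n = snprintf(buf, bufsz, "\x1b_Gi=%u;EBADF:cannot open %s\x1b\\", id, safe);
    return (n < 0 || (size_t)n >= bufsz) ? -1 : n;
}

/* Check helper: 1 if everything between the leading "ESC _" and the
 * final "ESC \" is printable ASCII, 0 otherwise. */
int reply_payload_is_clean(const char *reply, int len) {
    if (len < 4 || memcmp(reply, "\x1b_", 2) != 0 ||
        memcmp(reply + len - 2, "\x1b\\", 2) != 0) return 0;
    for (int i = 2; i < len - 2; i++) {
        unsigned char c = (unsigned char)reply[i];
        if (c < 0x20 || c > 0x7e) return 0;
    }
    return 1;
}

int main(void) {
    /* Constructed sample name holding ESC, a backslash and a newline. */
    char buf[256];
    int n = build_error_reply(7, "pic\x1b\\\nname.png", buf, sizeof buf);
    printf("length=%d clean=%d\n", n, reply_payload_is_clean(buf, n));
    return 0;
}
```

Leaving the filename out of the reply altogether avoids the problem without any filtering; the sanitizer is for cases where the name must be reported.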