Arbitrary code execution through kitty-open.desktop file association

Published: Sep 23 2023

In Debian kitty package, the kitty-open.desktop file would associate kitty +open with several MIME types. This could be used to arbitrary trigger code execution by serving a file with such a MIME type.

This has been introduced in kitty in 73a197fcd (2022-02-06) released as part of v0.24.3. This has been fixed in v0.26.5-5 of the Debian kitty package. Fixed upstream in 537cabca7 released in v0.29.0. Other distributions such as Ubuntu Lunar are still impacted.

Analysing structured log files with simple tools

Published: Sep 17 2023

Some tools and other notes when you just want to analyze your structured log files locally using simple tools with a focus for newline-delimited JSON (NDJSON) / JSON lines / JSON Text Sequences.

Simple terminal image display using the iTerm2 image protocol

Published: Aug 29 2023

A simple way to display image in a terminal using the iTerm2 image protocol. This is supported by iTerm2, WezTerm, recent versions of Konsole.

Shell command and Emacs Lisp injection in emacsclient-mail.desktop

Published: Jun 8 2023

Shell command injection and Emacs Lisp injection vulnerabilities in one of the Emacs Desktop Entry (emacsclient-mail.desktop) leading to arbitrary code execution through a crafted mailto: URI.

Arbitrary file write in Stellarium file association

Published: Jun 8 2023

I found an arbitrary file write vulnerability (through path traversal) which would be exploited for arbitrary code execution in Stellarium (desktop version).

MIME-type spoofing in Firefox/Thunderbird and file managers

Published: Mar 7 2023

An interesting spoofing attack resulting from the interaction between Firefox (or Thunderbird) MIME types handling and file managers.

Code execution through MIME-type association of Mono interpreter

Published: Feb 28 2023

A dangerous file type association in Debian which could be used to trigger arbitrary code execution.

Using a Kap&Link smart card reader with CPS3 smart cards on Linux

Published: Feb 19 2023

Tutorial on how to get Carte Professionnel de Santé 3 (CPS3) smart cards work with Firefox under Linux with a Kap&Link smart card reader. It has some information to understand the related lingo, how the different components interact and how you might try to enable support for a PC/SC (Personal computer/Smart Card) / CCID (Chip/Smart Card Interface Devices) smart card reader which is not supported by the driver.