{"version": "https://jsonfeed.org/version/1", "title": "/dev/posts/ - Tag index - kitty", "home_page_url": "https://www.gabriel.urdhr.fr", "feed_url": "/tags/kitty/feed.json", "items": [{"id": "http://www.gabriel.urdhr.fr/2023/09/23/code-execution-through-kitty-open/", "title": "Arbitrary code execution through kitty-open.desktop file association", "url": "https://www.gabriel.urdhr.fr/2023/09/23/code-execution-through-kitty-open/", "date_published": "2023-09-23T00:00:00+02:00", "date_modified": "2023-09-23T00:00:00+02:00", "tags": ["computer", "security", "terminal", "kitty"], "content_html": "<p>In the Debian <code>kitty</code> package, the\n<code>kitty-open.desktop</code> file would associate <code>kitty +open</code> with several MIME types.\nThis could be used to trigger arbitrary code execution by serving a\nfile with such a MIME type.</p>\n<p>This was introduced in kitty in <a href=\"https://github.com/kovidgoyal/kitty/commit/73a197fcd\">73a197fcd</a> (2022-02-06),\nreleased as part of v0.24.3.\nThis has been fixed in v0.26.5-5 of the Debian kitty package.\nIt was fixed upstream in\n<a href=\"https://github.com/kovidgoyal/kitty/commit/537cabca7\">537cabca7</a>,\nreleased in v0.29.0.\nOther distributions\nsuch as <a href=\"https://packages.ubuntu.com/lunar/kitty\">Ubuntu Lunar</a>\nare still impacted.</p>\n"}]}