Version in base suite: 22.12.3-2+deb12u1 Base version: kdenlive_22.12.3-2+deb12u1 Target version: kdenlive_22.12.3-2+deb12u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/k/kdenlive/kdenlive_22.12.3-2+deb12u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/k/kdenlive/kdenlive_22.12.3-2+deb12u2.dsc changelog | 8 ++++++++ patches/02-CVE-2026-45184.diff | 39 +++++++++++++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 48 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp44q4trn5/kdenlive_22.12.3-2+deb12u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp44q4trn5/kdenlive_22.12.3-2+deb12u2.dsc: no acceptable signature found diff -Nru kdenlive-22.12.3/debian/changelog kdenlive-22.12.3/debian/changelog --- kdenlive-22.12.3/debian/changelog 2023-04-17 09:49:39.000000000 +0000 +++ kdenlive-22.12.3/debian/changelog 2026-05-21 14:42:50.000000000 +0000 @@ -1,3 +1,11 @@ +kdenlive (22.12.3-2+deb12u2) bookworm-security; urgency=high + + * Add patch 02-CVE-2026-45184: Dangerous proxy parameters, when an + attacker-controlled project file is used. + Closes: #1136172 + + -- Patrick Matthäi Thu, 21 May 2026 16:42:50 +0200 + kdenlive (22.12.3-2+deb12u1) testing-proposed-updates; urgency=medium * Bump version and upload to t-p-u. diff -Nru kdenlive-22.12.3/debian/patches/02-CVE-2026-45184.diff kdenlive-22.12.3/debian/patches/02-CVE-2026-45184.diff --- kdenlive-22.12.3/debian/patches/02-CVE-2026-45184.diff 1970-01-01 00:00:00.000000000 +0000 +++ kdenlive-22.12.3/debian/patches/02-CVE-2026-45184.diff 2026-05-21 14:42:50.000000000 +0000 @@ -0,0 +1,39 @@ +Description: Fix CVE-2026-45184 (RCE via malicious project file) +Origin: upstream, https://commits.kde.org/kdenlive/94042ddd259551e4a7a5f6672329752972c84685 +Origin: upstream, https://commits.kde.org/kdenlive/c3999aacc6da54756f3df8aab03b900459562ecd +Author: Jean-Baptiste Mardelle +Bug: https://kde.org/info/security/advisory-20260508-1.txt +Forwarded: not-needed +Last-Update: 2026-05-21 + +--- a/src/jobs/proxytask.cpp ++++ b/src/jobs/proxytask.cpp +@@ -259,7 +259,8 @@ void ProxyTask::run() + } + // Only output error data, make sure we don't block when proxy file already exists + QStringList parameters = {QStringLiteral("-hide_banner"), QStringLiteral("-y"), QStringLiteral("-stats"), +- QStringLiteral("-v"), QStringLiteral("error"), QStringLiteral("-noautorotate")}; ++ QStringLiteral("-v"), QStringLiteral("error"), QStringLiteral("-noautorotate"), ++ QStringLiteral("-protocol_whitelist"), QStringLiteral("file,pipe")}; + m_jobDuration = int(binClip->duration().seconds()); + QString proxyParams = pCore->currentDoc()->getDocumentProperty(QStringLiteral("proxyparams")).simplified(); + if (proxyParams.isEmpty()) { +@@ -265,6 +266,18 @@ void ProxyTask::run() + if (proxyParams.isEmpty()) { + // Automatic setting, decide based on hw support + proxyParams = pCore->currentDoc()->getAutoProxyProfile(); ++ } else { ++ // Sanitize parameters ++ const QStringList blockedParams = { ++ QStringLiteral("attach"), QStringLiteral("metadata"), QStringLiteral("null"), QStringLiteral("dump"), ++ QStringLiteral("concat"), QStringLiteral("safe"), QStringLiteral("ladspa"), QStringLiteral("protocol_whitelist")}; ++ for (auto &b : blockedParams) { ++ if (proxyParams.contains(b)) { ++ // Unwanted param found, discard parameters ++ proxyParams = pCore->currentDoc()->getAutoProxyProfile(); ++ break; ++ } ++ } + } + int proxyResize = pCore->currentDoc()->getDocumentProperty(QStringLiteral("proxyresize")).toInt(); + bool nvenc = proxyParams.contains(QStringLiteral("%nvcodec")); diff -Nru kdenlive-22.12.3/debian/patches/series kdenlive-22.12.3/debian/patches/series --- kdenlive-22.12.3/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 +++ kdenlive-22.12.3/debian/patches/series 2026-05-21 14:42:50.000000000 +0000 @@ -0,0 +1 @@ +02-CVE-2026-45184.diff