Version in base suite: 22.12.3-1 Base version: konsole_22.12.3-1 Target version: konsole_22.12.3-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/k/konsole/konsole_22.12.3-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/k/konsole/konsole_22.12.3-1+deb12u1.dsc changelog | 6 ++++++ patches/CVE-2025-49091.patch | 18 ++++++++++++++++++ patches/series | 1 + 3 files changed, 25 insertions(+)
diff -Nru konsole-22.12.3/debian/changelog konsole-22.12.3/debian/changelog
--- konsole-22.12.3/debian/changelog 2023-03-01 10:57:56.000000000 +0000
+++ konsole-22.12.3/debian/changelog 2025-06-11 18:12:08.000000000 +0000
@@ -1,3 +1,9 @@
+konsole (4:22.12.3-1+deb12u1) bookworm-security; urgency=medium
+
+ * CVE-2025-49091
+
+ -- Moritz Mühlenhoff Wed, 11 Jun 2025 20:12:08 +0200
+
 konsole (4:22.12.3-1) unstable; urgency=medium

 [ Aurélien COUDERC ]
diff -Nru konsole-22.12.3/debian/patches/CVE-2025-49091.patch konsole-22.12.3/debian/patches/CVE-2025-49091.patch
--- konsole-22.12.3/debian/patches/CVE-2025-49091.patch 1970-01-01 00:00:00.000000000 +0000
+++ konsole-22.12.3/debian/patches/CVE-2025-49091.patch 2025-06-11 12:12:33.000000000 +0000
@@ -0,0 +1,18 @@
+From 09d20dea109050b4c02fb73095f327b5642a2b75 Mon Sep 17 00:00:00 2001
+From: Kurt Hindenburg
+Date: Wed, 28 May 2025 18:54:39 -0400
+Subject: [PATCH] Clear the arguments if the command is not found
+
+--- konsole-22.12.3.orig/src/session/Session.cpp
++++ konsole-22.12.3/src/session/Session.cpp
+@@ -461,8 +461,10 @@ void Session::run()
+ // if a program was specified via setProgram(), but it couldn't be found (but a fallback was), print a warning
+ if (exec != checkProgram(_program)) {
+ terminalWarning(i18n("Could not find '%1', starting '%2' instead. Please check your profile settings.", _program, exec));
++ _arguments.clear(); // ignore args if program is invalid
+ } else if (exec != checkProgram(exec)) {
+ terminalWarning(i18n("Could not find '%1', starting '%2' instead. Please check your profile settings.", exec, checkProgram(exec)));
++ _arguments.clear(); // ignore args if program is invalid
+ }
+
+ // if no arguments are specified, fall back to program name
diff -Nru konsole-22.12.3/debian/patches/series konsole-22.12.3/debian/patches/series
--- konsole-22.12.3/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ konsole-22.12.3/debian/patches/series 2025-06-11 12:12:22.000000000 +0000
@@ -0,0 +1 @@
+CVE-2025-49091.patch
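Review bot: In the Session.cpp hunk carried by debian/patches/CVE-2025-49091.patch, the comment on both added `_arguments.clear()` lines says only "ignore args if program is invalid" and does not record why that matters: arguments written for the missing `_program` would otherwise be handed to whatever fallback `exec` resolved to. I would write it as `_arguments.clear(); // args were meant for the missing program; never pass them to the fallback (CVE-2025-49091)`. The clear also mutates the session's member rather than a local copy, so the original arguments are presumably gone for the rest of the session's lifetime; confirm nothing later expects to read them back. The statement after the hunk ("if no arguments are specified, fall back to program name") is cut off here, so it is worth checking that it fills in the resolved fallback rather than `_program`. No regression test accompanies the change; one that starts a session with a nonexistent program plus arguments and asserts the fallback is launched without them would pin the fix. Session::run() starts and ends outside the hunk.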