Version in base suite: 24.12.3-2 Base version: kdenlive_24.12.3-2 Target version: kdenlive_24.12.3-2+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/k/kdenlive/kdenlive_24.12.3-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/k/kdenlive/kdenlive_24.12.3-2+deb13u1.dsc changelog | 8 +++++++ patches/02-CVE-2026-45184.diff | 42 +++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 51 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpzh_rdvjp/kdenlive_24.12.3-2.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpzh_rdvjp/kdenlive_24.12.3-2+deb13u1.dsc: no acceptable signature found diff -Nru kdenlive-24.12.3/debian/changelog kdenlive-24.12.3/debian/changelog --- kdenlive-24.12.3/debian/changelog 2025-07-11 08:40:34.000000000 +0000 +++ kdenlive-24.12.3/debian/changelog 2026-05-21 08:43:39.000000000 +0000 @@ -1,3 +1,11 @@ +kdenlive (24.12.3-2+deb13u1) trixie-security; urgency=high + + * Add patch 02-CVE-2026-45184: Dangerous proxy parameters, when an + attacker-controlled project file is used. + Closes: #1136172 + + -- Patrick Matthäi Thu, 21 May 2026 10:43:39 +0200 + kdenlive (24.12.3-2) unstable; urgency=medium * Merge upstream signing key with sq tool. diff -Nru kdenlive-24.12.3/debian/patches/02-CVE-2026-45184.diff kdenlive-24.12.3/debian/patches/02-CVE-2026-45184.diff --- kdenlive-24.12.3/debian/patches/02-CVE-2026-45184.diff 1970-01-01 00:00:00.000000000 +0000 +++ kdenlive-24.12.3/debian/patches/02-CVE-2026-45184.diff 2026-05-21 08:43:39.000000000 +0000 @@ -0,0 +1,42 @@ +Description: Fix CVE-2026-45184 (RCE via malicious project file) +Origin: upstream, https://commits.kde.org/kdenlive/94042ddd259551e4a7a5f6672329752972c84685 +Origin: upstream, https://commits.kde.org/kdenlive/c3999aacc6da54756f3df8aab03b900459562ecd +Author: Jean-Baptiste Mardelle +Bug: https://kde.org/info/security/advisory-20260508-1.txt +Forwarded: not-needed +Last-Update: 2026-05-21 + +--- a/src/jobs/proxytask.cpp ++++ b/src/jobs/proxytask.cpp +@@ -231,8 +231,10 @@ void ProxyTask::run() + return; + } + // Only output error data, make sure we don't block when proxy file already exists +- QStringList parameters = {QStringLiteral("-hide_banner"), QStringLiteral("-y"), QStringLiteral("-stats"), QStringLiteral("-v"), +- QStringLiteral("error")}; ++ QStringList parameters = {QStringLiteral("-hide_banner"), QStringLiteral("-y"), QStringLiteral("-stats"), ++ QStringLiteral("-v"), QStringLiteral("error"), QStringLiteral("-protocol_whitelist"), ++ QStringLiteral("file,pipe")}; ++ + m_jobDuration = int(binClip->duration().seconds()); + if (binClip->hasProducerProperty(QStringLiteral("kdenlive:camcorderproxy"))) { + // ffmpeg -an -i proxy.mp4 -vn -i original.MXF -map 0:v -map 1:a -c:v copy out.MP4 +@@ -247,6 +249,18 @@ void ProxyTask::run() + if (proxyParams.isEmpty()) { + // Automatic setting, decide based on hw support + proxyParams = pCore->currentDoc()->getAutoProxyProfile(); ++ } else { ++ // Sanitize parameters ++ const QStringList blockedParams = { ++ QStringLiteral("attach"), QStringLiteral("metadata"), QStringLiteral("null"), QStringLiteral("dump"), ++ QStringLiteral("concat"), QStringLiteral("safe"), QStringLiteral("ladspa"), QStringLiteral("protocol_whitelist")}; ++ for (auto &b : blockedParams) { ++ if (proxyParams.contains(b)) { ++ // Unwanted param found, discard parameters ++ proxyParams = pCore->currentDoc()->getAutoProxyProfile(); ++ break; ++ } ++ } + } + int proxyResize = pCore->currentDoc()->getDocumentProperty(QStringLiteral("proxyresize")).toInt(); + if (!proxyParams.contains(QLatin1String("mjpeg")) && !proxyParams.contains(QLatin1String("mpeg2video"))) { diff -Nru kdenlive-24.12.3/debian/patches/series kdenlive-24.12.3/debian/patches/series --- kdenlive-24.12.3/debian/patches/series 2025-07-11 08:40:34.000000000 +0000 +++ kdenlive-24.12.3/debian/patches/series 2026-05-21 08:43:39.000000000 +0000 @@ -1 +1,2 @@ 01-disable-autoupdate.diff +02-CVE-2026-45184.diff