Version in base suite: 0.41.1-2
Base version: kitty_0.41.1-2
Target version: kitty_0.41.1-2+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/k/kitty/kitty_0.41.1-2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/k/kitty/kitty_0.41.1-2+deb13u1.dsc
changelog | 7 +++++++
patches/0016-CVE-2026-33633.patch | 19 +++++++++++++++++++
patches/0017-CVE-2026-33642.patch | 27 +++++++++++++++++++++++++++
patches/series | 2 ++
4 files changed, 55 insertions(+)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpzl1l5291/kitty_0.41.1-2.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpzl1l5291/kitty_0.41.1-2+deb13u1.dsc: no acceptable signature found
diff -Nru kitty-0.41.1/debian/changelog kitty-0.41.1/debian/changelog
--- kitty-0.41.1/debian/changelog 2025-06-05 15:09:21.000000000 +0000
+++ kitty-0.41.1/debian/changelog 2026-05-22 19:24:52.000000000 +0000
@@ -1,3 +1,10 @@
+kitty (0.41.1-2+deb13u1) trixie-security; urgency=medium
+
+ * Add patches to fix CVE-2026-33642 and CVE-2026-33633
+ Closes: #1137210
+
+ -- Nilesh Patra Sat, 23 May 2026 00:54:52 +0530
+
 kitty (0.41.1-2) unstable; urgency=medium

 * Backport upstream patch to fixup FTBFS on s390x
diff -Nru kitty-0.41.1/debian/patches/0016-CVE-2026-33633.patch kitty-0.41.1/debian/patches/0016-CVE-2026-33633.patch
--- kitty-0.41.1/debian/patches/0016-CVE-2026-33633.patch 1970-01-01 00:00:00.000000000 +0000
+++ kitty-0.41.1/debian/patches/0016-CVE-2026-33633.patch 2026-05-22 19:24:19.000000000 +0000
@@ -0,0 +1,19 @@
+From 48ab623f594d60dbbfb1e767d9686d380ce547fb Mon Sep 17 00:00:00 2001
+From: Kovid Goyal
+Date: Sat, 21 Mar 2026 17:23:06 +0530
+Subject: [PATCH] Graphics protocol: Fix crash when handling invalid PNG image
+ with direct transmission
+
+diff --git a/kitty/graphics.c b/kitty/graphics.c
+index 3cfec4ba39e..944c21dab55 100644
+--- a/kitty/graphics.c
++++ b/kitty/graphics.c
+@@ -555,7 +555,7 @@ load_image_data(GraphicsManager *self, Image *img, const GraphicsCommand *g, con
+ case 'd': // direct
+ if (load_data->buf_capacity - load_data->buf_used < g->payload_sz) {
+ if (load_data->buf_used + g->payload_sz > MAX_DATA_SZ || data_fmt != PNG) ABRT("EFBIG", "Too much data");
+- load_data->buf_capacity = MIN(2 * load_data->buf_capacity, MAX_DATA_SZ);
++ load_data->buf_capacity = MAX(MIN(2 * load_data->buf_capacity, MAX_DATA_SZ), load_data->buf_used + g->payload_sz);
+ load_data->buf = realloc(load_data->buf, load_data->buf_capacity);
+ if (load_data->buf == NULL) {
+ load_data->buf_capacity = 0; load_data->buf_used = 0;
diff -Nru kitty-0.41.1/debian/patches/0017-CVE-2026-33642.patch kitty-0.41.1/debian/patches/0017-CVE-2026-33642.patch
--- kitty-0.41.1/debian/patches/0017-CVE-2026-33642.patch 1970-01-01 00:00:00.000000000 +0000
+++ kitty-0.41.1/debian/patches/0017-CVE-2026-33642.patch 2026-05-22 19:24:19.000000000 +0000
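Review bot: `load_data->buf = realloc(load_data->buf, load_data->buf_capacity);` on the new side of the embedded hunk still writes the result straight over the only visible copy of the pointer, so when realloc fails the `buf_capacity = 0; buf_used = 0;` branch that follows has already lost the old block and cannot release it (unless a copy is held elsewhere, which the hunk does not show) — a leak on every allocation failure of this path. Keeping the old pointer until the result is checked, `void *grown = realloc(load_data->buf, load_data->buf_capacity); if (grown == NULL) { free(load_data->buf); load_data->buf = NULL; …` closes it; this is pre-existing code the CVE fix does not touch, so it belongs in a follow-up rather than the security upload. The new capacity expression itself is sound: the preceding `buf_used + payload_sz > MAX_DATA_SZ` check bounds the MAX() result to MAX_DATA_SZ, and it also recovers the `buf_capacity == 0` state left behind by that failure branch, where doubling alone would have produced a zero-sized buffer. The rest of load_image_data, including how the failure branch ends, lies outside the hunk.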
@@ -0,0 +1,27 @@
+From e9661f0f3afb4e4dbffa509adfb3df3c9780ad34 Mon Sep 17 00:00:00 2001
+From: Kovid Goyal
+Date: Sun, 22 Mar 2026 21:49:12 +0530
+Subject: [PATCH] Graphics protocol: Fix crash when handling invalid offset
+ values in graphics compose commands
+
+---
+ docs/changelog.rst | 2 ++
+ kitty/graphics.c | 7 ++++---
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+--- a/kitty/graphics.c
++++ b/kitty/graphics.c
+@@ -1825,9 +1825,10 @@
+ set_command_failed_response("ENOENT", "No destination frame number %u exists in image id: %u\n", g->other_frame_number, img->client_id);
+ return;
+ }
+- const unsigned int width = g->width ? g->width : img->width;
+- const unsigned int height = g->height ? g->height : img->height;
+- const unsigned int dest_x = g->x_offset, dest_y = g->y_offset, src_x = g->cell_x_offset, src_y = g->cell_y_offset;
++ // Use uint64_t to avoid overflow when testing for validity. All dimensions are 32bit numbers.
++ const uint64_t width = g->width ? g->width : img->width;
++ const uint64_t height = g->height ? g->height : img->height;
++ const uint64_t dest_x = g->x_offset, dest_y = g->y_offset, src_x = g->cell_x_offset, src_y = g->cell_y_offset;
+ if (dest_x + width > img->width || dest_y + height > img->height) {
+ set_command_failed_response("EINVAL", "The destination rectangle is out of bounds");
+ return;
diff -Nru kitty-0.41.1/debian/patches/series kitty-0.41.1/debian/patches/series
--- kitty-0.41.1/debian/patches/series 2025-06-05 15:08:35.000000000 +0000
+++ kitty-0.41.1/debian/patches/series 2026-05-22 19:24:19.000000000 +0000
@@ -12,3 +12,5 @@
 0013-avoid-failing-font-tests-on-ci.patch
 0014-use-disintegration-imaging.patch
 0015-backport-s390x-ftbfs-fix.patch
+0016-CVE-2026-33633.patch
+0017-CVE-2026-33642.patch
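Review bot: The widened `if (dest_x + width > img->width || dest_y + height > img->height)` covers only the destination rectangle; `src_x` and `src_y` are widened in the same declaration, but any check that uses them lies past the hunk's final `return;`, so it cannot be confirmed here that the source-side comparison also runs in `uint64_t` rather than the 32-bit arithmetic this patch retires — worth verifying, since the same wraparound would recur there. The widening itself needs no further casts: with `width` and `dest_x` as `uint64_t`, the usual arithmetic conversions promote `img->width` for the comparison, and the added comment already records why the type changed. Separately, the embedded header lists `docs/changelog.rst` and `2 files changed, 6 insertions(+), 3 deletions(-)` while the body carries only the kitty/graphics.c hunk; regenerating the patch without the stat, or trimming those lines, keeps the header consistent with what quilt applies. The enclosing function begins before the hunk and continues after it.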