Stephane Chauveau

Name of the Vulnerable Software and Affected Versions: kitty versions prior to 0.19.3 Description: The Graphics Protocol feature in the graphics.c file of kitty allows remote attackers to execute arbitrary code because a filename containing special characters can be included in an error message. This issue is related to the lack of filename sanitization when returning an error message, which can be exploited by remote attackers to gain access to confidential data, disrupt its integrity, and cause a denial of service. Recommendations: For kitty versions prior to 0.19.3, update to version 0.19.3 or later to resolve the issue. As a temporary workaround, consider disabling the Graphics Protocol feature until a patch is available. Restrict access to the graphics.c file to minimize the risk of exploitation. Avoid using filenames containing special characters in the affected Graphics Protocol feature until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OProfile versions 0.9.6 and earlier **Description** A directory traversal issue exists, potentially allowing local users to overwrite arbitrary files by providing a .. (dot dot) in the `--save` argument, related to the `--session-dir` argument. **Recommendations** For OProfile versions 0.9.6 and earlier, consider restricting access to the `utils/opcontrol` component to minimize the risk of exploitation. Avoid using the `--save` argument with untrusted input until the issue is resolved.