I've just received a large number of bugs against KiCad, supposedly due to
CVE-2022-23803, CVE-2022-23804, CVE-2022-23946, CVE-2022-23947.
I don't have time to look into them, but I wanted to make them known. There
are apparently also bugs for this on the Gentoo site - here is one:
https://b
All 4 CVEs were fixed in the 6.0.2 release and the release announcement was
updated last night to say this (to coincide with the public disclosure that
happened today). There will be another email on the developer list later
today with more details.
-Ian
On Wed, Feb 16, 2022 at 2:18 PM Steven A.
Excellent! I'll note that on the Fedora bugs.
Thanks,
Steve
On 2/16/22 09:44 AM, Ian McInerney wrote:
All 4 CVEs were fixed in the 6.0.2 release and the release announcement was
updated last night to say this (to coincide with the public disclosure that
happened today). There
One additional question - I know that 5.1.12 was the last planned release in
the 5.x series, and that 5.1.12 has the vulnerability. Currently, because of
Fedora policy, both F34 and F35 still ship 5.1.12.
I'll ask on the Fedora list if this event qualifies as an exception to the
policy, but i
Distributions that would like to release a patched version of 5.1, 5.0 or
4.0 can cherry-pick the patch series. They should apply cleanly.
Seth
On Wed, Feb 16, 2022 at 9:16 AM Steven A. Falco
wrote:
> One additional question - I know that 5.1.12 was the last planned release
> in the 5.x series
Hi Folks-
On February 1 and 2, we received reports from Cisco Talos of
vulnerabilities in the text handling used by GerbView to parse Gerber and
drill files.
We addressed these reports immediately and scheduled a release for version
6.0.2 to get the fixes out to our user base as soon as possible.
I found "Fix overflow vulnerability in Gerbview" and possibly "Fix relative return
with nullptr condition". Are there other patches in the series, or are those two the only
ones that are needed?
I tried grepping the log for CVE, but didn't find much...
Steve
On 2/16/22 01:17 PM, Seth
On 16/02/2022 at 19:38, Steven A. Falco wrote:
I found "Fix overflow vulnerability in Gerbview" and possibly "Fix
relative return with nullptr condition". Are there other patches in
the series, or are those two the only ones that are needed?
I tried grepping the log for CVE, but didn't fin