CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166
-
Good day,
Is there any feedback on the following CVEs?
CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166
When can we expect a patched version to be released?
-
This has already drawn some attention in the press. heise.de, a popular German IT news site, mentions this quite prominently: https://www.heise.de/news/Entwickler-von-Notepad-ignoriert-offensichtlich-Sicherheitsluecken-9289124.html
The original report can be found here: https://securitylab.github.com/advisories/GHSL-2023-092_Notepad__/
-
@Scorpius said in CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166:
Is there any feedback on the following CVEs?
Has this been made into a formal “issue” for Notepad++?
Apparently the developer has been “contacted” but the official means (for tracking purposes, so the developer doesn’t lose sight of it) would be through an issue.
-
Has this been made into a formal “issue” for Notepad++?
Just two private security notices and at least one private pull request, all in the past four months: https://securitylab.github.com/advisories/GHSL-2023-092_Notepad__
-
Though today, months after the “private report”, someone finally bothered to make a public issue, after the public shaming and news articles were published. https://github.com/notepad-plus-plus/notepad-plus-plus/issues/14073
-
@PeterJones It’s industry standard to report the issue to the maintainer directly, privately, to give them time to review and implement a fix before the security researchers make the information public.
The security researchers reported this in April and have had responses from the developer; they have then waited four months (longer than a lot of other security researchers; I believe the Google security team gives 90 days from initial contact).
-
@Alan-Kilborn said in CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166:
Apparently the developer has been “contacted” but the official means (for tracking purposes, so the developer doesn’t lose sight of it) would be through an issue.
GitHub has a built-in mechanism for projects to have this tracked by the developers without making all the details public, which could potentially help malicious actors figure out how to create a virus/malware and start exploiting it.
-
Just want to observe that it looks like fixes have finally made it into master:
https://github.com/notepad-plus-plus/notepad-plus-plus/commit/5402622abc1e0fd9477d3e4645240cc97791c081
https://github.com/notepad-plus-plus/notepad-plus-plus/commit/4b66d80b2f310fc3d6948c36ca44608b3b9a7a5d
https://github.com/notepad-plus-plus/notepad-plus-plus/commit/8c561ba74b35a48d102f9057ff20491f6be05ca7
https://github.com/notepad-plus-plus/notepad-plus-plus/commit/ea063246f16a73334ce84934152499c249e626f6
At least that appears to be the case based on my non-super-clear understanding of reading the securitylab.github.com advisory.
-
@Mark-Olson said in CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166:
Just want to observe that it looks like fixes have finally made it into master:
And into v8.5.7 RC, so the fixes will be in the next release in the very near future.