CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166
-
Good day,
Is there any feedback on the following CVEs?
CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166
When can we expect a patched version to be released?
-
This has already drawn some attention in the press. heise.de, a popular German IT news site, mentions this quite prominently: https://www.heise.de/news/Entwickler-von-Notepad-ignoriert-offensichtlich-Sicherheitsluecken-9289124.html
The original report can be found here: https://securitylab.github.com/advisories/GHSL-2023-092_Notepad__/
-
@Scorpius said in CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166:
Is there any feedback on the following CVEs?
Has this been made into a formal “issue” for Notepad++?
Apparently the developer has been “contacted” but the official means (for tracking purposes, so the developer doesn’t lose sight of it) would be through an issue.
-
Has this been made into a formal “issue” for Notepad++?
Just two private security notices and at least one private pull request, all in the past four months: https://securitylab.github.com/advisories/GHSL-2023-092_Notepad__
-
Though today, months after the “private report”, someone finally bothered to make a public issue, after the public shaming and news articles were published. https://github.com/notepad-plus-plus/notepad-plus-plus/issues/14073
-
@PeterJones It’s industry standard to report the issue to the maintainer directly, privately, to give them time to review and implement a fix before the security researchers make the information public.
The security researchers reported this in April, have had responses from the developer, and have then waited four months (longer than a lot of other security researchers; I believe the Google security team gives 90 days from initial contact).
-
@Alan-Kilborn said in CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166:
Apparently the developer has been “contacted” but the official means (for tracking purposes, so the developer doesn’t lose sight of it) would be through an issue.
GitHub has a built-in mechanism for projects to have this tracked by the developers without making all the details public, which could potentially help malicious actors figure out how to create a virus/malware and start exploiting it.
-
Just want to observe that it looks like fixes have finally made it into master:
https://github.com/notepad-plus-plus/notepad-plus-plus/commit/5402622abc1e0fd9477d3e4645240cc97791c081
https://github.com/notepad-plus-plus/notepad-plus-plus/commit/4b66d80b2f310fc3d6948c36ca44608b3b9a7a5d
https://github.com/notepad-plus-plus/notepad-plus-plus/commit/8c561ba74b35a48d102f9057ff20491f6be05ca7
https://github.com/notepad-plus-plus/notepad-plus-plus/commit/ea063246f16a73334ce84934152499c249e626f6
At least that appears to be the case based on my non-super-clear understanding of reading the securitylab.github.com advisory.
-
@Mark-Olson said in CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166:
Just want to observe that it looks like fixes have finally made it into master:
And into v8.5.7 RC, so the fixes will be in the next release in the very near future.