• Login
Community
  • Login

CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166

Scheduled Pinned Locked Moved Security
security
9 Posts 7 Posters 8.9k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • S
    Scorpius
    last edited by Aug 30, 2023, 5:23 AM

    Good day,

    Are there any feedback on the following CVEs?

    CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166

    When can we expect a patched version to be released?

    G A 2 Replies Last reply Aug 30, 2023, 9:54 AM Reply Quote 1
    • G
      gerdb42 @Scorpius
      last edited by Aug 30, 2023, 9:54 AM

      This has already drawn some attention in the press. heise.de , a popular german IT-newssite mentions this quite prominently: https://www.heise.de/news/Entwickler-von-Notepad-ignoriert-offensichtlich-Sicherheitsluecken-9289124.html

      The original report can be found here: https://securitylab.github.com/advisories/GHSL-2023-092_Notepad__/

      1 Reply Last reply Reply Quote 2
      • A
        Alan Kilborn @Scorpius
        last edited by Aug 30, 2023, 2:29 PM

        @Scorpius said in CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166:

        Are there any feedback on the following CVEs?

        Has this been made into a formal “issue” for Notepad++?
        Apparently the developer has been “contacted” but the official means (for tracking purposes, so the developer doesn’t lose sight of it) would be through an issue.

        R P S 3 Replies Last reply Aug 30, 2023, 5:06 PM Reply Quote 2
        • R
          rdipardo @Alan Kilborn
          last edited by rdipardo Aug 30, 2023, 5:07 PM Aug 30, 2023, 5:06 PM

          Has this been made into a formal “issue” for Notepad++?

          Just two private security notices and at least one private pull request, all in the past four months: https://securitylab.github.com/advisories/GHSL-2023-092_Notepad__

          1 Reply Last reply Reply Quote 0
          • P
            PeterJones @Alan Kilborn
            last edited by Aug 30, 2023, 6:49 PM

            @Alan-Kilborn ,

            Though today, months after the “private report”, someone finally bothered to make a public issue, after the public shaming and news articles were published. https://github.com/notepad-plus-plus/notepad-plus-plus/issues/14073

            S 1 Reply Last reply Aug 31, 2023, 6:34 AM Reply Quote 0
            • S
              Sam Jenkins @PeterJones
              last edited by Aug 31, 2023, 6:34 AM

              @PeterJones It’s industry standard to report the issue to the maintainer directly, privately, to give them time to review and implement a fix before the security researchers make the information public.

              The security researchers reported this in April, have had responses from the developer, they have then waited four months (longer than a lot of other security researchers, I believe the Google security team give 90 days from initial contact).

              1 Reply Last reply Reply Quote 4
              • S
                Sam Jenkins @Alan Kilborn
                last edited by Sam Jenkins Aug 31, 2023, 6:50 AM Aug 31, 2023, 6:36 AM

                @Alan-Kilborn said in CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166:

                Apparently the developer has been “contacted” but the official means (for tracking purposes, so the developer doesn’t lose sight of it) would be through an issue.

                GitHub has a built in mechanism for projects to have this tracked by the developers without making all the details public, which could potential help malicious actors to figure out how to create a virus/malware and start exploiting it.

                1 Reply Last reply Reply Quote 6
                • M
                  Mark Olson
                  last edited by Sep 3, 2023, 4:33 PM

                  Just want to observe that it looks like fixes have finally made it into master:
                  https://github.com/notepad-plus-plus/notepad-plus-plus/commit/5402622abc1e0fd9477d3e4645240cc97791c081
                  https://github.com/notepad-plus-plus/notepad-plus-plus/commit/4b66d80b2f310fc3d6948c36ca44608b3b9a7a5d
                  https://github.com/notepad-plus-plus/notepad-plus-plus/commit/8c561ba74b35a48d102f9057ff20491f6be05ca7
                  https://github.com/notepad-plus-plus/notepad-plus-plus/commit/ea063246f16a73334ce84934152499c249e626f6

                  at least that appears to be the case based on my non-super-clear understanding of reading the securitylab.github.com advisory.

                  P 1 Reply Last reply Sep 7, 2023, 4:26 PM Reply Quote 6
                  • P
                    PeterJones @Mark Olson
                    last edited by Sep 7, 2023, 4:26 PM

                    @Mark-Olson said in CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166:

                    Just want to observe that it looks like fixes have finally made it into master:

                    And into v8.5.7 RC, so the fixes will be in the next release in the very near future.

                    1 Reply Last reply Reply Quote 2
                    5 out of 9
                    • First post
                      5/9
                      Last post
                    The Community of users of the Notepad++ text editor.
                    Powered by NodeBB | Contributors