
kicad-developers team mailing list archive

CVE announcement

Hi Folks-

On February 1 and 2, we received reports from Cisco Talos of
vulnerabilities in the text handling used by GerbView to parse Gerber and
drill files.

We addressed these reports immediately and scheduled a release for version
6.0.2 to get the fixes out to our user base as soon as possible.

There are 4 CVE reports [1][2][3][4].  Each presents a potential buffer
overflow attack from a specially-crafted Gerber file.  Our fixes removed
the use of static-sized buffers, preventing this type of attack in the
future.

We coordinated with Cisco Talos on the release of the CVEs, following the
full release of KiCad 6.0.2.  All users are encouraged to upgrade their
KiCad installations to avoid this potential issue.

A summary of the timeline is provided by KiCad [5] and a full writeup of
the vulnerability is published by Cisco Talos [6].

The KiCad team takes security vulnerabilities seriously and will address
them in a timely manner.  To report security issues, please file an issue
in the KiCad bug tracker and mark it "Confidential".  We will reach out to
coordinate vulnerability disclosure timelines.

Seth

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-23946
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-23947
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-23803
[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-23804
[5] https://www.kicad.org/blog/2022/02/KiCad-6.0.2-Release/
[6] https://talosintelligence.com/vulnerability_reports/TALOS-2022-1460


-- 
Seth Hillbrand
*Lead Developer*
+1-530-302-5483
Long Beach, CA
www.kipro-pcb.com    info@xxxxxxxxxxxxx
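The following C++ snippet is an added example, not KiCad or GerbView source and not the Talos proof of concept. It illustrates the bug class the announcement describes: a Gerber extended-command reader that copies a field into a static-sized stack buffer with no length check, next to a version that reads into a growable std::string and rejects malformed framing. The command format, function names, the 32-byte buffer size and the sample commands are assumptions chosen for illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>
#include <string_view>
#include <vector>

// Hypothetical example. Not KiCad/GerbView code and not the Talos proof of
// concept; names, the 32-byte buffer size and the sample commands are
// assumptions chosen to illustrate the bug class named in the announcement.

// ---- legacy shape: static-sized buffer, unchecked copy -----------------
static const size_t kLegacyBufSize = 32;

// Copies the command name (text up to ',' or '*') into `dst`, which callers
// are expected to size as char[kLegacyBufSize]. Nothing stops the loop when
// the name is longer than the buffer, so a crafted file with a 32+ byte
// name writes past the end of `dst`. Shown for comparison only; never call
// it on oversized input.
void legacyReadName(const char* cmd, char* dst)
{
    if (*cmd == '%')
        ++cmd;
    size_t i = 0;
    while (*cmd && *cmd != ',' && *cmd != '*')
        dst[i++] = *cmd++;          // no comparison against kLegacyBufSize
    dst[i] = '\0';
}

// The length check the legacy loop lacks: true if the name (plus the
// terminating NUL) would fit in a kLegacyBufSize buffer.
bool fitsLegacyBuffer(std::string_view cmd)
{
    if (!cmd.empty() && cmd.front() == '%')
        cmd.remove_prefix(1);
    size_t n = cmd.find_first_of(",*");
    if (n == std::string_view::npos)
        n = cmd.size();
    return n + 1 <= kLegacyBufSize;
}

// ---- hardened shape: growable std::string, explicit format checks -----
struct ExtCommand
{
    std::string name;                 // e.g. "TF.FileFunction" or "ADD10C"
    std::vector<std::string> params;  // comma-separated fields after the name
};

// Parses one extended command of the form %NAME,p1,p2,...*% (params may be
// absent). Field length is bounded only by available memory, and malformed
// input is rejected rather than trusted.
bool parseExtendedCommand(std::string_view cmd, ExtCommand& out)
{
    out.name.clear();
    out.params.clear();

    // Frame must be %...*% with at least one byte of body before '*'.
    if (cmd.size() < 4 || cmd.front() != '%' || cmd.back() != '%')
        return false;
    cmd.remove_prefix(1);
    cmd.remove_suffix(1);
    if (cmd.back() != '*')
        return false;
    cmd.remove_suffix(1);

    size_t pos = 0;
    bool first = true;
    for (;;)
    {
        size_t comma = cmd.find(',', pos);
        size_t len = (comma == std::string_view::npos) ? std::string_view::npos : comma - pos;
        std::string_view field = cmd.substr(pos, len);
        if (first)
        {
            if (field.empty())        // "%,x*%" carries no command name
                return false;
            out.name.assign(field.data(), field.size());
            first = false;
        }
        else
        {
            out.params.emplace_back(field.data(), field.size());
        }
        if (comma == std::string_view::npos)
            break;
        pos = comma + 1;
    }
    return true;
}

int main()
{
    // Constructed sample input: one normal command and one with an
    // oversized name of the kind a crafted Gerber file could carry.
    const std::string normal = "%TF.FileFunction,Copper,L1,Top*%";
    const std::string crafted = "%" + std::string(500, 'A') + ",1*%";

    char legacy[kLegacyBufSize];
    legacyReadName(normal.c_str(), legacy);   // fits: 15 chars + NUL
    std::printf("legacy name: %s\n", legacy);
    std::printf("crafted name fits legacy buffer: %s\n",
                fitsLegacyBuffer(crafted) ? "yes" : "no (would overflow)");

    ExtCommand c;
    if (parseExtendedCommand(crafted, c))
        std::printf("hardened parser read a %zu-byte name safely\n", c.name.size());
    return 0;
}
```

The point of the comparison is that the hardened version has no fixed length to check against at all: the name and parameters go into std::string, so a field of any length is either parsed or rejected on framing grounds, never copied past the end of a buffer. In a real parser the same rule applies to every field copied out of the file, including aperture definitions and drill tool lines, not only the command name shown here.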