kicad-developers team mailing list archive
On February 1 and 2, we received reports from Cisco Talos of
vulnerabilities in the text handling used by GerbView to parse Gerber and
We addressed these reports immediately and scheduled a release for version
6.0.2 to get the fixes out to our user base as soon as possible.
There are 4 CVE reports. Each presents a potential buffer
overflow attack from a specially-crafted Gerber file. Our fixes removed
the use of static-sized buffers, preventing this type of attack in the
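As an added illustration (not KiCad's or GerbView's code), here is a hypothetical Gerber data-block reader in C in the two forms the advisory contrasts: a copy into a fixed-size buffer that checks its bound and rejects an oversize block instead of overrunning, and a dynamically sized copy that needs no fixed limit at all. The sample blocks are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Gerber data blocks end with '*'. A reader that copies the block into a
 * static char[N] without checking N is the pattern that produces the
 * overflow described above; this version stops at the buffer edge.
 * Returns the number of characters copied, or -1 if the block is
 * unterminated or would not fit (including the trailing NUL). */
int read_gerber_block_bounded(const char *in, char *out, size_t out_size)
{
    size_t n = 0;
    if (out_size == 0)
        return -1;
    while (in[n] != '\0' && in[n] != '*') {
        if (n + 1 >= out_size)          /* no room left: reject, don't overrun */
            return -1;
        out[n] = in[n];
        n++;
    }
    if (in[n] != '*')                   /* ran off the end without a terminator */
        return -1;
    out[n] = '\0';
    return (int)n;
}

/* The approach the advisory describes for the fix: size the buffer from the
 * input instead of picking a constant up front. Caller frees the result.
 * Returns NULL if the block is unterminated or allocation fails. */
char *read_gerber_block_dynamic(const char *in)
{
    const char *end = strchr(in, '*');
    if (end == NULL)
        return NULL;
    size_t len = (size_t)(end - in);
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, in, len);
    out[len] = '\0';
    return out;
}

int main(void)
{
    char fixed[16];                                 /* deliberately small */
    const char *comment = "G04 constructed sample*";   /* constructed input */
    char oversize[300];
    memset(oversize, 'A', sizeof oversize - 2);
    oversize[sizeof oversize - 2] = '*';
    oversize[sizeof oversize - 1] = '\0';

    printf("short block -> %d\n", read_gerber_block_bounded(comment, fixed, sizeof fixed));
    printf("oversize block (bounded) -> %d\n", read_gerber_block_bounded(oversize, fixed, sizeof fixed));
    char *dyn = read_gerber_block_dynamic(oversize);
    printf("oversize block (dynamic) -> %zu chars\n", dyn ? strlen(dyn) : 0);
    free(dyn);
    return 0;
}
```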
We coordinated with Cisco Talos on the release of the CVEs, following the
full release of KiCad 6.0.2. All users are encouraged to upgrade their
KiCad installations to avoid this potential issue.
A summary of the timeline is provided by KiCad and a full writeup of
the vulnerability is published by Cisco Talos.
The KiCad team takes security vulnerabilities seriously and will address
them in a timely manner. To report security issues, please file an issue
in the KiCad bug tracker and mark it "Confidential". We will reach out to
coordinate vulnerability disclosure timelines.
Long Beach, CA