    Notepad++ 8.5.7 released with fixes for four security vulnerabilities


    Karlston

    Notepad++ version 8.5.7 has been released with fixes for multiple buffer overflow zero-days, with one marked as potentially leading to code execution by tricking users into opening specially crafted files.

     

    Notepad++ is a popular free source code editor that supports many programming languages, can be extended via plugins, and offers productivity-enhancing features such as multi-tabbed editing and syntax highlighting.

     

    GitHub security researcher Jaroslav Lobačevski reported the vulnerabilities in Notepad++ version 8.5.2 to the developers over the last couple of months.

     

    Proof of concept exploits have also been published for these flaws in the researcher's public advisory, making it essential for users to update the program as soon as possible.

    Security flaws in Notepad++

    The discovered vulnerabilities involve heap buffer write and read overflows in various functions and libraries used by Notepad++.

     

    Here's a summary of the four flaws discovered by GitHub's researcher:

     

    • CVE-2023-40031: Buffer overflow in the Utf8_16_Read::convert function due to incorrect assumptions about UTF16 to UTF8 encoding conversions.
    • CVE-2023-40036: Global buffer read overflow in CharDistributionAnalysis::HandleOneChar caused by an array index order based on the buffer size, exacerbated by using the uchardet library.
    • CVE-2023-40164: Global buffer read overflow in nsCodingStateMachine::NextState. This is linked to a specific version of the uchardet library used by Notepad++, vulnerable due to its dependency on the size of the charLenTable buffer.
    • CVE-2023-40166: Heap buffer read overflow in FileManager::detectLanguageFromTextBegining due to failing to check buffer lengths during file language detection.

     

    The most severe of these flaws is CVE-2023-40031, assigned a CVSS v3 rating of 7.8 (high), potentially leading to arbitrary code execution.

     

    However, a user disputes that it would be possible to perform code execution using this flaw due to the type of error it is.

     

    "While it is technically a 'buffer overflow' it is really only an off-by-two bug with practically zero chance to allow for arbitrary code execution," reads a comment to a GitHub issue opened about the flaws.

     

    The other three issues are medium-severity (5.5) problems that Lobačevski says might be leveraged to leak internal memory allocation information.

    Fix coming

    Despite Lobačevski's blog and proof of concept exploits being published on August 21, 2023, the Notepad++ development team did not rush to respond to the situation until the user community pressed for its resolution.

     

    Eventually, on August 30, 2023, a public issue was created to acknowledge the problem, and fixes for the four flaws made it into the main code branch on September 3, 2023.

     

    Notepad++ 8.5.7 has now been released and should be installed to fix the four vulnerabilities and other bugs listed in the changelog.

     
