Fedora has issued an advisory today (March 2): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5EMCGSSP3FIWCSL2KXVXLF35JYZKZE5Q/ The issues are fixed upstream in 6.0.2. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 6.0.2
Debian-LTS has issued an advisory for this on May 10: https://www.debian.org/lts/security/2022/dla-2998
Kicad 6.0.5 pushed to Cauldron.
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Kicad 6.0.5 packages pushed to core/backports_testing. Kicad 6.0.1 for Mageia 8 lives in core/backports.
SRPMS/RPMS:
kicad-6.0.5-1.mga8
kicad-doc-6.0.5-1.mga8
kicad-footprints-6.0.5-1.mga8
kicad-packages3d-6.0.5-1.mga8
kicad-symbols-6.0.5-1.mga8
kicad-templates-6.0.5-1.mga8
Assignee: jani.valimaa => qa-bugs
CC: (none) => jani.valimaa
What about kicad-5.1.12-1.mga8 in core/updates? Is it affected? If so, it needs to be patched. If not, this bug needs to be changed to a backports bug.
Status comment: Fixed upstream in 6.0.2 => (none)
Keywords: (none) => feedback
Thank you Jani, and David for the heads up.
6.0.5 installs and launches.
Current stable is now 6.0.7: https://www.kicad.org/blog/2022/07/KiCad-6.0.7-Release/
Every release note since 6.0.0 talks about critical bug fixes. That seems like a standard text they put on top of every release...
It has been half a year since we put 6.0.1 in backports. Meanwhile, I note that the official flatpak is kept promptly updated and in a quick test works OK. (I have it installed, but not really used yet.)
If we cannot keep up (apparently we in QA are to blame this time), we should consider dropping it in mga9; users can use flatpak, with the added convenience of delta updates of these big packages. There is probably some drawback in performance and some other limitation, I know too little.
I may test both our backport and the official flatpak version in a real project next week if I get that task. (First time in KiCad for me and years since I last made a PCB (in Eagle).) If I see 6.0.7 in backports then that is what I will test.
IMO we should not put too much energy into 5.12 unless we see another distro patching it and it is easy to implement. Upstream have not and probably will never release a new 5 series version.
Anyway, this is a security (and functionality) update for our backport, a version series which upstream treats as the only currently supported series, and probably the one preferred by our users.
CC: (none) => fri
Debian backported a patch to 4.x, so we should be able to patch it.
Debian has issued an advisory for this on August 21: https://www.debian.org/security/2022/dsa-5214 They patched kicad 5.1.x, so we can borrow their patch. A separate bug should be opened for the backports update.
Keywords: feedback => (none)
Assignee: qa-bugs => jani.valimaa
Pushed kicad-5.1.12-1.1.mga8 with patches from Debian to mga8 core/updates_testing. Please test.
SRPMS:
kicad-5.1.12-1.1.mga8
RPMS:
kicad-5.1.12-1.1.mga8
kicad-doc-5.1.12-1.1.mga8
kicad-i18n-5.1.12-1.1.mga8
kicad-library-5.1.12-1.1.mga8
Assignee: jani.valimaa => qa-bugs
5.1.12-1.1.mga8 64bit OK
Installed the listed packages; clean launch, and clean run from terminal.
Performed quick test: New project, opened schema, placed components, annotated, printed, exported to new PCB: OK.
Now we need an advisory.

(In reply to David Walser from comment #7)
> A separate bug should be opened for the backports update.
Bug 30774 - KiCad backports security (and functions) update
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => sysadmin-bugs
Advisory committed to svn as ...

$ cat 30109.adv
type: security
subject: Updated kicad packages fix security vulnerability
CVE:
 - CVE-2022-23803
 - CVE-2022-23804
 - CVE-2022-23946
 - CVE-2022-23947
src:
  8:
   core:
     - kicad-5.1.12-1.1.mga8
description: |
  Multiple buffer overflows were discovered in Kicad, a suite of programs
  for the creation of printed circuit boards, which could result in the
  execution of arbitrary code if malformed Gerber/Excellon files, as follows.

  A stack-based buffer overflow vulnerability exists in the Gerber Viewer
  gerber and excellon ReadXYCoord coordinate parsing functionality of KiCad
  EDA 6.0.1 and master commit de006fc010. A specially-crafted gerber or
  excellon file can lead to code execution. An attacker can provide a
  malicious file to trigger this vulnerability. (CVE-2022-23803)

  A stack-based buffer overflow vulnerability exists in the Gerber Viewer
  gerber and excellon ReadIJCoord coordinate parsing functionality of KiCad
  EDA 6.0.1 and master commit de006fc010. A specially-crafted gerber or
  excellon file can lead to code execution. An attacker can provide a
  malicious file to trigger this vulnerability. (CVE-2022-23804)

  A stack-based buffer overflow vulnerability exists in the Gerber Viewer
  gerber and excellon GCodeNumber parsing functionality of KiCad EDA 6.0.1
  and master commit de006fc010. A specially-crafted gerber or excellon file
  can lead to code execution. An attacker can provide a malicious file to
  trigger this vulnerability. (CVE-2022-23946)

  A stack-based buffer overflow vulnerability exists in the Gerber Viewer
  gerber and excellon DCodeNumber parsing functionality of KiCad EDA 6.0.1
  and master commit de006fc010. A specially-crafted gerber or excellon file
  can lead to code execution. An attacker can provide a malicious file to
  trigger this vulnerability. (CVE-2022-23947)
references:
 - https://bugs.mageia.org/show_bug.cgi?id=30109
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5EMCGSSP3FIWCSL2KXVXLF35JYZKZE5Q/
 - https://www.debian.org/lts/security/2022/dla-2998
 - https://www.kicad.org/blog/2022/07/KiCad-6.0.7-Release/
 - https://www.debian.org/security/2022/dsa-5214

Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0295.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED