Mageia alert MGASA-2022-0295 (kicad)

From:
             
 
Mageia Updates <buildsystem-daemon@mageia.org>
To:
             
 
updates-announce@ml.mageia.org
Subject:
             
 
[updates-announce] MGASA-2022-0295: Updated kicad packages fix security vulnerability
Date:
             
 
Thu, 25 Aug 2022 23:22:06 +0200
Message-ID:
             
 
<20220825212206.75C8BA13B0@duvel.mageia.org>
Archive-link:
             
 
Article
MGASA-2022-0295 - Updated kicad packages fix security vulnerability

Publication date: 25 Aug 2022
URL: https://advisories.mageia.org/MGASA-2022-0295.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2022-23803,
     CVE-2022-23804,
     CVE-2022-23946,
     CVE-2022-23947

Description:
Multiple buffer overflows were discovered in Kicad, a suite of programs
for the creation of printed circuit boards, which could result in the
execution of arbitrary code if malformed Gerber/Excellon files, as
follows.

A stack-based buffer overflow vulnerability exists in the Gerber Viewer
gerber and excellon ReadXYCoord coordinate parsing functionality of KiCad
EDA 6.0.1 and master commit de006fc010. A specially-crafted gerber or
excellon file can lead to code execution. An attacker can provide a
malicious file to trigger this vulnerability. (CVE-2022-23803)

A stack-based buffer overflow vulnerability exists in the Gerber Viewer
gerber and excellon ReadIJCoord coordinate parsing functionality of KiCad
EDA 6.0.1 and master commit de006fc010. A specially-crafted gerber or
excellon file can lead to code execution. An attacker can provide a
malicious file to trigger this vulnerability. (CVE-2022-23804)

A stack-based buffer overflow vulnerability exists in the Gerber Viewer
gerber and excellon GCodeNumber parsing functionality of KiCad EDA 6.0.1
and master commit de006fc010. A specially-crafted gerber or excellon file
can lead to code execution. An attacker can provide a malicious file to
trigger this vulnerability. (CVE-2022-23946)

A stack-based buffer overflow vulnerability exists in the Gerber Viewer
gerber and excellon DCodeNumber parsing functionality of KiCad EDA 6.0.1
and master commit de006fc010. A specially-crafted gerber or excellon file
can lead to code execution. An attacker can provide a malicious file to
trigger this vulnerability. (CVE-2022-23947)

References:
- https://bugs.mageia.org/show_bug.cgi?id=30109
-
https://lists.fedoraproject.org/archives/list/package-ann...
- https://www.debian.org/lts/security/2022/dla-2998
- https://www.kicad.org/blog/2022/07/KiCad-6.0.7-Release/
- https://www.debian.org/security/2022/dsa-5214
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2...

SRPMS:
- 8/core/kicad-5.1.12-1.1.mga8