Re: [Kicad-developers] CVE-2022-23803, CVE-2022-23804, CVE-2022-23946, CVE-2022-23947

[Steven A. Falco]

On 2/16/22 01:52 PM, jp charras wrote:


Le 16/02/2022 à 19:38, Steven A. Falco a écrit :

I found "Fix overflow vulnerability in Gerbview" and possibly "Fix relative return 
with nullptr condition".  Are there other patches in the series, or are those two the only 
ones that are needed?

I tried grepping the log for CVE, but didn't find much...

Steve



3 fixes are needed. This one is needed:

"Fix float scaling to use single fn"


I tried applying the patches to 5.1.12 but ran into rejects that I didn't feel 
comfortable to rework.

I'm asking on the Fedora list, and there is a way to request exceptions to the 
"Fedora major update policy".  I'll see where that leads.  Given that KiCad is 
planning to do annual major updates, I suspect this problem will keep coming up, so if I 
can get an exception to the policy, that would be best.

Steve


___
Mailing list: https://launchpad.net/~kicad-developers
Post to : kicad-developers@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kicad-developers
More help   : https://help.launchpad.net/ListHelp

Re: [Kicad-developers] CVE-2022-23803, CVE-2022-23804, CVE-2022-23946, CVE-2022-23947

[jp charras]

Le 16/02/2022 à 19:38, Steven A. Falco a écrit :
I found "Fix overflow vulnerability in Gerbview" and possibly "Fix 
relative return with nullptr condition".  Are there other patches in 
the series, or are those two the only ones that are needed?


I tried grepping the log for CVE, but didn't find much...

Steve



3 fixes are needed. This one is needed:

"Fix float scaling to use single fn"




On 2/16/22 01:17 PM, Seth Hillbrand wrote:
Distributions that would like to release a patched version of 5.1, 
5.0 or 4.0 can cherry-pick the patch series.  They should apply cleanly.


Seth

On Wed, Feb 16, 2022 at 9:16 AM Steven A. Falco 
mailto:stevenfa...@gmail.com>> wrote:


    One additional question - I know that 5.1.12 was the last planned 
release in the 5.x series, and that 5.1.12 has the vulnerability.  
Currently, because of Fedora policy, both F34 and F35 still ship 5.1.12.


    I'll ask on the Fedora list if this event qualifies as an 
exception to the policy, but if not, how involved would it be to 
patch 5.1.12, or perhaps to spin a 5.1.13 just to fix this issue?


         Steve

    On 2/16/22 11:49 AM, Steven A. Falco wrote:
 > Excellent!  I'll note that on the Fedora bugs.
 >
 >  Thanks,
 >  Steve
 >
 > On 2/16/22 09:44 AM, Ian McInerney wrote:
 >> All 4 CVEs were fixed in the 6.0.2 release and the release 
announcement was updated last night to say this (to coincide with the 
public disclosure that happened today). There will be another email 
on the developer list later today with more details.

 >>
 >> -Ian
 >>
 >> On Wed, Feb 16, 2022 at 2:18 PM Steven A. Falco 
mailto:stevenfa...@gmail.com> 
>> wrote:

 >>
 >>     I've just received a large number of bugs against KiCad, 
supposedly due to CVE-2022-23803, CVE-2022-23804, CVE-2022-23946, 
CVE-2022-23947.

 >>
 >>     I don't have time to look into them, but I wanted to make 
them known.  There are apparently also bugs for this on the gentoo 
site - here is one: https://bugs.gentoo.org/833426 
 >

 >>
 >>     Here are the Fedora bugs:
 >>
 >> https://bugzilla.redhat.com/show_bug.cgi?id=2054956 
 
>
 >> https://bugzilla.redhat.com/show_bug.cgi?id=2054957 
 
>
 >> https://bugzilla.redhat.com/show_bug.cgi?id=2054959 
 
>
 >> https://bugzilla.redhat.com/show_bug.cgi?id=2054960 
 
>
 >> https://bugzilla.redhat.com/show_bug.cgi?id=2054955 
 
>
 >> https://bugzilla.redhat.com/show_bug.cgi?id=2054973 
 
>
 >> https://bugzilla.redhat.com/show_bug.cgi?id=2054974 
 
>
 >> https://bugzilla.redhat.com/show_bug.cgi?id=2054979 
 
>
 >> https://bugzilla.redhat.com/show_bug.cgi?id=2054980 
 
>
 >> https://bugzilla.redhat.com/show_bug.cgi?id=2054958 
 
>
 >> https://bugzilla.redhat.com/show_bug.cgi?id=2054972 
 
>
 >> https://bugzilla.redhat.com/show_bug.cgi?id=2054978 
 
>

 >>

Re: [Kicad-developers] CVE-2022-23803, CVE-2022-23804, CVE-2022-23946, CVE-2022-23947

[Steven A. Falco]

I found "Fix overflow vulnerability in Gerbview" and possibly "Fix relative return 
with nullptr condition".  Are there other patches in the series, or are those two the only 
ones that are needed?

I tried grepping the log for CVE, but didn't find much...

Steve

On 2/16/22 01:17 PM, Seth Hillbrand wrote:

Distributions that would like to release a patched version of 5.1, 5.0 or 4.0 
can cherry-pick the patch series.  They should apply cleanly.

Seth

On Wed, Feb 16, 2022 at 9:16 AM Steven A. Falco mailto:stevenfa...@gmail.com>> wrote:

One additional question - I know that 5.1.12 was the last planned release 
in the 5.x series, and that 5.1.12 has the vulnerability.  Currently, because 
of Fedora policy, both F34 and F35 still ship 5.1.12.

I'll ask on the Fedora list if this event qualifies as an exception to the 
policy, but if not, how involved would it be to patch 5.1.12, or perhaps to 
spin a 5.1.13 just to fix this issue?

         Steve

On 2/16/22 11:49 AM, Steven A. Falco wrote:
 > Excellent!  I'll note that on the Fedora bugs.
 >
 >  Thanks,
 >  Steve
 >
 > On 2/16/22 09:44 AM, Ian McInerney wrote:
 >> All 4 CVEs were fixed in the 6.0.2 release and the release announcement 
was updated last night to say this (to coincide with the public disclosure that 
happened today). There will be another email on the developer list later today with 
more details.
 >>
 >> -Ian
 >>
 >> On Wed, Feb 16, 2022 at 2:18 PM Steven A. Falco mailto:stevenfa...@gmail.com> >> wrote:
 >>
 >>     I've just received a large number of bugs against KiCad, supposedly 
due to CVE-2022-23803, CVE-2022-23804, CVE-2022-23946, CVE-2022-23947.
 >>
 >>     I don't have time to look into them, but I wanted to make them known.  There are 
apparently also bugs for this on the gentoo site - here is one: https://bugs.gentoo.org/833426 
 >
 >>
 >>     Here are the Fedora bugs:
 >>
 >> https://bugzilla.redhat.com/show_bug.cgi?id=2054956 
 
>
 >> https://bugzilla.redhat.com/show_bug.cgi?id=2054957 
 
>
 >> https://bugzilla.redhat.com/show_bug.cgi?id=2054959 
 
>
 >> https://bugzilla.redhat.com/show_bug.cgi?id=2054960 
 
>
 >> https://bugzilla.redhat.com/show_bug.cgi?id=2054955 
 
>
 >> https://bugzilla.redhat.com/show_bug.cgi?id=2054973 
 
>
 >> https://bugzilla.redhat.com/show_bug.cgi?id=2054974 
 
>
 >> https://bugzilla.redhat.com/show_bug.cgi?id=2054979 
 
>
 >> https://bugzilla.redhat.com/show_bug.cgi?id=2054980 
 
>
 >> https://bugzilla.redhat.com/show_bug.cgi?id=2054958 
 
>
 >> https://bugzilla.redhat.com/show_bug.cgi?id=2054972 
 
>
 >> https://bugzilla.redhat.com/show_bug.cgi?id=2054978 
 
>
 >>
 >>     ___
 >>     Mailing list: https://launchpad.net/~kicad-developers 

Re: [Kicad-developers] CVE-2022-23803, CVE-2022-23804, CVE-2022-23946, CVE-2022-23947

[Seth Hillbrand]

Distributions that would like to release a patched version of 5.1, 5.0 or
4.0 can cherry-pick the patch series.  They should apply cleanly.

Seth

On Wed, Feb 16, 2022 at 9:16 AM Steven A. Falco 
wrote:

> One additional question - I know that 5.1.12 was the last planned release
> in the 5.x series, and that 5.1.12 has the vulnerability.  Currently,
> because of Fedora policy, both F34 and F35 still ship 5.1.12.
>
> I'll ask on the Fedora list if this event qualifies as an exception to the
> policy, but if not, how involved would it be to patch 5.1.12, or perhaps to
> spin a 5.1.13 just to fix this issue?
>
> Steve
>
> On 2/16/22 11:49 AM, Steven A. Falco wrote:
> > Excellent!  I'll note that on the Fedora bugs.
> >
> >  Thanks,
> >  Steve
> >
> > On 2/16/22 09:44 AM, Ian McInerney wrote:
> >> All 4 CVEs were fixed in the 6.0.2 release and the release announcement
> was updated last night to say this (to coincide with the public disclosure
> that happened today). There will be another email on the developer list
> later today with more details.
> >>
> >> -Ian
> >>
> >> On Wed, Feb 16, 2022 at 2:18 PM Steven A. Falco  > wrote:
> >>
> >> I've just received a large number of bugs against KiCad, supposedly
> due to CVE-2022-23803, CVE-2022-23804, CVE-2022-23946, CVE-2022-23947.
> >>
> >> I don't have time to look into them, but I wanted to make them
> known.  There are apparently also bugs for this on the gentoo site - here
> is one: https://bugs.gentoo.org/833426 
> >>
> >> Here are the Fedora bugs:
> >>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=2054956 <
> https://bugzilla.redhat.com/show_bug.cgi?id=2054956>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=2054957 <
> https://bugzilla.redhat.com/show_bug.cgi?id=2054957>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=2054959 <
> https://bugzilla.redhat.com/show_bug.cgi?id=2054959>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=2054960 <
> https://bugzilla.redhat.com/show_bug.cgi?id=2054960>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=2054955 <
> https://bugzilla.redhat.com/show_bug.cgi?id=2054955>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=2054973 <
> https://bugzilla.redhat.com/show_bug.cgi?id=2054973>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=2054974 <
> https://bugzilla.redhat.com/show_bug.cgi?id=2054974>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=2054979 <
> https://bugzilla.redhat.com/show_bug.cgi?id=2054979>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=2054980 <
> https://bugzilla.redhat.com/show_bug.cgi?id=2054980>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=2054958 <
> https://bugzilla.redhat.com/show_bug.cgi?id=2054958>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=2054972 <
> https://bugzilla.redhat.com/show_bug.cgi?id=2054972>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=2054978 <
> https://bugzilla.redhat.com/show_bug.cgi?id=2054978>
> >>
> >> ___
> >> Mailing list: https://launchpad.net/~kicad-developers <
> https://launchpad.net/~kicad-developers>
> >> Post to : kicad-developers@lists.launchpad.net  kicad-developers@lists.launchpad.net>
> >> Unsubscribe : https://launchpad.net/~kicad-developers <
> https://launchpad.net/~kicad-developers>
> >> More help   : https://help.launchpad.net/ListHelp <
> https://help.launchpad.net/ListHelp>
> >>
> >
>
>
> ___
> Mailing list: https://launchpad.net/~kicad-developers
> Post to : kicad-developers@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~kicad-developers
> More help   : https://help.launchpad.net/ListHelp
>


-- 
[image: KiCad Services Corporation Logo]
Seth Hillbrand
*Lead Developer*
+1-530-302-5483‬
Long Beach, CA
www.kipro-pcb.comi...@kipro-pcb.com
___
Mailing list: https://launchpad.net/~kicad-developers
Post to : kicad-developers@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kicad-developers
More help   : https://help.launchpad.net/ListHelp

Re: [Kicad-developers] CVE-2022-23803, CVE-2022-23804, CVE-2022-23946, CVE-2022-23947

[Steven A. Falco]

One additional question - I know that 5.1.12 was the last planned release in 
the 5.x series, and that 5.1.12 has the vulnerability.  Currently, because of 
Fedora policy, both F34 and F35 still ship 5.1.12.

I'll ask on the Fedora list if this event qualifies as an exception to the 
policy, but if not, how involved would it be to patch 5.1.12, or perhaps to 
spin a 5.1.13 just to fix this issue?

Steve

On 2/16/22 11:49 AM, Steven A. Falco wrote:

Excellent!  I'll note that on the Fedora bugs.

 Thanks,
 Steve

On 2/16/22 09:44 AM, Ian McInerney wrote:

All 4 CVEs were fixed in the 6.0.2 release and the release announcement was 
updated last night to say this (to coincide with the public disclosure that 
happened today). There will be another email on the developer list later today 
with more details.

-Ian

On Wed, Feb 16, 2022 at 2:18 PM Steven A. Falco mailto:stevenfa...@gmail.com>> wrote:

    I've just received a large number of bugs against KiCad, supposedly due to 
CVE-2022-23803, CVE-2022-23804, CVE-2022-23946, CVE-2022-23947.

    I don't have time to look into them, but I wanted to make them known.  There are 
apparently also bugs for this on the gentoo site - here is one: 
https://bugs.gentoo.org/833426 

    Here are the Fedora bugs:

    https://bugzilla.redhat.com/show_bug.cgi?id=2054956 

    https://bugzilla.redhat.com/show_bug.cgi?id=2054957 

    https://bugzilla.redhat.com/show_bug.cgi?id=2054959 

    https://bugzilla.redhat.com/show_bug.cgi?id=2054960 

    https://bugzilla.redhat.com/show_bug.cgi?id=2054955 

    https://bugzilla.redhat.com/show_bug.cgi?id=2054973 

    https://bugzilla.redhat.com/show_bug.cgi?id=2054974 

    https://bugzilla.redhat.com/show_bug.cgi?id=2054979 

    https://bugzilla.redhat.com/show_bug.cgi?id=2054980 

    https://bugzilla.redhat.com/show_bug.cgi?id=2054958 

    https://bugzilla.redhat.com/show_bug.cgi?id=2054972 

    https://bugzilla.redhat.com/show_bug.cgi?id=2054978 


    ___
    Mailing list: https://launchpad.net/~kicad-developers 

    Post to     : kicad-developers@lists.launchpad.net 

    Unsubscribe : https://launchpad.net/~kicad-developers 

    More help   : https://help.launchpad.net/ListHelp 







___
Mailing list: https://launchpad.net/~kicad-developers
Post to : kicad-developers@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kicad-developers
More help   : https://help.launchpad.net/ListHelp

Re: [Kicad-developers] CVE-2022-23803, CVE-2022-23804, CVE-2022-23946, CVE-2022-23947

[Steven A. Falco]

Excellent!  I'll note that on the Fedora bugs.

Thanks,
Steve

On 2/16/22 09:44 AM, Ian McInerney wrote:

All 4 CVEs were fixed in the 6.0.2 release and the release announcement was 
updated last night to say this (to coincide with the public disclosure that 
happened today). There will be another email on the developer list later today 
with more details.

-Ian

On Wed, Feb 16, 2022 at 2:18 PM Steven A. Falco mailto:stevenfa...@gmail.com>> wrote:

I've just received a large number of bugs against KiCad, supposedly due to 
CVE-2022-23803, CVE-2022-23804, CVE-2022-23946, CVE-2022-23947.

I don't have time to look into them, but I wanted to make them known.  There are 
apparently also bugs for this on the gentoo site - here is one: 
https://bugs.gentoo.org/833426 

Here are the Fedora bugs:

https://bugzilla.redhat.com/show_bug.cgi?id=2054956 

https://bugzilla.redhat.com/show_bug.cgi?id=2054957 

https://bugzilla.redhat.com/show_bug.cgi?id=2054959 

https://bugzilla.redhat.com/show_bug.cgi?id=2054960 

https://bugzilla.redhat.com/show_bug.cgi?id=2054955 

https://bugzilla.redhat.com/show_bug.cgi?id=2054973 

https://bugzilla.redhat.com/show_bug.cgi?id=2054974 

https://bugzilla.redhat.com/show_bug.cgi?id=2054979 

https://bugzilla.redhat.com/show_bug.cgi?id=2054980 

https://bugzilla.redhat.com/show_bug.cgi?id=2054958 

https://bugzilla.redhat.com/show_bug.cgi?id=2054972 

https://bugzilla.redhat.com/show_bug.cgi?id=2054978 


___
Mailing list: https://launchpad.net/~kicad-developers 

Post to     : kicad-developers@lists.launchpad.net 

Unsubscribe : https://launchpad.net/~kicad-developers 

More help   : https://help.launchpad.net/ListHelp 





___
Mailing list: https://launchpad.net/~kicad-developers
Post to : kicad-developers@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kicad-developers
More help   : https://help.launchpad.net/ListHelp

Re: [Kicad-developers] CVE-2022-23803, CVE-2022-23804, CVE-2022-23946, CVE-2022-23947

[Ian McInerney]

All 4 CVEs were fixed in the 6.0.2 release and the release announcement was
updated last night to say this (to coincide with the public disclosure that
happened today). There will be another email on the developer list later
today with more details.

-Ian

On Wed, Feb 16, 2022 at 2:18 PM Steven A. Falco 
wrote:

> I've just received a large number of bugs against KiCad, supposedly due to
> CVE-2022-23803, CVE-2022-23804, CVE-2022-23946, CVE-2022-23947.
>
> I don't have time to look into them, but I wanted to make them known.
> There are apparently also bugs for this on the gentoo site - here is one:
> https://bugs.gentoo.org/833426
>
> Here are the Fedora bugs:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=2054956
> https://bugzilla.redhat.com/show_bug.cgi?id=2054957
> https://bugzilla.redhat.com/show_bug.cgi?id=2054959
> https://bugzilla.redhat.com/show_bug.cgi?id=2054960
> https://bugzilla.redhat.com/show_bug.cgi?id=2054955
> https://bugzilla.redhat.com/show_bug.cgi?id=2054973
> https://bugzilla.redhat.com/show_bug.cgi?id=2054974
> https://bugzilla.redhat.com/show_bug.cgi?id=2054979
> https://bugzilla.redhat.com/show_bug.cgi?id=2054980
> https://bugzilla.redhat.com/show_bug.cgi?id=2054958
> https://bugzilla.redhat.com/show_bug.cgi?id=2054972
> https://bugzilla.redhat.com/show_bug.cgi?id=2054978
>
> ___
> Mailing list: https://launchpad.net/~kicad-developers
> Post to : kicad-developers@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~kicad-developers
> More help   : https://help.launchpad.net/ListHelp
>
___
Mailing list: https://launchpad.net/~kicad-developers
Post to : kicad-developers@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kicad-developers
More help   : https://help.launchpad.net/ListHelp

[Kicad-developers] CVE-2022-23803, CVE-2022-23804, CVE-2022-23946, CVE-2022-23947

[Steven A. Falco]

I've just received a large number of bugs against KiCad, supposedly due to 
CVE-2022-23803, CVE-2022-23804, CVE-2022-23946, CVE-2022-23947.

I don't have time to look into them, but I wanted to make them known.  There 
are apparently also bugs for this on the gentoo site - here is one:  
https://bugs.gentoo.org/833426

Here are the Fedora bugs:

https://bugzilla.redhat.com/show_bug.cgi?id=2054956
https://bugzilla.redhat.com/show_bug.cgi?id=2054957
https://bugzilla.redhat.com/show_bug.cgi?id=2054959
https://bugzilla.redhat.com/show_bug.cgi?id=2054960
https://bugzilla.redhat.com/show_bug.cgi?id=2054955
https://bugzilla.redhat.com/show_bug.cgi?id=2054973
https://bugzilla.redhat.com/show_bug.cgi?id=2054974
https://bugzilla.redhat.com/show_bug.cgi?id=2054979
https://bugzilla.redhat.com/show_bug.cgi?id=2054980
https://bugzilla.redhat.com/show_bug.cgi?id=2054958
https://bugzilla.redhat.com/show_bug.cgi?id=2054972
https://bugzilla.redhat.com/show_bug.cgi?id=2054978

___
Mailing list: https://launchpad.net/~kicad-developers
Post to : kicad-developers@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kicad-developers
More help   : https://help.launchpad.net/ListHelp