Security issues: Notepad++ reads and writes past the end of a buffer bounds on opening a crafted file. #14073
Comments
Is there an estimate of when a release will be available that closes these vulns? |
I see a possible cause of CVE-2023-40031 in the UniConversion.cxx, in the UTF8FromUTF16 function. The remaining size of the destination buffer is not checked in the loop. |
The CVE is a ridiculous exaggeration of the situation. While it is technically a "buffer overflow", it is really only an off-by-two bug with practically zero chance to allow for arbitrary code execution: -- If the document has an odd length (malformed utf16), the CVE suggests that the incomplete last utf16 character at the end of the file is still converted to utf8. But the length calculation is two bytes off:
E.g. if "len" is 1, the formula results in 1 + 0 + 1 = 2 where it should be 4. The fix is very simple. Round up "len" before the calculation:
There is no way that this leads to arbitrary code execution. -- There's probably also an off-by-one read bug in the same situation (the missing byte at the end of file must come from somewhere). |
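The two comments above describe a UTF-16 to UTF-8 conversion whose output sizing forgets the dangling byte of an odd-length input and whose write loop never checks the remaining destination capacity. The following is an added illustration of the defensive shape such a converter takes, not Scintilla's or Notepad++'s code: the function and helper names, the rounding-up of the byte length (as the comment proposes), the UTF-16LE byte order and the use of U+FFFD for a truncated final unit or an unpaired surrogate are all assumptions made here.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Added example, not Scintilla's code. Number of UTF-16 code units a converter
// must account for in `byteLen` bytes: an odd byte count (a truncated trailing
// unit) is rounded up, as the comment above proposes, so the last, incomplete
// unit is included when the output is sized.
inline size_t Utf16UnitsFromBytes(size_t byteLen) {
    return (byteLen + 1) / 2;
}

// Upper bound on the UTF-8 bytes needed: every BMP unit can expand to 3 bytes
// and a surrogate pair (2 units) to 4, so 3 bytes per unit is always enough.
inline size_t Utf8CapacityForUtf16Bytes(size_t byteLen) {
    return Utf16UnitsFromBytes(byteLen) * 3;
}

// Converts UTF-16LE bytes to UTF-8 without reading past src+srcLen or writing
// past dst+dstCap. Returns bytes written, or SIZE_MAX if dst is too small.
// A truncated final unit and unpaired surrogates become U+FFFD.
size_t Utf8FromUtf16Le(const unsigned char *src, size_t srcLen,
                       char *dst, size_t dstCap) {
    const size_t units = Utf16UnitsFromBytes(srcLen);
    size_t out = 0;

    // Encode one code point; the capacity check is the one the comment above
    // reports as missing from the original loop.
    auto put = [&](uint32_t cp) -> bool {
        unsigned char buf[4];
        size_t n;
        if (cp < 0x80) {
            buf[0] = static_cast<unsigned char>(cp); n = 1;
        } else if (cp < 0x800) {
            buf[0] = static_cast<unsigned char>(0xC0 | (cp >> 6));
            buf[1] = static_cast<unsigned char>(0x80 | (cp & 0x3F)); n = 2;
        } else if (cp < 0x10000) {
            buf[0] = static_cast<unsigned char>(0xE0 | (cp >> 12));
            buf[1] = static_cast<unsigned char>(0x80 | ((cp >> 6) & 0x3F));
            buf[2] = static_cast<unsigned char>(0x80 | (cp & 0x3F)); n = 3;
        } else {
            buf[0] = static_cast<unsigned char>(0xF0 | (cp >> 18));
            buf[1] = static_cast<unsigned char>(0x80 | ((cp >> 12) & 0x3F));
            buf[2] = static_cast<unsigned char>(0x80 | ((cp >> 6) & 0x3F));
            buf[3] = static_cast<unsigned char>(0x80 | (cp & 0x3F)); n = 4;
        }
        if (dstCap - out < n) return false;  // would overflow dst: stop here
        std::memcpy(dst + out, buf, n);
        out += n;
        return true;
    };

    for (size_t i = 0; i < units; ++i) {
        const size_t pos = 2 * i;
        uint32_t cp;
        if (pos + 1 >= srcLen) {
            cp = 0xFFFD;  // odd srcLen: only the low byte of this unit exists
        } else {
            cp = src[pos] | (static_cast<uint32_t>(src[pos + 1]) << 8);
            if (cp >= 0xD800 && cp <= 0xDBFF) {      // high surrogate
                uint32_t lo = 0;
                if (pos + 3 < srcLen)                // low surrogate fully present?
                    lo = src[pos + 2] | (static_cast<uint32_t>(src[pos + 3]) << 8);
                if (lo >= 0xDC00 && lo <= 0xDFFF) {
                    cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
                    ++i;                             // consumed both units
                } else {
                    cp = 0xFFFD;                     // unpaired high surrogate
                }
            } else if (cp >= 0xDC00 && cp <= 0xDFFF) {
                cp = 0xFFFD;                         // stray low surrogate
            }
        }
        if (!put(cp)) return SIZE_MAX;
    }
    return out;
}

// Convenience wrapper: sizes the output from the rounded-up unit count, so the
// conversion can never run out of room and never returns SIZE_MAX here.
std::string Utf8StringFromUtf16Le(const std::vector<unsigned char> &in) {
    std::string out(Utf8CapacityForUtf16Bytes(in.size()), '\0');
    const size_t n = Utf8FromUtf16Le(in.data(), in.size(), &out[0], out.size());
    out.resize(n);
    return out;
}

// Converts into a buffer of exactly `cap` bytes to show the bounds check working.
size_t TryConvertWithCapacity(const std::vector<unsigned char> &in, size_t cap) {
    std::vector<char> dst(cap);
    return Utf8FromUtf16Le(in.data(), in.size(), dst.data(), cap);
}

int main() {
    // Constructed input: "A" followed by a dangling single byte (odd length).
    const std::vector<unsigned char> odd = {0x41, 0x00, 0x42};
    std::printf("units=%zu capacity=%zu converted=%zu bytes\n",
                Utf16UnitsFromBytes(odd.size()), Utf8CapacityForUtf16Bytes(odd.size()),
                Utf8StringFromUtf16Le(odd).size());
    std::printf("into a 1-byte buffer: %s\n",
                TryConvertWithCapacity(odd, 1) == SIZE_MAX ? "rejected" : "ok");
    return 0;
}
```

The two defects discussed in the thread are handled separately on purpose: `Utf16UnitsFromBytes` fixes the sizing (an odd length of 1 yields one unit, not zero), while the capacity check inside `put` makes the write loop safe even if a caller sizes the destination wrongly.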
The only third-party code identified in the advisory comes from uchardet, which has already been patched in a newer version than what N++ currently uses. GHSL-2023-102/3 can be resolved with a simple dependency update. Scintilla's core components are hosted on SourceForge and would never receive GitHub's attention. |
Since I haven't used it in a while I went to uninstall until there's an update. Since there are the existing concerns about security, when the unsigned installer asked for admin privileges I was in the mindset to virus-scan it. While it's marked clean by nearly every vendor, I found the uninstaller's behaviors/capabilities a bit concerning: https://www.virustotal.com/gui/file/7022af4ff6b2dcb3fd856d0d6f8b8b66faaa22068903e574954e2ed62272d667/relations I'm no security expert so I don't know how common these are in generic uninstallers, but I don't know why it would need:
Can anyone shine some light? |
Thank you for the updates. @donho When is the expected release date for update please to resolve these CVEs? Thank you |
@speneos |
This is unrelated, you should have raised a separate issue. |
The timeline posted in the linked advisory paints a very bleak picture of this project's maintainer's attitude to security. 4 months and 4 releases with fixes such as Minor style bug, but without the fix for a critical vulnerability (arbitrary code execution), no replies to the security researcher repeatedly trying to get this fixed, and the fix was only finally released weeks after public disclosure? Anyone ever opening files they don't completely trust must seriously consider using a different editor. |
Please learn to read and count |
This is incredibly disturbing. The uninstaller is calling the content delivery network and collecting significant personal and os info that should not be exfiltrated from your computer. Please file a separate issue. |
From v8.5.7 on, the N++ uninstaller is signed (4476432). And the uninstaller needs the admin privileges to uninstall software from a protected location (...\Program Files\...).
Barking up the wrong tree. Try to persuade MS & all the others not to collect such telemetry data...
While I can confirm that the VirusTotal is showing that suspicious behavior for the N++ uninstaller, I did not find anything like that myself: #14368 (comment) |
Notepad++ reads and writes past the end of a buffer bounds on opening a crafted file.
This bug still exists in v8.5.6
More details:
https://securitylab.github.com/advisories/GHSL-2023-092_Notepad__/
Reference numbers from GitHub Security Labs:
GHSL-2023-092, GHSL-2023-102, GHSL-2023-103, GHSL-2023-112
CVE numbers and score:
CVE-2023-40031 (7.8 High)
CVE-2023-40036 (5.5 Medium)
CVE-2023-40164 (5.5 Medium)
CVE-2023-40166 (5.5 Medium)