Notepad++ version 8.5.7 has been released with security updates for multiple buffer overflow vulnerabilities identified in the previous version.

Notepad++ is a popular free source code editor that supports many programming languages, can be extended via plugins, and offers productivity-enhancing features such as multi-tabbed editing and syntax highlighting.

GitHub security researcher Jaroslav Lobačevski reported the vulnerabilities in Notepad++ version 8.5.2 to the developers over the last couple of months. The discovered vulnerabilities involve heap buffer write and read overflows in various functions and libraries used by Notepad++.

Proof-of-concept exploits have also been published for these flaws in the researcher's public advisory, making it crucial for users to update to the latest version as soon as possible.

The four vulnerabilities discovered by GitHub's researcher are:

  • CVE-2023-40031: Buffer overflow in the Utf8_16_Read::convert function due to incorrect assumptions about UTF16 to UTF8 encoding conversions.
  • CVE-2023-40036: Global buffer read overflow in CharDistributionAnalysisHandle::HandleOneChar caused by an array index order based on the buffer size and exacerbated by the use of the uchardet library.
  • CVE-2023-40164: Global buffer read overflow in nsCodingStateMachine::NextState. This flaw is linked to a specific version of the uchardet library used by Notepad++, and it is vulnerable due to its dependence on the size of the charLenTable buffer.
  • CVE-2023-40166: Heap buffer read overflow in FileManager::detectLanguageFromTextBegining due to a failure to check buffer lengths during file language detection.
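One defensive pattern for the class of bug behind CVE-2023-40031, as an added example that is not Notepad++ code and is not taken from the advisory: a UTF-16LE to UTF-8 converter that measures the exact output size before writing and refuses to write past the caller's buffer. The function names and sample bytes are constructed for illustration; the page does not give the faulty size calculation itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: "A", U+00E9, U+20AC, U+1F600 in UTF-16LE, then one stray byte. */
static const uint8_t SAMPLE[] = {0x41,0x00, 0xE9,0x00, 0xAC,0x20, 0x3D,0xD8,0x00,0xDE, 0x41};

/* Decode one code point; returns bytes consumed (1, 2 or 4). A truncated unit
   or an unpaired surrogate becomes U+FFFD instead of reading past the input. */
static size_t next_cp(const uint8_t *in, size_t len, uint32_t *cp) {
    if (len < 2) { *cp = 0xFFFD; return len; }   /* odd trailing byte */
    uint32_t u = in[0] | (uint32_t)in[1] << 8;
    if (u >= 0xD800 && u <= 0xDBFF && len >= 4) {
        uint32_t lo = in[2] | (uint32_t)in[3] << 8;
        if (lo >= 0xDC00 && lo <= 0xDFFF) {
            *cp = 0x10000 + ((u - 0xD800) << 10) + (lo - 0xDC00);
            return 4;
        }
    }
    *cp = (u >= 0xD800 && u <= 0xDFFF) ? 0xFFFD : u;
    return 2;
}

static size_t utf8_len(uint32_t cp) { return cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4; }

/* Returns the UTF-8 size the input needs. Writes to out only when that size
   fits in cap, so a wrong size estimate by the caller cannot overflow out. */
size_t utf16le_to_utf8(const uint8_t *in, size_t len, uint8_t *out, size_t cap) {
    static const uint8_t lead[] = {0, 0x00, 0xC0, 0xE0, 0xF0};
    size_t need = 0;
    uint32_t cp = 0;
    for (size_t i = 0; i < len; need += utf8_len(cp))   /* pass 1: measure */
        i += next_cp(in + i, len - i, &cp);
    if (out == NULL || need > cap) return need;         /* too small: write nothing */
    for (size_t i = 0; i < len; ) {                     /* pass 2: encode */
        i += next_cp(in + i, len - i, &cp);
        size_t n = utf8_len(cp);
        *out++ = (uint8_t)(lead[n] | (cp >> (6 * (n - 1))));
        for (size_t k = n - 1; k-- > 0; )
            *out++ = (uint8_t)(0x80 | ((cp >> (6 * k)) & 0x3F));
    }
    return need;
}

int main(void) {
    uint8_t buf[16];
    printf("%zu UTF-8 bytes needed\n", utf16le_to_utf8(SAMPLE, sizeof SAMPLE, buf, sizeof buf));
    return 0;
}
```

Calling the function with `out` set to `NULL` returns the required size, which lets the caller allocate exactly that much instead of relying on a bytes-per-unit estimate.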

Among these vulnerabilities, CVE-2023-40031 is considered the most severe, with a CVSS v3 rating of 7.8 (high), potentially leading to arbitrary code execution. However, a user has disputed the possibility of code execution using this flaw, stating that it is more of an off-by-two bug with practically zero chance of allowing for arbitrary code execution.

The other three vulnerabilities are medium-severity issues (rating 5.5) that Lobačevski says might be leveraged to leak internal memory allocation information.

Although Lobačevski published his blog post and proof-of-concept exploit on 21 August 2023, the Notepad++ development team did not respond until the user community pressed for a resolution. Only after substantial pressure from the user community was a public issue created on 30 August 2023 acknowledging the problem, and fixes for the four flaws made it into the main code branch on 3 September 2023.

Notepad++ 8.5.7 has been released and should be installed to fix the four vulnerabilities listed in the changelog, along with other bugs.
