CVE-2022-23946 <= KiCad 6.0.1 Stack-based buffer overflow in GCodeNumber parsing CVE-2022-23947 <= KiCad 6.0.1 Stack-based buffer overflow in DCodeNumber parsing CVE-2022-23803 <= KiCad 6.0.1 Stack-based buffer overflow in ReadXYCoord CVE-2022-23804 <= KiCad 6.0.1 Stack-based buffer overflow in ReadIJCoord Reproducible: Always
Thanks for reporting! Maintainer, please bump.
KiCad 6.0.2 is in the tree which has replaced 6.0.1. However we still have KiCad 5.1.12 in the tree becasue it's needed by some industrial users since 6 series is not backward compatible with 5 series, and people need some time for migration. What is the recommendation for such cases when we have to keep an older version in the tree for a while longer?
In this case, simply masking the old version can be appropriate.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fcf5b32f1c2ab571e4918ba97091eb0beb58f831 commit fcf5b32f1c2ab571e4918ba97091eb0beb58f831 Author: Zoltan Puskas <zoltan@sinustrom.info> AuthorDate: 2022-02-19 03:55:37 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-02-19 17:14:15 +0000 sci-electronics/kicad.*: Mask vulnerable versions Signed-off-by: Zoltan Puskas <zoltan@sinustrom.info> Bug: https://bugs.gentoo.org/833426 Closes: https://github.com/gentoo/gentoo/pull/24268 Signed-off-by: John Helmert III <ajak@gentoo.org> profiles/package.mask | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
Thanks! All done. Please note that the Bug: tag should be used for security bugs, rather than Closes:.
