Notepad++ version 8.5.7 has been released with fixes for multiple buffer overflow zero-days, one of which is flagged as potentially leading to code execution by tricking users into opening specially crafted files.
Notepad++ is a popular free source code editor that supports many programming languages, can be extended through plugins, and offers productivity-enhancing features such as multi-tabbed editing and syntax highlighting.
GitHub security researcher Jaroslav Lobačevski reported the vulnerabilities in Notepad++ version 8.5.2 to the developers over the past couple of months.
Proof-of-concept exploits for these flaws have also been published in the researcher's public advisory, making it important for users to update the program as soon as possible.
Security flaws in Notepad++
The discovered vulnerabilities involve heap and global buffer write and read overflows in various functions and libraries used by Notepad++.
Here is a summary of the four flaws discovered by GitHub's researcher:
- CVE-2023-40031: Buffer write overflow in the Utf8_16_Read::convert function, caused by incorrect assumptions about UTF-16 to UTF-8 encoding conversion.
- CVE-2023-40036: Global buffer read overflow in CharDistributionAnalysis::HandleOneChar, caused by an array index based on the buffer size, and traced to the uchardet library used by Notepad++.
- CVE-2023-40164: Global buffer read overflow in nsCodingStateMachine::NextState. This is linked to a specific version of the uchardet library used by Notepad++, and is vulnerable because of its dependence on the size of the charLenTable buffer.
- CVE-2023-40166: Heap buffer read overflow in FileManager::detectLanguageFromTextBegining, caused by a failure to check buffer lengths during file language detection.
The most severe of these flaws is CVE-2023-40031, assigned a CVSS v3 score of 7.8 (high), which could potentially lead to arbitrary code execution.
However, one user disputes that code execution would be feasible with this flaw because of the type of error it is.
“While it’s technically a ‘buffer overflow,’ it is really only an off-by-two bug with almost zero chance to allow for arbitrary code execution,” reads a comment on a GitHub issue opened about the flaws.
The other three issues are medium-severity (5.5) problems that Lobačevski says could be leveraged to leak internal memory allocation information.
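The class of bug behind CVE-2023-40031 is a destination buffer sized on a wrong assumption about how much UTF-16 text grows when re-encoded as UTF-8. The following C program is an added illustration, not Notepad++'s code, and it does not reproduce the exact sizing formula from Utf8_16_Read::convert: the `naive_utf8_size` function stands in for a deliberately wrong one-byte-per-byte assumption invented for this example, `safe_utf8_size` computes the real worst case (3 UTF-8 bytes per 2-byte UTF-16 code unit), and the converter refuses to write past the capacity it is given instead of overflowing. The sample input is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical wrong assumption (made up for this example): UTF-8 output
   never exceeds the UTF-16 input's byte length. True for ASCII, false as
   soon as the text contains any character in U+0800..U+FFFF. */
size_t naive_utf8_size(size_t utf16_bytes) {
    return utf16_bytes;
}

/* Correct worst case: every 2-byte UTF-16 code unit can become up to 3 UTF-8
   bytes. A surrogate pair (4 input bytes) becomes exactly 4 UTF-8 bytes,
   below the 6 this bound allows, and a lone surrogate replaced by U+FFFD
   (3 bytes) also fits, so 3 bytes per code unit is sufficient. */
size_t safe_utf8_size(size_t utf16_bytes) {
    return (utf16_bytes / 2) * 3;
}

/* Encode one code point at out[o] if it fits in cap; return bytes written,
   or 0 when the encoding would run past the buffer. */
static size_t put_utf8(uint32_t cp, uint8_t *out, size_t o, size_t cap) {
    size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
    if (need > cap - o) return 0;
    switch (need) {
    case 1: out[o] = (uint8_t)cp; break;
    case 2: out[o] = 0xC0 | (uint8_t)(cp >> 6);
            out[o + 1] = 0x80 | (cp & 0x3F); break;
    case 3: out[o] = 0xE0 | (uint8_t)(cp >> 12);
            out[o + 1] = 0x80 | ((cp >> 6) & 0x3F);
            out[o + 2] = 0x80 | (cp & 0x3F); break;
    default: out[o] = 0xF0 | (uint8_t)(cp >> 18);
            out[o + 1] = 0x80 | ((cp >> 12) & 0x3F);
            out[o + 2] = 0x80 | ((cp >> 6) & 0x3F);
            out[o + 3] = 0x80 | (cp & 0x3F); break;
    }
    return need;
}

/* Bounds-checked UTF-16LE -> UTF-8. Returns bytes written, or -1 if out_cap
   is too small (the condition an unchecked converter turns into a heap
   write overflow). Lone surrogates become U+FFFD; a trailing odd byte is
   ignored. */
long utf16le_to_utf8(const uint8_t *in, size_t in_len,
                     uint8_t *out, size_t out_cap) {
    size_t i = 0, o = 0;
    while (i + 1 < in_len) {
        uint32_t cp = in[i] | ((uint32_t)in[i + 1] << 8);
        i += 2;
        if (cp >= 0xD800 && cp <= 0xDBFF) {                 /* high surrogate */
            uint32_t lo = (i + 1 < in_len)
                        ? (in[i] | ((uint32_t)in[i + 1] << 8)) : 0;
            if (lo >= 0xDC00 && lo <= 0xDFFF) {
                cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
                i += 2;
            } else {
                cp = 0xFFFD;                                /* lone high surrogate */
            }
        } else if (cp >= 0xDC00 && cp <= 0xDFFF) {
            cp = 0xFFFD;                                    /* lone low surrogate */
        }
        size_t n = put_utf8(cp, out, o, out_cap);
        if (n == 0) return -1;                              /* refuse, do not overflow */
        o += n;
    }
    return (long)o;
}

int main(void) {
    /* Constructed sample: "€€" (U+20AC twice) as UTF-16LE, 4 bytes in. */
    const uint8_t euro[] = {0xAC, 0x20, 0xAC, 0x20};
    uint8_t buf[16];
    long n;

    n = utf16le_to_utf8(euro, sizeof euro, buf, naive_utf8_size(sizeof euro));
    printf("naive buffer (%zu bytes): %s\n", naive_utf8_size(sizeof euro),
           n < 0 ? "would overflow, refused" : "ok");

    n = utf16le_to_utf8(euro, sizeof euro, buf, safe_utf8_size(sizeof euro));
    printf("safe buffer (%zu bytes): wrote %ld bytes:",
           safe_utf8_size(sizeof euro), n);
    for (long k = 0; k < n; k++) printf(" %02X", buf[k]);
    printf("\n");
    return 0;
}
```

Two Euro signs are 4 bytes of UTF-16 but 6 bytes of UTF-8, so the one-to-one buffer is two bytes short; the safe bound has the converter write all 6 bytes (E2 82 AC E2 82 AC). Whatever formula a real converter uses, the check that matters is the one in `put_utf8`: every write is compared against the capacity rather than trusting the size computation.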
Fix coming
Despite Lobačevski's blog post and proof-of-concept exploits being published on August 21, 2023, the Notepad++ development team did not rush to respond until the user community pressed for a resolution.
Eventually, on August 30, 2023, a public issue was created to acknowledge the problem, and fixes for the four flaws were merged into the main code branch on September 3, 2023.
Notepad++ 8.5.7 has now been released and should be installed to fix the four vulnerabilities and the other bugs listed in the changelog.