In mid-August 2023, security researcher Jaroslav Lobacevski made public four vulnerabilities (CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166) in the Notepad++ editor for Windows. The vulnerabilities are rated from medium to high severity. The developer, who had known about these vulnerabilities for months, has now fixed them with the update to Notepad++ v8.5.7.
The vulnerabilities
Security researcher Jaroslav Lobacevski found a total of four vulnerabilities (CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166) in the Notepad++ editor for Windows and reported them to the developer of the program as early as April 28, 2023. But nothing happened: the developer kept releasing new Notepad++ versions without addressing the vulnerabilities.
After that, Jaroslav Lobacevski decided to go public and published the details on his GitHub security page on August 21, 2023. I gathered more details about the process and the vulnerabilities in the blog post Vulnerabilities in Notepad++ (Sept. 2023). One of the vulnerabilities (CVE-2023-40031) can trigger a buffer overflow when converting user-supplied text from UTF-16 to UTF-8.
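As an added illustration of the bug class named above (this is not Notepad++'s own code, and the page does not describe the exact defect), here is a UTF-16 to UTF-8 converter that sizes its output for the worst case and refuses to write past the destination buffer instead of overflowing it; the sample input is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Worst case: one UTF-16 code unit expands to at most 3 UTF-8 bytes.
 * A surrogate pair is 2 units -> 4 bytes, i.e. only 2 bytes per unit,
 * so units * 3 is a safe upper bound for the output size. */
size_t utf16_to_utf8_max(size_t units) { return units * 3; }

/* Converts host-order UTF-16 to UTF-8. Returns the number of bytes written,
 * or 0 if the output buffer would be overrun. Unpaired surrogates are
 * replaced by U+FFFD rather than emitted as invalid UTF-8. */
size_t utf16_to_utf8(const uint16_t *in, size_t units, uint8_t *out, size_t out_cap)
{
    size_t o = 0;
    for (size_t i = 0; i < units; i++) {
        uint32_t cp = in[i];
        if (cp >= 0xD800 && cp <= 0xDBFF && i + 1 < units &&
            in[i + 1] >= 0xDC00 && in[i + 1] <= 0xDFFF) {
            cp = 0x10000 + ((cp - 0xD800) << 10) + (in[i + 1] - 0xDC00);
            i++;                              /* consumed the low surrogate */
        } else if (cp >= 0xD800 && cp <= 0xDFFF) {
            cp = 0xFFFD;                      /* lone surrogate */
        }
        size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
        if (out_cap - o < need) return 0;     /* bounds check before every write */
        if (need == 1) { out[o++] = (uint8_t)cp; }
        else if (need == 2) { out[o++] = (uint8_t)(0xC0 | (cp >> 6)); out[o++] = (uint8_t)(0x80 | (cp & 0x3F)); }
        else if (need == 3) { out[o++] = (uint8_t)(0xE0 | (cp >> 12)); out[o++] = (uint8_t)(0x80 | ((cp >> 6) & 0x3F)); out[o++] = (uint8_t)(0x80 | (cp & 0x3F)); }
        else { out[o++] = (uint8_t)(0xF0 | (cp >> 18)); out[o++] = (uint8_t)(0x80 | ((cp >> 12) & 0x3F)); out[o++] = (uint8_t)(0x80 | ((cp >> 6) & 0x3F)); out[o++] = (uint8_t)(0x80 | (cp & 0x3F)); }
    }
    return o;
}

/* Constructed sample: "A", "e-acute", euro sign, and an emoji surrogate pair
 * (5 code units -> 1 + 2 + 3 + 4 = 10 UTF-8 bytes). Converts it into a buffer
 * of the given capacity and returns the byte count (0 on refused overflow). */
size_t sample_convert(size_t out_cap)
{
    const uint16_t sample[] = { 0x0041, 0x00E9, 0x20AC, 0xD83D, 0xDE00 };
    uint8_t out[64] = { 0 };                  /* larger than any capacity we test */
    return utf16_to_utf8(sample, 5, out, out_cap > sizeof out ? sizeof out : out_cap);
}

int main(void)
{
    printf("worst-case bytes: %zu, written: %zu, undersized buffer: %zu\n",
           utf16_to_utf8_max(5), sample_convert(15), sample_convert(9));
    return 0;
}
```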
Notepad++ v8.5.7 released
An anonymous blog reader has now pointed out that version 8.5.7 of Notepad++ has been released. The fix notes on the download page state that vulnerabilities CVE-2023-40031, CVE-2023-40036, CVE-2023-40164 and CVE-2023-40166 have been fixed.
In addition, the author writes that he has made a further security improvement: the uninstaller has now probably also been signed. I also read in the changelog that another possible memory leak when reading Utf8-16 files has been fixed. The changelog lists a number of other bug fixes, which can be read on the website here.