On 2/16/22 01:58 PM, Dan Horák wrote:
On Wed, 16 Feb 2022 13:53:04 -0500
"Steven A. Falco" <stevenfa...@gmail.com> wrote:
There are some CVE's against KiCad that have been fixed in the latest version,
namely KiCad 6.0.2. I've built that for F36 and Rawhide.
I have not released KiCad 6.0.2 into Fedora 34 and 35, because my understanding is that
by policy, we don't generally allow "major version" updates in stable Fedora
releases. Thus F34 and F35 still ship KiCad 5.1.12, which is affected by the CVE's.
I could easily build KiCad 6.0.2 for F34 / F35 - in fact, I have done so in the
KiCad Copr repository.
So, should this situation be an exception to the policy of "no major version changes
in a stable release"?
as often, it depends :-)
- what's the severity level of the CVEs?
- does KiCad 6 come with substantial changes like UI redesign,
compatibility issues with previous release, etc?
The vulnerability is rated as "7.8 -
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", whatever that means. :-)
Basically, attempting to read a malicious file can cause a buffer overflow, and
then execute malicious code.
KiCad is not suid, so the risk would be to an individual user rather than the
whole system.
KiCad 6 does have UI changes and files it creates cannot be read by KiCad 5 or
earlier.
I contacted upstream, and I know what patches form a part of the solution, but
they don't apply cleanly to KiCad 5. I might be able to sort them out...
Steve
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure