
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A stack-based buffer overflow vulnerability (CVE-2022-23946) was discovered in the Gerber Viewer gerber and excellon GCodeNumber parsing functionality of KiCad EDA 6.0.1 and master commit de006fc010. The vulnerability was discovered by Claudio Bozzato of Cisco Talos and publicly disclosed on February 16, 2022. KiCad, a cross-platform open-source software for electronics design automation, is affected through its Gerber Viewer component, which is found in a separate binary called gerbview (Talos Report).
The vulnerability exists in the GCodeNumber parsing functionality where a line buffer of size 1024 bytes is allocated on the stack. The while loop that processes numbers in the input doesn't check buffer bounds, potentially leading to a stack-based buffer overflow when processing large input files. The vulnerability has a CVSSv3 score of 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified as CWE-121 (Stack-based Buffer Overflow) (Talos Report).
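The unchecked-copy pattern described above, next to a bounds-checked form, as an added illustration in C. This is not KiCad's source code: the function names, the return convention and the sample input are assumptions made for the example; only the 1024-byte stack buffer comes from the advisory.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* Illustrative only, not KiCad source; function names are hypothetical. */
#define LINE_BUF_SIZE 1024 /* stack buffer size stated in the advisory */

/* Unsafe pattern, for contrast: the index is never compared with the buffer
 * size, so a run of 1024 or more digits writes past line[]. */
int parse_code_unchecked(const char **text)
{
    char line[LINE_BUF_SIZE];
    size_t n = 0;
    while (isdigit((unsigned char)**text))
        line[n++] = *(*text)++; /* missing: n < sizeof(line) - 1 */
    line[n] = '\0';
    return atoi(line);
}

/* Hardened form: returns 0 and advances *text on success; returns -1 if the
 * digit run is empty, does not fit in line[], or does not fit in an int. */
int parse_code_checked(const char **text, int *out)
{
    char line[LINE_BUF_SIZE];
    size_t n = 0;
    const char *p = *text;
    while (isdigit((unsigned char)*p)) {
        if (n >= sizeof(line) - 1)
            return -1; /* reject rather than write past the buffer */
        line[n++] = *p++;
    }
    if (n == 0)
        return -1;
    line[n] = '\0';
    errno = 0;
    long v = strtol(line, NULL, 10);
    if (errno == ERANGE || v > INT_MAX)
        return -1;
    *out = (int)v;
    *text = p;
    return 0;
}

int main(void)
{
    const char *s = "01*"; /* constructed sample: code digits, then '*' */
    int code = 0;
    return (parse_code_checked(&s, &code) == 0 && code == 1) ? 0 : 1;
}
```

The checked version leaves `*text` untouched on failure, so a caller can report the offending position in the file instead of continuing with a partially consumed token.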
The vulnerability could lead to code execution if exploited successfully. An attacker can trigger this vulnerability by providing a specially-crafted gerber or excellon file to the application. The impact is significant as it could allow arbitrary code execution with the privileges of the user running the KiCad application (Talos Report, Debian Security).
The vulnerability has been fixed in several distributions. Debian addressed the issue in version 5.1.9+dfsg1-1+deb11u1 for the stable distribution (bullseye), and Fedora released version 6.0.2-1.fc35 to address it. Users should upgrade their KiCad packages to the latest available version (Debian Security, Fedora Update).
Source: This report was generated using AI