
#2252 CVE vulnerabilities detected when using an automatic vulnerability-detection tool

Bug
Status: closed-invalid
Owner: nobody
Labels: None
Priority: 5
Updated: 2021-06-02
Created: 2021-05-10
Private: No

Context where the vulnerabilities are detected

Steps to reproduce:

Create a Hello World application importing scintilla
Build the application
Scan the result with Black Duck Binary Analysis

Expected behavior:

No vulnerabilities should be reported.

Actual behavior:

2 High vulnerabilities are detected.

More details on the vulnerabilities:

CVE-2007-2666

Stack-based buffer overflow in LexRuby.cxx (SciLexer.dll) in Scintilla 1.73, as used by notepad++ 4.1.1 and earlier, allows user-assisted remote attackers to execute arbitrary code via certain Ruby (.rb) files with long lines. NOTE: this was originally reported as a vulnerability in notepad++.

CVE-2019-16294

SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.

Discussion

  • Neil Hodgson

    Neil Hodgson - 2021-05-10

    These both appear to be historical bugs fixed in 2007 and 2019, respectively, so are no longer of interest unless they can be reproduced with current code.

    Scintilla 1.73 was released in March 2007. There is a fix for a Ruby out of bounds access in 1.74 from June 2007.

    The 2019 issue specifies before 7.7 (referring to Notepad++).

    SciLexer.DLL is no longer a Scintilla product. Lexers have been moved to the Lexilla project https://github.com/ScintillaOrg/lexilla .

    If these issues can be replicated with Lexilla then they should be reported using the Lexilla issue tracker https://github.com/ScintillaOrg/lexilla/issues .


    Last edit: Neil Hodgson 2021-05-10
  • Neil Hodgson

    Neil Hodgson - 2021-06-02
    • status: open --> closed-invalid
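The triage the maintainer applies above (the advisory's product must match the built one, the matched file must actually be shipped, and the build must predate the fix) as an added example; this is not code from the Scintilla project or from Black Duck. Version bounds are taken from the ticket text (Scintilla 1.73 affected with the Ruby fix in 1.74 per the maintainer's comment; Notepad++ before 7.7); the build metadata is constructed, and the Scintilla version "5.0.0" is an assumed sample value.

```python
"""Dispose of binary-scanner CVE findings against what was actually built."""
from __future__ import annotations
from dataclasses import dataclass


def parse_version(v: str) -> tuple[int, ...]:
    """'1.74' -> (1, 74); '7.6.9' -> (7, 6, 9). Compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Finding:
    cve: str
    product: str    # product the advisory is written against
    fixed_in: str   # first version no longer affected
    artifact: str   # file the scanner matched on


@dataclass(frozen=True)
class Build:
    product: str
    version: str
    files: frozenset[str]   # files actually shipped by the build


def triage(finding: Finding, build: Build) -> tuple[bool, str]:
    """Return (applicable, reason); a finding stays open only if all three checks hold."""
    if finding.product != build.product:
        return False, f"{finding.cve}: advisory is about {finding.product}, build is {build.product}"
    if finding.artifact not in build.files:
        return False, f"{finding.cve}: matched {finding.artifact}, which this build does not ship"
    if parse_version(build.version) >= parse_version(finding.fixed_in):
        return False, f"{finding.cve}: fixed in {finding.fixed_in}, build is {build.version}"
    return True, f"{finding.cve}: {build.product} {build.version} predates fix {finding.fixed_in}"


def false_positives(findings: list[Finding], build: Build) -> list[str]:
    """CVE ids from the scan that do not apply to this build, with the reason."""
    return [reason for f in findings for ok, reason in [triage(f, build)] if not ok]


# The two findings from the ticket; fix versions as stated in the thread.
FINDINGS = [
    Finding("CVE-2007-2666", "Scintilla", "1.74", "SciLexer.dll"),
    Finding("CVE-2019-16294", "Notepad++", "7.7", "SciLexer.dll"),
]

# Constructed: a Hello World build against a current Scintilla; lexers now live
# in Lexilla, so no SciLexer.dll is shipped (version string is an assumed sample).
HELLO_BUILD = Build("Scintilla", "5.0.0", frozenset({"hello.exe", "Scintilla.dll"}))

if __name__ == "__main__":
    for line in false_positives(FINDINGS, HELLO_BUILD):
        print(line)
```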
