Bug#876139: pcb-rnd user security patch

To: submit@bugs.debian.org
Subject: Bug#876139: pcb-rnd user security patch
From: Bdale Garbee <bdale@gag.com>
Date: Mon, 18 Sep 2017 15:56:22 -0600
Message-id: <[🔎] 87mv5rekmx.fsf@gag.com>
Reply-to: Bdale Garbee <bdale@gag.com>, 876139@bugs.debian.org

Package: release.debian.org

The pcb-rnd upstream has released a patch that closes a hole
through which arbitrary code can be executed if a user opens a
maliciously crafted printed circuit board design file.

There is no known instance of this being exploited in the field, there
is no root escalation, and the probability of someone opening a random
malicious printed circuit board design file is low.  However, upstream
has provided a clean patch for version 1.1.4, so I think we should
update the package in stable. 

Discussion with the security team led to the determination that this
doesn't meet the bar for a DSA update via security.debian.org, but we
agree it would be good to fix via point release.

I will prepare and upload a new version 1.1.4-2 targeting the stable
distribution later today.

Bdale

Reply to:

Follow-Ups:
- Processed: Re: Bug#876139: pcb-rnd user security patch
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Bug#876139: pcb-rnd user security patch
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: Bug#876117: stretch-pu: package mate-tweak/16.10.5-1+deb9u1
Next by Date: Bug#841733: Transition Opencv 3.1
Previous by thread: Processed: Re: Bug#876117: stretch-pu: package mate-tweak/16.10.5-1+deb9u1
Next by thread: Processed: Re: Bug#876139: pcb-rnd user security patch
Index(es):
- Date
- Thread