Your message dated Fri, 30 Jan 2026 13:19:37 +0000
with message-id <[email protected]>
and subject line Bug#1126285: fixed in arduino-core-avr 1.8.7+dfsg-1
has caused the Debian Bug report #1126285,
regarding arduino-core-avr: CVE-2025-69209
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1126285: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126285
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: arduino-core-avr
Version: 1.8.6+dfsg-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/arduino/ArduinoCore-avr/pull/613
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for arduino-core-avr.
CVE-2025-69209[0]:
| ArduinoCore-avr contains the source code and configuration files of
| the Arduino AVR Boards platform. A vulnerability in versions prior
| to 1.8.7 allows an attacker to trigger a stack-based buffer overflow
| when converting floating-point values to strings with high
| precision. By passing very large `decimalPlaces` values to the
| affected String constructors or concat methods, the `dtostrf`
| function writes beyond fixed-size stack buffers, causing memory
| corruption and denial of service. Under specific conditions, this
| could enable arbitrary code execution on AVR-based Arduino boards.
| ### Patches
| - The Fix is included starting from the `1.8.7` release available from the following link [ArduinoCore-avr v1.8.7](https://github.com/arduino/ArduinoCore-avr)
| - The Fixing Commit is available at the following link [1a6a417f89c8901dad646efce74ae9d3ddebfd59](https://github.com/arduino/ArduinoCore-avr/pull/613/commits/1a6a417f89c8901dad646efce74ae9d3ddebfd59)
| ### References
| - [ASEC-26-001 ArduinoCore-avr vXXXX Resolves Buffer Overflow Vulnerability](https://support.arduino.cc/hc/en-us/articles/XXXXX)
| ### Credits
| - Maxime Rossi Bellom and Ramtine Tofighi Shirazi from SecMate (https://secmate.dev/)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-69209
    https://www.cve.org/CVERecord?id=CVE-2025-69209
[1] https://github.com/arduino/ArduinoCore-avr/pull/613
[2] https://github.com/arduino/ArduinoCore-avr/security/advisories/GHSA-pvx3-fm7w-6hjm
[3] https://github.com/arduino/ArduinoCore-avr/commit/82a8ad2fb33911d8927c7af22e0472b94325d1a7
[4] https://support.arduino.cc/hc/en-us/articles/24985906702748-ASEC-26-001-ArduinoCore-AVR-v1-8-7-Resolves-Stack-Based-Buffer-Overflow-Vulnerability
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
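The length problem described in the CVE text above, as an added example (not code from ArduinoCore-avr or from this bug report): a host-side C model that uses `snprintf` in place of avr-libc's `dtostrf` to show how the required buffer length grows with `decimalPlaces`, with a bounded wrapper that rejects conversions that do not fit. The 33-byte buffer size, the `width = decimalPlaces + 2` convention and the names `float_str_len`, `bounded_dtostrf` and `max_safe_places` are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed stack buffer; the advisory only says "fixed-size". */
#define FLOAT_BUF_SIZE 33

/* Characters a "%*.*f" conversion needs, excluding the NUL terminator.
 * Host-side stand-in for what dtostrf(val, width, prec, buf) would write. */
static int float_str_len(double val, int width, unsigned char prec)
{
    return snprintf(NULL, 0, "%*.*f", width, (int)prec, val);
}

/* Hypothetical bounded wrapper: formats only when the result fits in buf;
 * otherwise leaves buf empty and returns NULL so the caller can clamp. */
static char *bounded_dtostrf(double val, int width, unsigned char prec,
                             char *buf, size_t bufsize)
{
    int need = float_str_len(val, width, prec);
    if (bufsize == 0) return NULL;
    if (need < 0 || (size_t)need >= bufsize) {
        buf[0] = '\0';
        return NULL;
    }
    snprintf(buf, bufsize, "%*.*f", width, (int)prec, val);
    return buf;
}

/* Largest decimalPlaces whose output still fits, or -1 if even 0 does not
 * (large magnitudes alone can exceed the buffer). Width is assumed p + 2. */
static int max_safe_places(double val, size_t bufsize)
{
    int best = -1;
    for (int p = 0; p <= 255; p++) {
        if ((size_t)float_str_len(val, p + 2, (unsigned char)p) >= bufsize) break;
        best = p;
    }
    return best;
}

int main(void)
{
    char buf[FLOAT_BUF_SIZE];
    int places[] = { 2, 30, 40, 200 };   /* constructed sample inputs */
    for (size_t i = 0; i < sizeof places / sizeof places[0]; i++) {
        int p = places[i];
        char *s = bounded_dtostrf(3.14159, p + 2, (unsigned char)p, buf, sizeof buf);
        printf("decimalPlaces=%3d need=%3d -> %s\n", p,
               float_str_len(3.14159, p + 2, (unsigned char)p), s ? s : "(rejected)");
    }
    printf("max safe decimalPlaces: %d\n", max_safe_places(3.14159, sizeof buf));
    return 0;
}
```

The safe limit depends on the value as well as on `decimalPlaces`: a sign or a large integer part consumes buffer space too, so a fixed cap on the precision alone is not a sufficient check.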
--- Begin Message ---
Source: arduino-core-avr
Source-Version: 1.8.7+dfsg-1
Done: Matthias Geiger <[email protected]>
We believe that the bug you reported is fixed in the latest version of
arduino-core-avr, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Matthias Geiger <[email protected]> (supplier of updated arduino-core-avr
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 30 Jan 2026 13:56:33 +0100
Source: arduino-core-avr
Architecture: source
Version: 1.8.7+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Electronics Team
<[email protected]>
Changed-By: Matthias Geiger <[email protected]>
Closes: 1126285
Changes:
arduino-core-avr (1.8.7+dfsg-1) unstable; urgency=medium
.
* Team upload
* [6840e74] New upstream version 1.8.7+dfsg (Closes: #1126285)
(CVE-2025-69209)
* [f497c6e] d/copyright: Adjust excludes list
* [a9b845a] Refresh patches for new upstream release
* [c386188] d/control: Bump S-V to 4.7.3; drop priority: optional and RRR
* [95bf24d] Update lintian overrides for avr bootloader files
Git-Tag-Info: tag=92bce3dc10fdea2e08b2eb4e79000ed74612f0bb
fp=14593bff4a5ebf6fe0e9716eecbedbb607b9b2be
Git-Tag-Tagger: Matthias Geiger <[email protected]>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---