Your message dated Wed, 06 May 2026 18:33:16 +0000
with message-id <[email protected]>
and subject line Bug#1126285: fixed in arduino-core-avr 1.8.7+dfsg-1~deb12u1
has caused the Debian Bug report #1126285,
regarding arduino-core-avr: CVE-2025-69209
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1126285: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126285
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: arduino-core-avr
Version: 1.8.6+dfsg-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/arduino/ArduinoCore-avr/pull/613
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for arduino-core-avr.
CVE-2025-69209[0]:
| ArduinoCore-avr contains the source code and configuration files of
| the Arduino AVR Boards platform. A vulnerability in versions prior
| to 1.8.7 allows an attacker to trigger a stack-based buffer overflow
| when converting floating-point values to strings with high
| precision. By passing very large `decimalPlaces` values to the
| affected String constructors or concat methods, the `dtostrf`
| function writes beyond fixed-size stack buffers, causing memory
| corruption and denial of service. Under specific conditions, this
| could enable arbitrary code execution on AVR-based Arduino boards.
| ### Patches
| - The Fix is included starting from the `1.8.7` release available from the following link [ArduinoCore-avr v1.8.7](https://github.com/arduino/ArduinoCore-avr)
| - The Fixing Commit is available at the following link [1a6a417f89c8901dad646efce74ae9d3ddebfd59](https://github.com/arduino/ArduinoCore-avr/pull/613/commits/1a6a417f89c8901dad646efce74ae9d3ddebfd59)
| ### References
| - [ASEC-26-001 ArduinoCore-avr vXXXX Resolves Buffer Overflow Vulnerability](https://support.arduino.cc/hc/en-us/articles/XXXXX)
| ### Credits
| - Maxime Rossi Bellom and Ramtine Tofighi Shirazi from SecMate (https://secmate.dev/)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-69209
https://www.cve.org/CVERecord?id=CVE-2025-69209
[1] https://github.com/arduino/ArduinoCore-avr/pull/613
[2] https://github.com/arduino/ArduinoCore-avr/security/advisories/GHSA-pvx3-fm7w-6hjm
[3] https://github.com/arduino/ArduinoCore-avr/commit/82a8ad2fb33911d8927c7af22e0472b94325d1a7
[4] https://support.arduino.cc/hc/en-us/articles/24985906702748-ASEC-26-001-ArduinoCore-AVR-v1-8-7-Resolves-Stack-Based-Buffer-Overflow-Vulnerability
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
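The bug pattern the CVE text describes (a caller-controlled `decimalPlaces` fed to `dtostrf`, which writes into a fixed-size stack buffer with no length bound) and its hardened counterpart, modelled on a host so it can be compiled and run with a normal C toolchain. This is an added example, not code from the report above or from ArduinoCore-avr: the 33-byte buffer size, the 7-place clamp, and every function name here are assumptions chosen for illustration, and `dtostrf_unbounded` is a stand-in for avr-libc's `dtostrf`, not the library function itself.

```c
#include <stdio.h>
#include <string.h>

/*
 * Host-side model of the CVE-2025-69209 pattern.  Added example, not code
 * from ArduinoCore-avr.  Assumptions: the affected String constructors use
 * a fixed 33-byte stack buffer (FLOAT_BUF_SIZE), and 7 is a sensible upper
 * bound on useful decimal places for a 32-bit float (MAX_DECIMAL_PLACES).
 */
#define FLOAT_BUF_SIZE      33
#define MAX_DECIMAL_PLACES  7

/* Stand-in for avr-libc dtostrf(): same contract, i.e. no bound on the
 * destination.  avr-libc's real signature takes signed char width and
 * unsigned char prec; plain ints keep this host build portable. */
static char *dtostrf_unbounded(double val, int width, int prec, char *s)
{
    sprintf(s, "%*.*f", width, prec, val);
    return s;
}

/* Bytes, including the terminating NUL, that the call above would emit. */
static size_t dtostrf_required(double val, int width, int prec)
{
    return (size_t)snprintf(NULL, 0, "%*.*f", width, prec, val) + 1;
}

/* The vulnerable shape: caller-controlled decimalPlaces, fixed buffer.
 * Returns 1 when the call would have written past buf.  The unbounded
 * write is only performed when it is known to fit, so this function stays
 * memory-safe while still showing where the real overflow happens. */
static int vulnerable_would_overflow(double value, unsigned char decimalPlaces)
{
    char buf[FLOAT_BUF_SIZE];
    size_t need = dtostrf_required(value, decimalPlaces + 2, decimalPlaces);
    if (need > sizeof buf)
        return 1;                       /* on AVR: stack smashed here */
    dtostrf_unbounded(value, decimalPlaces + 2, decimalPlaces, buf);
    return 0;
}

/* Hardened form: clamp the precision, bound the write, and refuse to hand
 * back a silently truncated result (large magnitudes can also exceed the
 * buffer, so clamping decimalPlaces alone is not enough). */
static const char *safe_float_to_string(double value, unsigned char decimalPlaces,
                                        char *out, size_t outlen)
{
    if (decimalPlaces > MAX_DECIMAL_PLACES)
        decimalPlaces = MAX_DECIMAL_PLACES;
    int n = snprintf(out, outlen, "%.*f", (int)decimalPlaces, value);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen)
            out[0] = '\0';
        return NULL;                    /* did not fit: caller must handle */
    }
    return out;
}

/* 1 if the hardened conversion into a FLOAT_BUF_SIZE buffer yields exactly
 * expected, 0 if it differs or was rejected. */
static int safe_matches(double value, unsigned char decimalPlaces, const char *expected)
{
    char buf[FLOAT_BUF_SIZE];
    const char *r = safe_float_to_string(value, decimalPlaces, buf, sizeof buf);
    return r != NULL && strcmp(r, expected) == 0;
}

/* 1 if the hardened conversion refuses the input rather than truncating. */
static int safe_rejects(double value, unsigned char decimalPlaces)
{
    char buf[FLOAT_BUF_SIZE];
    return safe_float_to_string(value, decimalPlaces, buf, sizeof buf) == NULL;
}

int main(void)
{
    char buf[FLOAT_BUF_SIZE];
    const char *s;

    printf("decimalPlaces=2   overflow=%d\n", vulnerable_would_overflow(3.14159, 2));
    printf("decimalPlaces=200 overflow=%d\n", vulnerable_would_overflow(3.14159, 200));
    s = safe_float_to_string(3.14159, 200, buf, sizeof buf);
    printf("hardened(3.14159, 200) = %s\n", s ? s : "(rejected)");
    s = safe_float_to_string(1e30, 7, buf, sizeof buf);
    printf("hardened(1e30, 7)      = %s\n", s ? s : "(rejected)");
    return 0;
}
```

With `decimalPlaces` of 200 the unbounded call needs 203 bytes against a 33-byte buffer, which is the overflow the CVE describes; the hardened version clamps to 7 places and returns "3.1415900" instead. The second hardened call shows the caveat a clamp alone misses: a value like 1e30 with only 7 places still needs 40 bytes, so the bounded write must also report that the result did not fit rather than return a truncated string. On bookworm the fixed package is the 1.8.7+dfsg-1~deb12u1 upload described in the closing message below.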
--- Begin Message ---
Source: arduino-core-avr
Source-Version: 1.8.7+dfsg-1~deb12u1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
arduino-core-avr, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated arduino-core-avr package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 06 May 2026 12:56:00 +0300
Source: arduino-core-avr
Architecture: source
Version: 1.8.7+dfsg-1~deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Electronics Team <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1126285
Changes:
arduino-core-avr (1.8.7+dfsg-1~deb12u1) bookworm; urgency=medium
.
* Non-maintainer upload.
* Rebuild for bookworm.
- Drop -fno-jump-tables addition.
- debian/control: Restore Priority and Rules-Requires-Root fields.
.
arduino-core-avr (1.8.7+dfsg-1) unstable; urgency=medium
.
* Team upload
* [6840e74] New upstream version 1.8.7+dfsg (Closes: #1126285)
(CVE-2025-69209)
* [f497c6e] d/copyright: Adjust excludes list
* [a9b845a] Refresh patches for new upstream release
* [c386188] d/control: Bump S-V to 4.7.3; drop priority: optional and RRR
* [95bf24d] Update lintian overrides for avr bootloader files
Checksums-Sha1:
 74eae330bf4f63dd770f6f2adddc8bf885730850 2138 arduino-core-avr_1.8.7+dfsg-1~deb12u1.dsc
 cced6ad4bccaf25dfe20491fceee6ed7d1dccca9 10468 arduino-core-avr_1.8.7+dfsg-1~deb12u1.debian.tar.xz
Checksums-Sha256:
 dea6560b9284668b50b673dd92be4d27241f5d22a26ffa36628b0e081210e10f 2138 arduino-core-avr_1.8.7+dfsg-1~deb12u1.dsc
 0b9ed1c1588cc7528970665b5b560138ed6227444e7ec70265b61976ac8ecdca 10468 arduino-core-avr_1.8.7+dfsg-1~deb12u1.debian.tar.xz
Files:
 6a46a691341a05a1bb08f9255d176bad 2138 utils optional arduino-core-avr_1.8.7+dfsg-1~deb12u1.dsc
 d4d4b694ef2039664add679d70aa25e6 10468 utils optional arduino-core-avr_1.8.7+dfsg-1~deb12u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmn7Gc8ACgkQiNJCh6LY
mLHz6Q//eN+jtoyzycSb5JaBYaa8fIj8O7sCqjZomis8mtKwqUKxsSVtJGh1bvg+
h7so3QAPYOvtVNX3HCYdEIh9lW0aL/fEB9nDqBE30Cd1wOPaUVs7kxlSK0z9epuI
U3yQzzDA1NS3RgYO0YsSY6bi70etBe9tEwDLoRhYK+EMFOiuMQUgDEnnVxWSwmdp
zNEW06YVhZfSxaInH1BSuw6OSS07gzoDn8/tDr6Riyjnfkz7kzOL1EuWxH0iqAsX
o9AnEgCxYcfZypBkiV2wFWd4/njwlpXZRnDKxVt7PMzY6evNa8BoP8Fz0y7S5jXd
0eaKjgpQsWVTCZotWER8P6hQ9xOA4BbQpF0liVwuI6dkYFpE/53o3PpUCCe2EUrT
fW0nAEORVeBb31THBkbHuoUYin4tKnUuF3oPQTEvLkrDskizez0SBeO/V0gykJJw
TDNHaaktCy/1n6ay8DkWB7gzMyt7N6JvZfSILCkuPJOVTDJolD6lB/H6x4grr1m+
yFOUHcB8POWyoZfJmTYS9lVv0aGQLbM3kZEujSrBRgpz6mNCzxbX9Ib4uNgg87CS
6ifHI7MD41JpqwYnzbsROmel04YrC0fLKU38mPrpLK4mCvZLmxkdVUKTsciyX64/
wo9A34FJhVOyDnkms7evmq8q3OxOFzxiXSIRwIT+Psu3PcnHHp4=
=HK/v
-----END PGP SIGNATURE-----
--- End Message ---