Your message dated Sat, 11 Jul 2026 10:32:48 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1141042,
regarding trixie-pu: package linuxcnc/1:2.9.4-2+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1141042: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141042
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:linuxcnc
X-Debbugs-Cc: [email protected], Andy Pugh <[email protected]>, 
Hannes Diethelm <[email protected]>
User: [email protected]
Usertags: pu
Tags: trixie
Severity: normal

The LinuxCNC project and maintainers would like to address a security
related issue in the stable edition of linuxcnc in Debian.

The issue at hand is reported as #1140943 and a fix was recently
included in an upstream release and included in yesterdays unstable
release.  I am not sure when the issue was released, but it will be good
to have it fixed in unstable.  It will affect any LinuxCNC user who is
also not root on the machine used to control a machine, which the
upstream developers suspect is a fairly rare occation, but nevertheless
it is a use case to protect.

The impact on machine owner granting LinuxCNC user access to
non-privileged users is that the local user can become root with some
craftwork.

The normal path through the relevant code is tested by the normal self
testing during build.

The fix is fairly trivial, and the risc associated with upgrading is
minimal.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

This is the complete set of changes.  I will upload them to debian
shortly, as I believe this change is non-controversial and expect it to
be accepted unchanged into the stable update.

diff --git a/debian/changelog b/debian/changelog
index 208499b..dd8d653 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+linuxcnc (1:2.9.4-2+deb13u1) trixie; urgency=medium
+
+  * Added 0010-sanitize-hal-paths.patch to sanitize name for module in
+    rtapi_app (Closes: #1140943).
+  * Added d/gbp.conf to enforce the use of pristine-tar and using
+    correct git branch for stable updates.
+
+ -- Petter Reinholdtsen <[email protected]>  Sun, 28 Jun 2026 23:02:42 +0200
+
 linuxcnc (1:2.9.4-2) unstable; urgency=medium
 
   * Team upload.
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..d6f3eb6
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,4 @@
+[DEFAULT]
+debian-branch   = debian/trixie
+upstream-branch = upstream
+pristine-tar    = True
diff --git a/debian/patches/0010-sanitize-hal-paths.patch 
b/debian/patches/0010-sanitize-hal-paths.patch
new file mode 100644
index 0000000..60f86d8
--- /dev/null
+++ b/debian/patches/0010-sanitize-hal-paths.patch
@@ -0,0 +1,23 @@
+Description: Fix rtapi_app: Sanitize name for module
+From: Hannes Diethelm <[email protected]>
+Origin: 
https://github.com/LinuxCNC/linuxcnc/commit/00d534c87464a3ed446656998aa02b8abc74b391
+Reviewed-by: Petter Reinholdtsen <[email protected]>
+Forwarded: not-needed
+Last-Update: 2026-06-28
+
+diff --git a/src/rtapi/uspace_rtapi_app.cc b/src/rtapi/uspace_rtapi_app.cc
+index 6e6298831b..8e600cc4b7 100644
+--- a/src/rtapi/uspace_rtapi_app.cc
++++ b/src/rtapi/uspace_rtapi_app.cc
+@@ -274,6 +274,11 @@ static int do_comp_args(void *module, vector<string> 
args) {
+ static int do_load_cmd(string name, vector<string> args) {
+     void *w = modules[name];
+     if(w == NULL) {
++        //Sanitize the name
++        if(name.find("/") != std::string::npos || name.find("..") != 
std::string::npos){
++            rtapi_print_msg(RTAPI_MSG_ERR, "%s: Not allowed as module name. 
Slashes or with \"..\" (even /a..b/) are not allowed.\n", name.c_str());
++            return -1;
++        }
+         char what[LINELEN+1];
+         snprintf(what, LINELEN, "%s/%s.so", EMC2_RTLIB_DIR, name.c_str());
+         void *module = modules[name] = dlopen(what, RTLD_GLOBAL | RTLD_NOW);
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..84c8cb0
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+0010-sanitize-hal-paths.patch

-- 
Happy hacking
Petter Reinholdtsen

--- End Message ---
--- Begin Message ---
Version: 13.6

This update was released as part of 13.6.

--- End Message ---

Reply via email to