#1141042 trixie-pu: package linuxcnc/1:2.9.4-2+deb13u1

#1141042#5
Date: 2026-06-28 21:17:17 UTC
The LinuxCNC project and maintainers would like to address a security
related issue in the stable edition of linuxcnc in Debian.

The issue at hand is reported as #1140943 and a fix was recently
included in an upstream release and included in yesterday's unstable
release.  I am not sure when the issue was released, but it will be good
to have it fixed in unstable.  It will affect any LinuxCNC user who is
also not root on the machine used to control a machine, which the
upstream developers suspect is a fairly rare occasion, but nevertheless
it is a use case to protect.

The impact on a machine owner granting LinuxCNC user access to
non-privileged users is that the local user can become root with some
craftwork.

The normal path through the relevant code is tested by the normal self
testing during build.

The fix is fairly trivial, and the risk associated with upgrading is
minimal.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

This is the complete set of changes.  I will upload them to Debian
shortly, as I believe this change is non-controversial and expect it to
be accepted unchanged into the stable update.

diff --git a/debian/changelog b/debian/changelog
index 208499b..dd8d653 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+linuxcnc (1:2.9.4-2+deb13u1) trixie; urgency=medium
+
+  * Added 0010-sanitize-hal-paths.patch to sanitize name for module in
+    rtapi_app (Closes: #1140943).
+  * Added d/gbp.conf to enforce the use of pristine-tar and using
+    correct git branch for stable updates.
+
+ -- Petter Reinholdtsen <pere@debian.org>  Sun, 28 Jun 2026 23:02:42 +0200
+
 linuxcnc (1:2.9.4-2) unstable; urgency=medium

   * Team upload.
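Review bot: the changelog entry for the first bullet names the mechanism ("sanitize name for module in rtapi_app") but not the impact, which the cover letter describes as a local user of the LinuxCNC group being able to become root; stating that in the entry (for example "... to prevent path traversal in module loading; local privilege escalation (Closes: #1140943)") gives the stable release team and users reading apt-listchanges the severity without having to open the bug.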
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..d6f3eb6
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,4 @@
+[DEFAULT]
+debian-branch   = debian/trixie
+upstream-branch = upstream
+pristine-tar    = True
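Review bot: this new debian/gbp.conf is packaging tooling unrelated to the security fix the update is requested for; stable updates are normally kept to the minimal change set, so either justify it in the request text (the changelog only says it enforces pristine-tar and the debian/trixie branch) or drop it from the debdiff and keep it in the packaging repository only. It is harmless to the built package either way, since gbp.conf is not used at build time.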
diff --git a/debian/patches/0010-sanitize-hal-paths.patch b/debian/patches/0010-sanitize-hal-paths.patch
new file mode 100644
index 0000000..60f86d8
--- /dev/null
+++ b/debian/patches/0010-sanitize-hal-paths.patch
@@ -0,0 +1,23 @@
+Description: Fix rtapi_app: Sanitize name for module
+From: Hannes Diethelm <hannes.diethelm@gmail.com>
+Origin: https://github.com/LinuxCNC/linuxcnc/commit/00d534c87464a3ed446656998aa02b8abc74b391
+Reviewed-by: Petter Reinholdtsen <pere@debian.org>
+Forwarded: not-needed
+Last-Update: 2026-06-28
+
+diff --git a/src/rtapi/uspace_rtapi_app.cc b/src/rtapi/uspace_rtapi_app.cc
+index 6e6298831b..8e600cc4b7 100644
+--- a/src/rtapi/uspace_rtapi_app.cc
++++ b/src/rtapi/uspace_rtapi_app.cc
+@@ -274,6 +274,11 @@ static int do_comp_args(void *module, vector<string> args) {
+ static int do_load_cmd(string name, vector<string> args) {
+     void *w = modules[name];
+     if(w == NULL) {
++        //Sanitize the name
++        if(name.find("/") != std::string::npos || name.find("..") != std::string::npos){
++            rtapi_print_msg(RTAPI_MSG_ERR, "%s: Not allowed as module name. Slashes or with \"..\" (even /a..b/) are not allowed.\n", name.c_str());
++            return -1;
++        }
+         char what[LINELEN+1];
+         snprintf(what, LINELEN, "%s/%s.so", EMC2_RTLIB_DIR, name.c_str());
+         void *module = modules[name] = dlopen(what, RTLD_GLOBAL | RTLD_NOW);
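Review bot: the added check is a denylist that rejects only "/" and ".."; an allowlist of the characters a HAL module name can legitimately contain (letters, digits, "_" and "-") would be more robust and would also reject an empty name, which still passes this check and makes the following snprintf build "<EMC2_RTLIB_DIR>/.so". Note also that `modules[name]` on the line above the check uses operator[] and so inserts a null entry for the rejected name before the -1 return; moving the sanitization before the map lookup, or using find(), avoids leaving that entry behind. Minor style: the comment `//Sanitize the name` lacks a space after `//`, and the error text "Slashes or with \"..\" (even /a..b/) are not allowed" reads awkwardly; "slashes and \"..\" are not allowed" is clearer. Since this is a verbatim upstream commit, these would be follow-up points for upstream rather than blockers for the stable update.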
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..84c8cb0
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+0010-sanitize-hal-paths.patch
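Review bot: debian/patches/series is created as a new file yet its only entry is numbered 0010; the gap is harmless, but if the intent is to leave room for patches carried in unstable, a short note in the request text (or numbering it 0001 to match a fresh series) avoids the reader wondering whether 0001 to 0009 were dropped from the debdiff.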