#1141045 bookworm-pu: package linuxcnc/2.9.0~pre1+git20230208.f1270d6ed7-1+deb12u2

#1141045#5
Date: 2026-06-28 21:46:33 UTC
The LinuxCNC project and maintainers would like to address a security
related issue in the oldstable edition of linuxcnc in Debian.

The issue at hand is reported as #1140943 and a fix was recently
included in an upstream release and included in yesterday's unstable
release.  I am not sure when the issue was released, but it will be good
to have it fixed in unstable.  It will affect any LinuxCNC user who is
also not root on the machine used to control a machine, which the
upstream developers suspect is a fairly rare occasion, but nevertheless
it is a use case to protect.

The impact on a machine owner granting LinuxCNC user access to
non-privileged users is that the local user can become root with some
craftwork.

The normal path through the relevant code is tested by the normal self
testing during build.

The fix is fairly trivial, and the risk associated with upgrading is
minimal.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

This is the complete set of changes.  I will upload them to Debian
shortly, as I believe this change is non-controversial and expect it to
be accepted unchanged into the oldstable update.

diff --git a/debian/changelog b/debian/changelog
index b818f54..f7846ac 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+linuxcnc (2.9.0~pre1+git20230208.f1270d6ed7-1+deb12u2) bookworm; urgency=medium
+
+  * Team upload.
+
+  * Told gbp to use xz compression, to match already uploaded
+    orig.tar.gz.
+  * Added 0010-sanitize-hal-paths.patch to sanitize name for module in
+    rtapi_app (Closes: #1140943).
+  * Added a small patch to fix missing gettimeofday() declaration with
+    newer GCC/glibc version.
+
+ -- Petter Reinholdtsen <pere@debian.org>  Sun, 28 Jun 2026 23:34:48 +0200
+
 linuxcnc (2.9.0~pre1+git20230208.f1270d6ed7-1+deb12u1) bookworm; urgency=medium

   [ CMorley ]
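Review bot: the gbp entry "Told gbp to use xz compression, to match already uploaded orig.tar.gz" is self-contradictory: an xz-compressed orig tarball is named orig.tar.xz, so either the filename in the changelog or the rationale is wrong; please make the entry name the actual tarball. The gettimeofday entry would also be more useful to a stable-update reviewer if it named the GCC/glibc version at which the build breaks without the include.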
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 3796750..97c6480 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,3 +1,4 @@
 [DEFAULT]
 debian-branch   = debian/bookworm
 upstream-branch = upstream
+compression = xz
diff --git a/debian/patches/0010-sanitize-hal-paths.patch b/debian/patches/0010-sanitize-hal-paths.patch
new file mode 100644
index 0000000..60f86d8
--- /dev/null
+++ b/debian/patches/0010-sanitize-hal-paths.patch
@@ -0,0 +1,23 @@
+Description: Fix rtapi_app: Sanitize name for module
+From: Hannes Diethelm <hannes.diethelm@gmail.com>
+Origin: https://github.com/LinuxCNC/linuxcnc/commit/00d534c87464a3ed446656998aa02b8abc74b391
+Reviewed-by: Petter Reinholdtsen <pere@debian.org>
+Forwarded: not-needed
+Last-Update: 2026-06-28
+
+diff --git a/src/rtapi/uspace_rtapi_app.cc b/src/rtapi/uspace_rtapi_app.cc
+index 6e6298831b..8e600cc4b7 100644
+--- a/src/rtapi/uspace_rtapi_app.cc
++++ b/src/rtapi/uspace_rtapi_app.cc
+@@ -274,6 +274,11 @@ static int do_comp_args(void *module, vector<string> args) {
+ static int do_load_cmd(string name, vector<string> args) {
+     void *w = modules[name];
+     if(w == NULL) {
++        //Sanitize the name
++        if(name.find("/") != std::string::npos || name.find("..") != std::string::npos){
++            rtapi_print_msg(RTAPI_MSG_ERR, "%s: Not allowed as module name. Slashes or with \"..\" (even /a..b/) are not allowed.\n", name.c_str());
++            return -1;
++        }
+         char what[LINELEN+1];
+         snprintf(what, LINELEN, "%s/%s.so", EMC2_RTLIB_DIR, name.c_str());
+         void *module = modules[name] = dlopen(what, RTLD_GLOBAL | RTLD_NOW);
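Review bot: the deny-list at `if(name.find("/") != std::string::npos || name.find("..") != std::string::npos)` does stop the traversal out of EMC2_RTLIB_DIR that the snprintf/dlopen pair below it would otherwise allow, but it still accepts an empty name (which becomes "<EMC2_RTLIB_DIR>/.so") and any other character a module name never legitimately contains; an allow-list (non-empty, letters, digits, '_' and '-') is easier to reason about and to document than enumerating bad substrings. The error text `"%s: Not allowed as module name. Slashes or with \"..\" (even /a..b/) are not allowed.\n"` is hard to read; something like "%s: module name must not contain '/' or '..'" says the same. Minor: `//Sanitize the name` should have a space after the slashes to match the surrounding style.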
diff --git a/debian/patches/1000-gettimeofday-include.patch b/debian/patches/1000-gettimeofday-include.patch
new file mode 100644
index 0000000..db72943
--- /dev/null
+++ b/debian/patches/1000-gettimeofday-include.patch
@@ -0,0 +1,19 @@
+Description: Add missing include for gettimeofday()
+ This get the source building with more recent gcc/glibc too
+From: Petter Reinholdtsen <pere@debian.org>
+Reviewed-by: Petter Reinholdtsen <pere@debian.org>
+Forwarded: not-needed
+Last-Update: 2026-06-28
+
+diff --git a/src/emc/rs274ngc/gcodemodule.cc b/src/emc/rs274ngc/gcodemodule.cc
+index ff222e7..88b08b7 100644
+--- a/src/emc/rs274ngc/gcodemodule.cc
++++ b/src/emc/rs274ngc/gcodemodule.cc
+@@ -16,6 +16,7 @@
+ //    along with this program; if not, write to the Free Software
+ //    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
++#include <sys/time.h>
+ #include <Python.h>
+ #include <structmember.h>
+
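Review bot: `#include <sys/time.h>` is inserted before `#include <Python.h>`, but the Python C API requires Python.h to be the first include because it defines feature-test macros (for example _POSIX_C_SOURCE) that change what later system headers expose; putting a system header first commonly yields macro-redefinition warnings or, with newer toolchains, a failing build of the kind this patch is meant to fix. Suggest placing the new include after `#include <structmember.h>`. Also, in the DEP-3 header, "This get the source building" should read "This gets the source building".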
diff --git a/debian/patches/series b/debian/patches/series
index f427620..39265bb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,4 @@
 #0010-arm-hppa.patch
+0010-sanitize-hal-paths.patch
 0020-mdi-fix-unwanted-movement.patch
+1000-gettimeofday-include.patch
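The module-name check described in the message and carried by 0010-sanitize-hal-paths.patch, shown as an added example that is not part of this bug report or of the LinuxCNC sources. The deny-list function reproduces the patch's rule (no '/' and no ".."); the allow-list function, the placeholder directory "/example/rtlib" standing in for EMC2_RTLIB_DIR, and the helper `module_path` are assumptions of this example, not upstream code.

```cpp
// Added example, not code from the bug report or from LinuxCNC: module-name
// validation for a loader that builds "<rtlib_dir>/<name>.so" and hands it
// to dlopen(). The deny-list function mirrors the check added by
// 0010-sanitize-hal-paths.patch; the allow-list function is a stricter
// alternative that is an assumption of this example, not upstream policy.
#include <cctype>
#include <iostream>
#include <string>

// Deny-list check as in the patch: refuse names containing '/' or "..".
// This blocks "../../tmp/evil" and "/tmp/evil", i.e. any attempt to make
// dlopen() resolve a file outside rtlib_dir.
bool name_allowed_denylist(const std::string &name) {
    return name.find("/") == std::string::npos &&
           name.find("..") == std::string::npos;
}

// Allow-list alternative (assumption of this example): a module name must be
// non-empty and consist only of ASCII letters, digits, '_' or '-'. Besides
// traversal, this also refuses an empty name (which would otherwise map to
// "<rtlib_dir>/.so") and names containing spaces or other separators.
bool name_allowed_allowlist(const std::string &name) {
    if (name.empty()) return false;
    for (unsigned char c : name) {
        if (!(std::isalnum(c) || c == '_' || c == '-')) return false;
    }
    return true;
}

// Build the path a loader would pass to dlopen(), or return "" when the
// validator rejects the name so the caller can fail the load command.
std::string module_path(const std::string &rtlib_dir, const std::string &name,
                        bool (*allowed)(const std::string &)) {
    if (!allowed(name)) return "";
    return rtlib_dir + "/" + name + ".so";
}

int main() {
    // "/example/rtlib" is a constructed placeholder for EMC2_RTLIB_DIR.
    const std::string dir = "/example/rtlib";
    // Constructed sample names: one legitimate module, two traversal
    // attempts, the "a..b" case the patch's message mentions, an empty
    // name and a name with a space.
    const char *names[] = {"motmod", "../../tmp/evil", "/tmp/evil",
                           "a..b", "", "my module"};
    for (const char *n : names) {
        std::cout << '"' << n << "\": deny-list -> "
                  << (module_path(dir, n, name_allowed_denylist).empty()
                          ? "rejected" : "accepted")
                  << ", allow-list -> "
                  << (module_path(dir, n, name_allowed_allowlist).empty()
                          ? "rejected" : "accepted")
                  << '\n';
    }
    return 0;
}
```

Running it shows where the two rules differ: both reject the traversal names and "a..b", but only the allow-list rejects the empty name and "my module". The deny-list is what the stable update ships and is sufficient for the reported issue; the allow-list is the shape a reviewer would ask for if the check is revisited upstream.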