Your message dated Thu, 05 Mar 2026 20:32:06 +0000
with message-id <[email protected]>
and subject line Bug#1126285: fixed in arduino-core-avr 1.8.7+dfsg-1~deb13u1
has caused the Debian Bug report #1126285,
regarding arduino-core-avr: CVE-2025-69209
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1126285: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126285
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: arduino-core-avr
Version: 1.8.6+dfsg-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/arduino/ArduinoCore-avr/pull/613
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for arduino-core-avr.
CVE-2025-69209[0]:
| ArduinoCore-avr contains the source code and configuration files of
| the Arduino AVR Boards platform. A vulnerability in versions prior
| to 1.8.7 allows an attacker to trigger a stack-based buffer overflow
| when converting floating-point values to strings with high
| precision. By passing very large `decimalPlaces` values to the
| affected String constructors or concat methods, the `dtostrf`
| function writes beyond fixed-size stack buffers, causing memory
| corruption and denial of service. Under specific conditions, this
| could enable arbitrary code execution on AVR-based Arduino boards.
| ### Patches
| - The Fix is included starting from the `1.8.7` release available from the following link [ArduinoCore-avr v1.8.7](https://github.com/arduino/ArduinoCore-avr)
| - The Fixing Commit is available at the following link [1a6a417f89c8901dad646efce74ae9d3ddebfd59](https://github.com/arduino/ArduinoCore-avr/pull/613/commits/1a6a417f89c8901dad646efce74ae9d3ddebfd59)
| ### References
| - [ASEC-26-001 ArduinoCore-avr vXXXX Resolves Buffer Overflow Vulnerability](https://support.arduino.cc/hc/en-us/articles/XXXXX)
| ### Credits
| - Maxime Rossi Bellom and Ramtine Tofighi Shirazi from SecMate (https://secmate.dev/)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-69209
    https://www.cve.org/CVERecord?id=CVE-2025-69209
[1] https://github.com/arduino/ArduinoCore-avr/pull/613
[2] https://github.com/arduino/ArduinoCore-avr/security/advisories/GHSA-pvx3-fm7w-6hjm
[3] https://github.com/arduino/ArduinoCore-avr/commit/82a8ad2fb33911d8927c7af22e0472b94325d1a7
[4] https://support.arduino.cc/hc/en-us/articles/24985906702748-ASEC-26-001-ArduinoCore-AVR-v1-8-7-Resolves-Stack-Based-Buffer-Overflow-Vulnerability
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
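The failure mode the quoted advisory describes, shown as an added host-side C illustration that is not code from the ArduinoCore-avr project or from its fix: `dtostrf()` takes a precision but no buffer size, so a large `decimalPlaces` pushes the output past a fixed-size stack buffer. `FLOAT_BUF_SIZE`, `float_str_len`, `would_overflow` and `safe_dtostrf` are hypothetical names and sizes chosen for this example; the clamp-then-`snprintf` pattern is one defensive option, not necessarily what upstream 1.8.7 does.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size stack buffer, standing in for the one the affected
 * String constructors hand to dtostrf(). The size is an assumption. */
#define FLOAT_BUF_SIZE 33

/* Conservative byte count a dtostrf()-style "%.<prec>f" result needs:
 * optional '-', integer digits (+1 for a rounding carry), '.', prec decimals
 * and the terminating NUL. No <math.h>; the digit loop is capped so that
 * infinities cannot spin it forever. */
size_t float_str_len(double value, unsigned char prec)
{
    double a = value < 0 ? -value : value;
    size_t int_digits = 1;
    while (a >= 10.0 && int_digits < 310) { a /= 10.0; int_digits++; }
    size_t len = int_digits + 1 + (prec ? (size_t)prec + 1 : 0) + 1;
    if (value < 0) len++;
    return len;
}

/* The check the vulnerable path lacks: with no size argument, nothing stops
 * `prec` from carrying the write past the end of the buffer. */
bool would_overflow(double value, unsigned char prec, size_t buf_size)
{
    return float_str_len(value, prec) > buf_size;
}

/* Hardened conversion: clamp prec to what the buffer can hold, then let
 * snprintf() enforce the bound anyway. Returns the precision actually used. */
unsigned char safe_dtostrf(double value, unsigned char prec,
                           char *buf, size_t buf_size)
{
    while (prec > 0 && would_overflow(value, prec, buf_size))
        prec--;
    snprintf(buf, buf_size, "%.*f", (int)prec, value);
    return prec;
}

int main(void)
{
    char buf[FLOAT_BUF_SIZE];
    unsigned char used = safe_dtostrf(3.14, 200, buf, sizeof buf);
    printf("requested 200 decimals, used %u: %s\n", used, buf);
    return 0;
}
```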
--- Begin Message ---
Source: arduino-core-avr
Source-Version: 1.8.7+dfsg-1~deb13u1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
arduino-core-avr, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated arduino-core-avr package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 04 Mar 2026 18:32:54 +0200
Source: arduino-core-avr
Architecture: source
Version: 1.8.7+dfsg-1~deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Electronics Team <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1126285
Changes:
arduino-core-avr (1.8.7+dfsg-1~deb13u1) trixie; urgency=medium
.
* Non-maintainer upload.
* Rebuild for trixie.
.
arduino-core-avr (1.8.7+dfsg-1) unstable; urgency=medium
.
* Team upload
* [6840e74] New upstream version 1.8.7+dfsg (Closes: #1126285) (CVE-2025-69209)
* [f497c6e] d/copyright: Adjust excludes list
* [a9b845a] Refresh patches for new upstream release
* [c386188] d/control: Bump S-V to 4.7.3; drop priority: optional and RRR
* [95bf24d] Update lintian overrides for avr bootloader files
--- End Message ---