Source: arduino-core-avr
Version: 1.8.6+dfsg-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/arduino/ArduinoCore-avr/pull/613
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for arduino-core-avr.

CVE-2025-69209[0]:
| ArduinoCore-avr contains the source code and configuration files of
| the Arduino AVR Boards platform. A vulnerability in versions prior
| to 1.8.7 allows an attacker to trigger a stack-based buffer overflow
| when converting floating-point values to strings with high
| precision. By passing very large `decimalPlaces` values to the
| affected String constructors or concat methods, the `dtostrf`
| function writes beyond fixed-size stack buffers, causing memory
| corruption and denial of service. Under specific conditions, this
| could enable arbitrary code execution on AVR-based Arduino boards.
|
| ### Patches
| - The Fix is included starting from the `1.8.7` release available
|   from the following link [ArduinoCore-avr v1.8.7](https://github.com/arduino/ArduinoCore-avr)
| - The Fixing Commit is available at the following link
|   [1a6a417f89c8901dad646efce74ae9d3ddebfd59](https://github.com/arduino/ArduinoCore-avr/pull/613/commits/1a6a417f89c8901dad646efce74ae9d3ddebfd59)
|
| ### References
| - [ASEC-26-001 ArduinoCore-avr vXXXX Resolves Buffer Overflow Vulnerability](https://support.arduino.cc/hc/en-us/articles/XXXXX)
|
| ### Credits
| - Maxime Rossi Bellom and Ramtine Tofighi Shirazi from SecMate (https://secmate.dev/)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-69209
    https://www.cve.org/CVERecord?id=CVE-2025-69209
[1] https://github.com/arduino/ArduinoCore-avr/pull/613
[2] https://github.com/arduino/ArduinoCore-avr/security/advisories/GHSA-pvx3-fm7w-6hjm
[3] https://github.com/arduino/ArduinoCore-avr/commit/82a8ad2fb33911d8927c7af22e0472b94325d1a7
[4] https://support.arduino.cc/hc/en-us/articles/24985906702748-ASEC-26-001-ArduinoCore-AVR-v1-8-7-Resolves-Stack-Based-Buffer-Overflow-Vulnerability

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
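The bug class described in the CVE text above, shown as an added example that is not part of the bug report and not code from ArduinoCore-avr. The program mirrors the pattern the advisory describes (caller-controlled decimalPlaces formatted into a fixed-size stack buffer with no bound) next to a clamped, length-checked replacement. It is written for a host compiler: avr-libc's dtostrf() is stood in for by the "%*.*f" conversion it performs, and the 33-byte buffer size, the clamp of 7 decimal places, and the SAFE_BUF_SIZE formula are this example's assumptions, not values taken from the project.

```c
/* Added example, not ArduinoCore-avr code.  Shows why an unbounded
 * dtostrf()-style write into a fixed stack buffer overflows for large
 * decimalPlaces, and one bounded replacement.  FIXED_BUF_SIZE,
 * MAX_DECIMAL_PLACES and SAFE_BUF_SIZE are assumptions of this example. */
#include <float.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIXED_BUF_SIZE 33      /* assumed size of the fixed stack buffer */
#define MAX_DECIMAL_PLACES 7   /* assumed clamp: a float carries ~7 digits */

/* Worst case for the hardened path: the largest float has
 * FLT_MAX_10_EXP + 1 integer digits, plus the clamped fraction,
 * a sign, a '.', and the NUL. */
#define SAFE_BUF_SIZE (FLT_MAX_10_EXP + 1 + MAX_DECIMAL_PLACES + 3)

/* Bytes (excluding NUL) that dtostrf(val, prec + 2, prec, buf) would
 * write: the same "%*.*f" conversion, measured instead of performed. */
size_t dtostrf_required_len(double val, unsigned char prec)
{
    int n = snprintf(NULL, 0, "%*.*f", (int)prec + 2, (int)prec, val);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if the vulnerable pattern below would write past its fixed buffer. */
int would_overflow(double val, unsigned char decimalPlaces)
{
    return dtostrf_required_len(val, decimalPlaces) + 1 > FIXED_BUF_SIZE;
}

/* Vulnerable pattern: attacker-controlled precision, fixed stack buffer,
 * no bound.  sprintf() stands in for dtostrf().  Do NOT call this with a
 * value for which would_overflow() is 1: the write runs off the stack
 * buffer, which on the AVR target is the memory corruption in the CVE. */
size_t vulnerable_float_to_str(float value, unsigned char decimalPlaces,
                               char *out, size_t outlen)
{
    char buf[FIXED_BUF_SIZE];
    sprintf(buf, "%*.*f", (int)decimalPlaces + 2, (int)decimalPlaces,
            (double)value);
    snprintf(out, outlen, "%s", buf);
    return strlen(buf);
}

/* Hardened pattern: clamp the precision so the worst case is bounded,
 * size the buffer for that worst case (SAFE_BUF_SIZE), and use a
 * length-checked formatter.  Returns characters written, or 0 when the
 * result would not fit in outlen (a truncated number is refused). */
size_t safe_float_to_str(float value, unsigned char decimalPlaces,
                         char *out, size_t outlen)
{
    if (decimalPlaces > MAX_DECIMAL_PLACES)
        decimalPlaces = MAX_DECIMAL_PLACES;
    int n = snprintf(out, outlen, "%*.*f", (int)decimalPlaces + 2,
                     (int)decimalPlaces, (double)value);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen)
            out[0] = '\0';
        return 0;
    }
    return (size_t)n;
}

int main(void)
{
    char out[SAFE_BUF_SIZE];

    printf("3.14 with 255 decimal places needs %zu bytes; buffer is %d\n",
           dtostrf_required_len(3.14, 255) + 1, FIXED_BUF_SIZE);
    vulnerable_float_to_str(3.14f, 2, out, sizeof out);   /* fits: "3.14" */
    printf("vulnerable path, small precision: %s\n", out);
    safe_float_to_str(3.14f, 255, out, sizeof out);       /* clamped to 7 */
    printf("hardened path, precision 255: %s\n", out);
    return 0;
}
```

The check worth keeping from this is the arithmetic: with a sign, the fixed 33-byte buffer is already exceeded at 30 decimal places, and an unsigned char decimalPlaces of 255 asks for 257 characters, so clamping the precision alone is not enough unless the buffer is also sized for the largest value the type can hold.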

