Index: trunk/doc/news.html =================================================================== --- trunk/doc/news.html (revision 11598) +++ trunk/doc/news.html (revision 11599) @@ -31,6 +31,22 @@
+Users opening untrusted boards or projects may unintentionally execute +external programs. + +
+pcb-rnd inherited 5 settings from gEDA/PCB that let pcb-rnd (and PCB) +execute external processes, wrapping certain file operations: +
+The old Settings system has been replaced in pcb-rnd; the new conf system +allows any configuration setting to be specified in a project file or a +board file. This includes the above 5 items as well. +
+An attacker may produce a project or a single board file in .pcb or .lht format +that contains the above config settings, executing arbitrary code on the +user's computer when pcb-rnd opens or saves the file or loads fonts or +footprints or netlists. + +
+
+Before opening the file, grep for _command and _shell in it, remove +the offending lines. + + +
+The patch prevents these 5 settings to take effect when the source of +the setting is not from one of these: +
+This bans sources like the board file, the project file and environmental +variable. + + + + +