Index: bug1.html =================================================================== --- bug1.html (nonexistent) +++ bug1.html (revision 11599) @@ -0,0 +1,69 @@ + + +
++Users opening untrusted boards or projects may unintentionally execute +external programs. + +
+pcb-rnd inherited 5 settings from gEDA/PCB that let pcb-rnd (and PCB) +execute external processes, wrapping certain file operations: +
+The old Settings system has been replaced in pcb-rnd; the new conf system +allows any configuration setting to be specified in a project file or a +board file. This includes the above 5 items as well. +
+An attacker may produce a project or a single board file in .pcb or .lht format +that contains the above config settings, executing arbitrary code on the +user's computer when pcb-rnd opens or saves the file or loads fonts or +footprints or netlists. + +
+
+Before opening the file, grep for _command and _shell in it, remove +the offending lines. + + +
+The patch prevents these 5 settings to take effect when the source of +the setting is not from one of these: +
+This bans sources like the board file, the project file and environmental +variable. + + + + +