Users opening untrusted boards or projects may unintentionally execute external programs.
pcb-rnd inherited 5 settings from gEDA/PCB that let pcb-rnd (and PCB) execute external processes, wrapping certain file operations:
The old Settings system has been replaced in pcb-rnd; the new conf system allows any configuration setting to be specified in a project file or a board file. This includes the above 5 items as well.
Thus an attacker may produce a project or a single board file in .pcb or .lht format that contains the above config settings, executing arbitrary shell command on the user's computer when pcb-rnd opens or saves the file or loads fonts or footprints or netlists.
Before opening the file, grep for _command and _shell in it, remove the offending lines.
The patch prevents these 5 settings to take effect when the source of the setting is not from one of these:
This bans sources like the board file, the project file and environmental variable.