# aports issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues (feed updated 2021-07-18T07:23:51Z)

## [3.7] openssh: Multiple vulnerabilities (CVE-2018-20685, CVE-2019-6109, CVE-2019-6111)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9999 (reported by Alicha CH, updated 2021-07-18T07:23:51Z)

**CVE-2018-20685**: In OpenSSH 7.9, scp.c in the scp client allows
remote SSH servers to bypass intended access restrictions via the
filename of . or an empty filename. The impact is modifying the
permissions of the target directory on the client side.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-20685
https://marc.info/?l=oss-security&m=154745764812881&w=2
### Patch:
https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2
**CVE-2019-6109**: An issue was discovered in OpenSSH 7.9. Due to
missing character encoding in the progress display, a malicious server
(or Man-in-The-Middle attacker) can employ crafted object names to
manipulate the client output, e.g., by using ANSI control codes to hide
additional files being transferred. This affects
refresh_progress_meter() in progressmeter.c.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-6109
https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
### Patch:
https://github.com/openssh/openssh-portable/commit/8976f1c4b2721c26e878151f52bdf346dfe2d54c
possibly additionally needed:
https://github.com/openssh/openssh-portable/commit/bdc6c63c80b55bcbaa66b5fde31c1cb1d09a41eb
**CVE-2019-6111**: An issue was discovered in OpenSSH 7.9. Due to the
scp implementation being derived from 1983 rcp, the server chooses which
files/directories are sent to the client. However, the scp client only
performs cursory validation of the object name returned (only directory
traversal attacks are prevented). A malicious scp server (or
Man-in-The-Middle attacker) can overwrite arbitrary files in the scp
client target directory. If recursive operation (-r) is performed, the
server can manipulate subdirectories as well (for example, to overwrite
the .ssh/authorized_keys file).
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-6111
### Patch:
https://github.com/openssh/openssh-portable/commit/391ffc4b9d31fa1f4ad566499fef9176ff8a07dc
*(from redmine: issue id 9999, created on 2019-02-20, closed on 2019-03-05)*
* Relations:
* parent #9995
* Changesets:
* Revision cfa04666c50b8dfbe34b6ac8e6b177add54ce649 on 2019-03-04T15:08:29Z:
```
main/openssh: security fixes
CVE-2018-20685, CVE-2019-6109, CVE-2019-6111
Rebased HPN patch, included upstream patch due regression bug due to CVE-2019-6109 fix
Fixes #9999
```
Milestone: 3.7.2 (assignee: Natanael Copa)

## [3.7] py-django: Content spoofing via URL path in default 404 page (CVE-2019-3498)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9835 (reported by Alicha CH, updated 2020-01-18T00:12:52Z)

Django before versions 1.11.18, 2.0.10 and 2.1.5 is vulnerable to
content spoofing via crafted URL in the default 404 page.
An attacker could craft a malicious URL that could make spoofed content
appear on the default page generated by the
django.views.defaults.page_not_found() view.
### Fixed In Version:
python-django 1.11.18, python-django 2.0.10, python-django 2.1.5
### References:
https://www.djangoproject.com/weblog/2019/jan/04/security-releases/
### Patch:
https://github.com/django/django/commit/1cd00fcf52d089ef0fe03beabd05d59df8ea052a
*(from redmine: issue id 9835, created on 2019-01-09, closed on 2019-02-19)*
* Relations:
* parent #9832
* Changesets:
* Revision efea0b2841657c90aec0a76835d84fbc2ed2cfb9 on 2019-02-04T11:27:46Z:
```
main/py-django: security upgrade to 1.11.18 (CVE-2019-3498)
Fixes #9835
```
Milestone: 3.7.2 (assignee: Natanael Copa)

## [3.7] libao: Invalid memory allocation in _tokenize_matrix function in audio_out.c (CVE-2017-11548)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9210 (reported by Alicha CH, updated 2019-07-23T11:24:09Z)

The _tokenize_matrix function in audio_out.c in Xiph.Org libao 1.2.0
allows remote attackers to cause a denial of service (memory
corruption) via a crafted MP3 file.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2017-11548
http://seclists.org/fulldisclosure/2017/Jul/84
*(from redmine: issue id 9210, created on 2018-08-08, closed on 2018-12-06)*
* Relations:
* copied_to #9207
* parent #9207
* Changesets:
* Revision e31e4436408d168bc3b7ca4c27163e80101a874f by Natanael Copa on 2018-12-04T12:20:14Z:
```
main/libao: security fix for CVE-2017-11548
fixes #9210
```
Milestone: 3.7.2 (assignee: Natanael Copa)

## [3.7] spice: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service (CVE-2018-10873)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9308 (reported by Alicha CH, updated 2019-07-23T11:22:53Z)

A vulnerability was discovered in SPICE before version 0.14.1 where the
generated code used for demarshalling messages lacked sufficient bounds
checks. A malicious client or server, after authentication, could send
specially crafted messages to its peer which would result in a crash
or, potentially, other impacts.
### References:
http://openwall.com/lists/oss-security/2018/08/17/1
https://nvd.nist.gov/vuln/detail/CVE-2018-10873
### Patch:
https://gitlab.freedesktop.org/spice/spice-common/commit/bb15d4815ab586b4c4a20f4a565970a44824c42c
*(from redmine: issue id 9308, created on 2018-08-21, closed on 2018-11-08)*
* Relations:
* copied_to #9305
* parent #9305
* Changesets:
* Revision 9a0074177b1efee56bc3f82db0651fa656877d9e on 2018-11-07T13:58:06Z:
```
main/spice: security upgrade to 0.14.1 (CVE-2018-10873)
Fixes #9308
```
Milestone: 3.7.2 (assignee: Natanael Copa)

## [3.7] openssh: User enumeration via malformed packets in authentication requests (CVE-2018-15473)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9319 (reported by Alicha CH, updated 2019-07-23T11:22:46Z)

OpenSSH through 7.7 is prone to a user enumeration vulnerability due to
not delaying bailout for an invalid authenticating user until after the
packet containing the request has been fully parsed, related to
auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
### References:
http://www.openwall.com/lists/oss-security/2018/08/15/5
https://nvd.nist.gov/vuln/detail/CVE-2018-15473
### Patch:
https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0
*(from redmine: issue id 9319, created on 2018-08-22, closed on 2018-09-20)*
* Relations:
* parent #9316
* Changesets:
* Revision db649bc3a2755f56372cc2abae87e42e5285e44f by Natanael Copa on 2018-09-20T10:23:51Z:
```
main/openssh: backport security fix (CVE-2018-15473)
fixes #9319
```
Milestone: 3.7.2 (assignee: Natanael Copa)

## [3.7] dropbear: User enumeration vulnerability (CVE-2018-15599)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9349 (reported by Alicha CH, updated 2019-07-23T11:22:26Z)

The recv_msg_userauth_request function in svr-auth.c in Dropbear
through 2018.76 is prone to a user enumeration vulnerability because
username validity affects how fields in SSH_MSG_USERAUTH messages are
handled, a similar issue to CVE-2018-15473 in an unrelated codebase.
### References:
http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002108.html
https://nvd.nist.gov/vuln/detail/CVE-2018-15599
### Patch:
https://secure.ucc.asn.au/hg/dropbear/rev/5d2d1021ca00
*(from redmine: issue id 9349, created on 2018-08-28, closed on 2018-11-08)*
* Relations:
* parent #9346
* Changesets:
* Revision 170fca277e13753265ff981c27e1c59d2488a99d by Natanael Copa on 2018-09-20T08:34:53Z:
```
main/dropbear: backport security fix (CVE-2018-15599)
fixes #9349
```
Milestone: 3.7.2 (assignee: Natanael Copa)

## [3.7] dnsmasq: Improper validation of wildcard synthesized NSEC records (CVE-2017-15107)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9378 (reported by Alicha CH, updated 2019-07-23T11:22:00Z)

A vulnerability was found in the implementation of DNSSEC in Dnsmasq up
to and including 2.78. Wildcard synthesized NSEC records could be
improperly interpreted to prove the non-existence of hostnames that
actually exist.
### References:
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2018q1/011896.html
https://nvd.nist.gov/vuln/detail/CVE-2017-15107
### Patch:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=4fe6744a220eddd3f1749b40cac3dfc510787de6
*(from redmine: issue id 9378, created on 2018-09-04, closed on 2018-09-20)*
* Relations:
* parent #9377
* Changesets:
* Revision cc3d92312d674250637dad701c603e3fdfedfb4e by Natanael Copa on 2018-09-20T07:52:58Z:
```
main/dnsmasq: backport security fix (CVE-2017-15107)
fixes #9378
```
Milestone: 3.7.2 (assignee: Natanael Copa)

## [3.7] curl: NTLM password overflow via integer overflow (CVE-2018-14618)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9395 (reported by Alicha CH, updated 2019-07-23T11:21:45Z)

The internal function Curl_ntlm_core_mk_nt_hash multiplies the length
of the password by two (SUM) to figure out how large temporary storage
area to allocate from the heap. The length value is then subsequently
used to iterate over the password and generate output into the
allocated storage buffer. On systems with a 32 bit size_t, the math to
calculate SUM triggers an integer overflow when the password length
exceeds 2GB (2^31 bytes). This integer overflow usually causes a very
small buffer to actually get allocated instead of the intended very
huge one, making the use of that buffer end up in a heap buffer
overflow.
### Affected versions:
libcurl 7.15.4 to and including 7.61.0
### Not affected versions:
libcurl < 7.15.4 and >= 7.61.1
### References:
https://curl.haxx.se/docs/CVE-2018-14618.html
### Patch:
https://github.com/curl/curl/commit/57d299a499155d4b327e341c6024e293b0418243.patch
*(from redmine: issue id 9395, created on 2018-09-06, closed on 2018-09-20)*
* Relations:
* parent #9392
* Changesets:
* Revision df67baba4917987405ef39567974697f7ff6c0ed by Natanael Copa on 2018-09-19T11:28:57Z:
```
main/curl: security upgrade to 7.61.1 (CVE-2018-14618)
fixes #9395
```
Milestone: 3.7.2 (assignee: Natanael Copa)

## [3.7] libjpeg-turbo: Multiple vulnerabilities (CVE-2017-15232, CVE-2018-1152, CVE-2018-11813)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9429 (reported by Alicha CH, updated 2019-07-23T11:21:26Z)

**CVE-2017-15232**: libjpeg-turbo 1.5.2 has a NULL Pointer Dereference
in jdpostct.c and jquant1.c via a crafted JPEG file.
### References:
https://github.com/libjpeg-turbo/libjpeg-turbo/pull/182
https://nvd.nist.gov/vuln/detail/CVE-2017-15232
**CVE-2018-1152**: libjpeg-turbo 1.5.90 is vulnerable to a denial of
service vulnerability caused by
a divide by zero when processing a crafted BMP image.
### Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-1152
### Patch:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/43e84cff1bb2bd8293066f6ac4eb0df61ddddbc6
**CVE-2018-11813**: “cjpeg” utility large loop because read_pixel in
rdtarga.c mishandles EOF.
### Reference:
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/242
### Patch:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/19074854d9d8bc32dff3ed252eed17ed6cc2ecfc
*(from redmine: issue id 9429, created on 2018-09-20, closed on 2018-09-27)*
* Relations:
* parent #9426
* Changesets:
* Revision 01568379c03fee752d2d2db8bf4f352c547192a8 by Natanael Copa on 2018-09-25T12:48:08Z:
```
main/libjpeg-turbo: backport security fix (CVE-2018-11813)
fixes #9429
```
Milestone: 3.7.2 (assignee: Natanael Copa)

## [3.7] pango: application crash triggered by unicode chars in pango-emoji.c (CVE-2018-15120)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9450 (reported by Alicha CH, updated 2019-07-23T11:21:09Z)

A flaw was found in Pango since versions 1.40.8 up to newer. Typing
certain invalid Emoji sequences into a GTK+ application can trigger a
Reachable Assertion resulting in an application crash.
### Fixed In Version:
pango 1.42.4
### References:
https://mail.gnome.org/archives/distributor-list/2018-August/msg00001.html
https://nvd.nist.gov/vuln/detail/CVE-2018-15120
### Patch:
https://gitlab.gnome.org/GNOME/pango/commit/71aaeaf020340412b8d012fe23a556c0420eda5f
*(from redmine: issue id 9450, created on 2018-09-21, closed on 2018-11-08)*
* Relations:
* parent #9448
* Changesets:
* Revision 648d75ad65dee2318f7993e58e83cd26b64e291f on 2018-11-06T15:49:41Z:
```
main/pango: security fix (CVE-2018-15120)
Fixes #9450
```
Milestone: 3.7.2 (assignee: Natanael Copa)

## [3.7] bind: Update policies krb5-subdomain and ms-subdomain (CVE-2018-5741)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9464 (reported by Alicha CH, updated 2019-07-23T11:20:56Z)

In order to provide fine-grained controls over the ability to use
Dynamic DNS (DDNS) to update records in a zone, BIND provides a feature
called update-policy. Various rules can be configured to limit the types
of updates that can be performed by a client, depending on the key used
when sending the update request. Unfortunately some rule types were not
initially documented, and when documentation for them was added to the
Administrator Reference Manual (ARM) in change, the language that was
added to the ARM at that time incorrectly described the behavior of two
rule types, krb5-subdomain and ms-subdomain. This incorrect
documentation could mislead operators into believing that policies they
had configured were more restrictive than they actually were.
### Versions affected:
The behavior described is present in all versions of BIND 9 which
contain the krb5-subdomain and ms-subdomain update
policies prior to our upcoming maintenance releases, BIND 9.11.5 and
9.12.3. However, the misleading documentation
is not present in all versions.
### References:
https://kb.isc.org/docs/cve-2018-5741
https://www.openwall.com/lists/oss-security/2018/09/19/11
*(from redmine: issue id 9464, created on 2018-09-25, closed on 2018-12-04)*
* Relations:
* parent #9461
* Changesets:
* Revision 6f40ae0c65be42bfa15f7d4c08b7ebd55a3ea4b2 by Natanael Copa on 2018-11-29T15:57:02Z:
```
main/bind: security upgrade to 9.12.3 (CVE-2018-5741)
fixes #9464
```
Milestone: 3.7.2 (assignee: Natanael Copa)

## [3.7] strongswan: Multiple vulnerabilities (CVE-2018-16151, CVE-2018-16152)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9485 (reported by Alicha CH, updated 2019-07-23T11:20:38Z)

**CVE-2018-16151**: In verify_emsa_pkcs1_signature() in
gmp_rsa_public_key.c in the gmp plugin in strongSwan 4.x and 5.x before
5.7.0, the RSA implementation based on GMP does not reject excess data
after the encoded algorithm OID during PKCS#1 v1.5 signature
verification. Similar to the flaw in the same version of strongSwan
regarding digestAlgorithm.parameters, a remote attacker can forge
signatures when small public exponents are being used, which could lead
to impersonation when only an RSA signature is used for IKEv2
authentication.
### References:
https://www.strongswan.org/blog/2018/09/24/strongswan-vulnerability-(cve-2018-16151,-cve-2018-16152).html
https://nvd.nist.gov/vuln/detail/CVE-2018-16151
### Patches:
https://download.strongswan.org/patches/27_gmp_pkcs1_verify_patch/strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch
https://download.strongswan.org/patches/27_gmp_pkcs1_verify_patch/strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch
**CVE-2018-16152**: In verify_emsa_pkcs1_signature() in
gmp_rsa_public_key.c in the gmp plugin in strongSwan 4.x and 5.x before
5.7.0, the RSA implementation based on GMP does not reject excess data
in the digestAlgorithm.parameters field during PKCS#1 v1.5 signature
verification. Consequently, a remote attacker can forge signatures when
small public exponents are being used, which could lead to
impersonation when only an RSA signature is used for IKEv2
authentication.
### References:
https://www.strongswan.org/blog/2018/09/24/strongswan-vulnerability-(cve-2018-16151,-cve-2018-16152).html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-16152
### Patches:
https://download.strongswan.org/patches/27_gmp_pkcs1_verify_patch/strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch
https://download.strongswan.org/patches/27_gmp_pkcs1_verify_patch/strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch
*(from redmine: issue id 9485, created on 2018-09-27, closed on 2018-10-04)*
* Relations:
* parent #9482
* Changesets:
* Revision 2f0878ed064f5b397f15426c9141880a36754a99 by Natanael Copa on 2018-10-02T12:22:52Z:
```
main/strongswan: backport security fix (CVE-2018-16151, CVE-2018-16152)
fixes #9485
```
Milestone: 3.7.2 (assignee: Natanael Copa)

## [3.7] strongswan: heap buffer overflow using crafted certificates (CVE-2018-17540)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9517 (reported by Alicha CH, updated 2019-07-23T11:20:16Z)

The gmp plugin in strongSwan before 5.7.1 has a Buffer Overflow via a
crafted certificate; the vulnerability was introduced with the patch
that fixes CVE-2018-16151/2.
### References:
https://www.strongswan.org/blog/2018/10/01/strongswan-vulnerability-(cve-2018-17540).html
https://nvd.nist.gov/vuln/detail/CVE-2018-17540
*(from redmine: issue id 9517, created on 2018-10-08, closed on 2018-10-09)*
* Relations:
* parent #9515
* Changesets:
* Revision e043f4360d1a4acefce7229bd7836a3db968e86c on 2018-10-08T13:26:31Z:
```
main/strongswan: security fix (CVE-2018-17540)
Fixes #9517
```
Milestone: 3.7.2 (assignee: Natanael Copa)

## [3.7] libexif: Out-of-bounds heap read in exif_data_save_data_entry function (CVE-2017-7544)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9523 (reported by Alicha CH, updated 2019-07-23T11:20:10Z)

One heap-based out-of-bounds read vulnerability exists in
libexif-0.6.21. When saving the data of an entry tagged with
“EXIF_TAG_MAKER_NOTE” to a buffer and copying the data of the exif
entry, there is a mismatch between the computed read size of the entry
data and the size of the allocated entry data.
The vulnerability can cause Denial-of-Service, even Information
Disclosure (disclosing some critical heap chunk metadata, even other
applications’ private data).
### References:
https://sourceforge.net/p/libexif/bugs/130/
https://nvd.nist.gov/vuln/detail/CVE-2017-7544
*(from redmine: issue id 9523, created on 2018-10-08, closed on 2018-10-09)*
* Relations:
* parent #9520
* Changesets:
* Revision cbc4ecf8e7c6c9368d52cb2080d2fed92b853ea3 on 2018-10-08T13:49:38Z:
```
main/libexif: security fix (CVE-2017-7544)
Fixes #9523
```
Milestone: 3.7.2 (assignee: Natanael Copa)

## [3.7] libx11: Multiple vulnerabilities (CVE-2018-14598, CVE-2018-14599, CVE-2018-14600)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9535 (reported by Alicha CH, updated 2019-07-23T11:20:02Z)

CVE-2018-14598: Crash on invalid reply in XListExtensions in ListExt.c
----------------------------------------------------------------------
An issue was discovered in ListExt.c:XListExtensions and
GetFPath.c:XGetFontPath in libX11 through version 1.6.5. A malicious
server can send a reply in which the first string overflows, causing a
variable to be set to NULL that will be freed later on, leading to DoS
(segmentation fault).
### Fixed In Version:
libX11 1.6.6
### References:
http://www.openwall.com/lists/oss-security/2018/08/21/6
https://lists.x.org/archives/xorg-announce/2018-August/002916.html
### Patch:
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=e83722768fd5c467ef61fa159e8c6278770b45c2
CVE-2018-14599: off-by-one error in XListExtensions in ListExt.c
----------------------------------------------------------------
An issue was discovered in libX11 through 1.6.5. Functions
GetFPath.c:XGetFontPath, ListExt.c:XListExtensions and
FontNames.c:XListFonts are
vulnerable to an off-by-one error when parsing list of strings returned
by malicious server responses, leading to DoS.
### Fixed In Version:
libX11 1.6.6
### References:
http://www.openwall.com/lists/oss-security/2018/08/21/6
https://lists.x.org/archives/xorg-announce/2018-August/002916.html
### Patch:
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=b469da1430cdcee06e31c6251b83aede072a1ff0
CVE-2018-14600: Out of Bounds write in XListExtensions in ListExt.c
-------------------------------------------------------------------
An issue was discovered in libX11 through 1.6.5. Functions
ListExt.c:XListExtensions and GetFPath.c:XGetFontPath interpret a
variable as signed instead
of unsigned, resulting in an out-of-bounds write (of up to 128 bytes),
leading to DoS or remote code execution.
### Fixed In Version:
libX11 1.6.6
### References:
http://www.openwall.com/lists/oss-security/2018/08/21/6
https://lists.x.org/archives/xorg-announce/2018-August/002916.html
### Patch:
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=dbf72805fd9d7b1846fe9a11b46f3994bfc27fea
*(from redmine: issue id 9535, created on 2018-10-08, closed on 2018-10-09)*
* Relations:
* parent #9532
* Changesets:
* Revision 6b5e91624ae5ccf42f83f5799de854c9aa486ca7 by Natanael Copa on 2018-10-08T11:56:44Z:
```
main/libx11: security upgrade to 1.6.6
CVE-2018-14598
CVE-2018-14599
CVE-2018-14600
fixes #9535
```
Milestone: 3.7.2 (assignee: Natanael Copa)

## [3.7] Git RCE vulnerability regarding submodules (CVE-2018-17456)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9542 (reported by Alicha CH, updated 2019-07-23T11:19:57Z)

Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x
before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows
remote code execution during processing of a recursive “git clone” of a
superproject if a .gitmodules file has a URL field beginning with a ‘-’
character.
### References:
https://www.openwall.com/lists/oss-security/2018/10/06/3
https://nvd.nist.gov/vuln/detail/CVE-2018-17456
### Patches:
https://github.com/git/git/commit/98afac7a7cefdca0d2c4917dd8066a59f7088265
https://github.com/git/git/commit/f6adec4e329ef0e25e14c63b735a5956dc67b8bc
https://github.com/git/git/commit/273c61496f88c6495b886acb1041fe57965151da
For the fsck check:
https://github.com/git/git/commit/a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46
https://github.com/git/git/commit/1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404
*(from redmine: issue id 9542, created on 2018-10-09, closed on 2018-10-25)*
* Relations:
* parent #9511
* Changesets:
* Revision 259b4c73d6c9dc718544df5c637f6df7fc19e37b by Natanael Copa on 2018-10-24T17:13:17Z:
```
main/git: security upgrade to 2.15.3 (CVE-2018-17456)
fixes #9542
```
Milestone: 3.7.2 (assignee: Natanael Copa)

## [3.7] libssh: Authentication Bypass due to improper message callbacks implementation (CVE-2018-10933)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9570 (reported by Alicha CH, updated 2019-07-23T11:19:36Z)

libssh versions 0.6 and above have an authentication bypass
vulnerability in the server code. By presenting the server an
SSH2_MSG_USERAUTH_SUCCESS message in place of the
SSH2_MSG_USERAUTH_REQUEST message which the server would expect to
initiate authentication, the attacker could successfully authenticate
without any credentials.
### Fixed In Version:
libssh 0.7.6, libssh 0.8.4
### References:
https://www.libssh.org/security/advisories/CVE-2018-10933.txt
https://www.openwall.com/lists/oss-security/2018/10/17/5
*(from redmine: issue id 9570, created on 2018-10-23, closed on 2018-10-25)*
* Relations:
* parent #9569
* Changesets:
* Revision 5c43888ac21b20f04716252828c30995461222a3 on 2018-10-24T16:58:41Z:
```
main/libssh: security upgrade 0.7.6 (CVE-2018-10933)
fixes #9570
```
Milestone: 3.7.2 (assignee: Natanael Copa)

## [3.7] xorg-server: Incorrect permission check in Xorg X server allows for privilege escalation (CVE-2018-14665)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9599 (reported by Alicha CH, updated 2019-07-23T11:19:13Z)

A flaw was found in xorg-x11-server before 1.20.3. An incorrect
permission check for -modulepath and -logfile options when starting
Xorg. X server allows unprivileged users with the ability to log in to
the system via physical console to escalate their privileges and run
arbitrary code under root privileges.
### Fixed In Version:
xorg-server 1.20.3
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-14665
https://marc.info/?l=oss-security&m=154047832307726&w=2
### Patch:
Introduced by:
https://gitlab.freedesktop.org/xorg/xserver/commit/032b1d79b7d04d47814a5b3a9fdd162249fea74c
(1.19.0)
Fixed by:
https://gitlab.freedesktop.org/xorg/xserver/commit/50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e
*(from redmine: issue id 9599, created on 2018-10-29, closed on 2018-10-30)*
* Relations:
* parent #9596
* Changesets:
* Revision 200ed130cd6de4484176410175e321c8dfc55f09 by Natanael Copa on 2018-10-29T18:34:51Z:
```
main/xorg-server: security fix (CVE-2018-14665)
fixes #9599
```
Milestone: 3.7.2 (assignee: Natanael Copa)

## [3.7] curl: Multiple vulnerabilities (CVE-2018-16839, CVE-2018-16840, CVE-2018-16842)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9613 (reported by Alicha CH, updated 2019-07-23T11:18:59Z)

CVE-2018-16839: SASL password overflow via integer overflow
-----------------------------------------------------------
The internal function Curl_auth_create_plain_message fails to correctly
verify that the passed in lengths for name and password aren’t too
long, then calculates a buffer size to allocate.
On systems with a 32 bit size_t, the math to calculate the buffer size
triggers an integer overflow when the user name length exceeds 2GB (2^31
bytes).
This integer overflow usually causes a very small buffer to actually get
allocated instead of the intended very huge one, making the use of that
buffer end up in a heap buffer overflow.
### Affected versions:
libcurl 7.33.0 to and including 7.61.1
### Not affected versions:
libcurl < 7.33.0 and >= 7.62.0
### Reference:
https://curl.haxx.se/docs/CVE-2018-16839.html
### Patch:
https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5
CVE-2018-16840: use-after-free in handle close
----------------------------------------------
When closing and cleaning up an “easy” handle in the Curl_close()
function, the library code first frees a struct (without nulling the
pointer) and might
then subsequently erroneously write to a struct field within that
already freed struct.
### Affected versions:
libcurl 7.59.0 to and including 7.61.1
### Not affected versions:
libcurl < 7.59.0 and >= 7.62.0
### Reference:
https://curl.haxx.se/docs/CVE-2018-16840.html
### Patch:
https://github.com/curl/curl/commit/81d135d67155c5295b1033679c606165d4e28f3f
CVE-2018-16842: warning message out-of-buffer read
--------------------------------------------------
The command line tool has a generic function for displaying warning and
informational messages to stderr for various
situations. For example if an unknown command line argument is used, or
passed to it in a “config” file.
This display function formats the output to wrap at 80 columns. The wrap
logic is however flawed, so if a single word in the message is itself
longer than 80 bytes
the buffer arithmetic calculates the remainder wrong and will end up
reading behind the end of the buffer. This could lead to information
disclosure or crash.
### Reference:
https://curl.haxx.se/docs/CVE-2018-16842.html
### Patch:
https://github.com/curl/curl/commit/d530e92f59ae9bb2d47066c3c460b25d2ffeb211
*(from redmine: issue id 9613, created on 2018-11-01, closed on 2018-11-08)*
* Relations:
* parent #9610
* Changesets:
* Revision 45a890319c9dae0764956a1cde0508ea76d5a6d4 on 2018-11-06T14:35:40Z:
```
main/curl: security fixes
(CVE-2018-16839, CVE-2018-16840, CVE-2018-16842)
Fixes #9613
```
Milestone: 3.7.2 (assignee: Natanael Copa)

## [3.7] libmspack: Multiple vulnerabilities (CVE-2018-18584, CVE-2018-18585, CVE-2018-18586)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9665 (reported by Alicha CH, updated 2019-07-23T11:18:39Z)

CVE-2018-18584: A CAB file with a Quantum-compressed block of exactly 38912 bytes will write one byte beyond the end of the input buffer
----------------------------------------------------------------------------------------------------------------------------------------
In mspack/cab.h in libmspack before 0.8alpha and cabextract before 1.8,
the CAB block input buffer is one byte too small for the maximal Quantum
block, leading to an out-of-bounds write.
### References:
https://www.cabextract.org.uk/libmspack/
https://nvd.nist.gov/vuln/detail/CVE-2018-18584
### Patch:
https://github.com/kyz/libmspack/commit/40ef1b4093d77ad3a5cfcee1f5cb6108b3a3bcc2
CVE-2018-18585: CHM files with blank filenames (by having embedded nulls) are allowed, which trips up clients that expect non-blank filenames
---------------------------------------------------------------------------------------------------------------------------------------------
chmd_read_headers in mspack/chmd.c in libmspack before 0.8alpha
accepts a filename that has ‘\0’ as its first or second character
(such as the “/\0” name).
### References:
https://www.cabextract.org.uk/libmspack/
https://nvd.nist.gov/vuln/detail/CVE-2018-18585
### Patch:
https://github.com/kyz/libmspack/commit/8759da8db6ec9e866cb8eb143313f397f925bb4f
CVE-2018-18586: chmextract makes no attempt to protect you from relative/absolute paths in CHM filenames
--------------------------------------------------------------------------------------------------------
DISPUTED chmextract.c in the chmextract sample program, as distributed
with libmspack before 0.8alpha, does not protect against
absolute/relative pathnames in CHM files, leading to Directory
Traversal. NOTE: the vendor disputes that this is a libmspack
vulnerability, because chmextract.c was only intended as a source-code
example, not a supported application.
### References:
https://www.cabextract.org.uk/libmspack/
https://nvd.nist.gov/vuln/detail/CVE-2018-18586
### Patch:
https://github.com/kyz/libmspack/commit/7cadd489698be117c47efcadd742651594429e6d
*(from redmine: issue id 9665, created on 2018-11-21, closed on 2018-11-28)*
* Relations:
* parent #9662
* Changesets:
* Revision c9b4a96edd80dfc0ae4bd6d76202612f6bbd42d7 by Natanael Copa on 2018-11-27T12:32:31Z:
```
main/libmspack: security upgrade to 0.8_alpha
CVE-2018-18584, CVE-2018-18585, CVE-2018-18586
fixes #9665
```
Milestone: 3.7.2 (assignee: Natanael Copa)