aports issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues
2022-08-14T22:33:43Z

[3.7] dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass (CVE-2019-12749)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10571
2022-08-14T22:33:43Z, Alicha CH

dbus is the reference implementation of D-Bus, an asynchronous
inter-process communication system commonly used for system services
or within a desktop session on Linux and other operating systems.
Joe Vennix of Apple Information Security discovered an implementation flaw
in the DBUS\_COOKIE\_SHA1 authentication mechanism. A malicious client with
write access to its own home directory could manipulate a ~/.dbus-keyrings
symlink to cause a DBusServer with a different uid to read and write
in unintended locations. In the worst case, this could result in the
DBusServer reusing a cookie that is known to the malicious client, and
treating that cookie as evidence that a subsequent client connection
came from an attacker-chosen uid, allowing authentication bypass.

This vulnerability does not normally affect the standard system
dbus-daemon, which only allows the EXTERNAL authentication mechanism.
In supported branches of dbus it also does not normally affect the standard
session dbus-daemon, for the same reason.

However, this vulnerability can affect third-party users of DBusServer
(such as Upstart in Ubuntu 14.04 LTS), third-party dbus-daemon instances,
standard dbus-daemon instances with non-standard configuration, and the
session bus in older/unsupported dbus branches (such as dbus 1.6.x in
Ubuntu 14.04 LTS).

Vulnerable versions: all < 1.10.28, 1.12.x < 1.12.16, 1.13.x < 1.13.12
Fixed versions: all >= 1.13.12, 1.12.x >= 1.12.16, 1.10.x >= 1.10.28
### References:
https://gitlab.freedesktop.org/dbus/dbus/issues/269
http://www.openwall.com/lists/oss-security/2019/06/11/2
### Patch:
https://gitlab.freedesktop.org/dbus/dbus/commit/47b1a4c41004bf494b87370987b222c934b19016
*(from redmine: issue id 10571, created on 2019-06-13, closed on 2019-06-20)*
* Relations:
* parent #10567
* Changesets:
* Revision f85fc6d35df663ffa71b00201dcbde8cb5727322 by Natanael Copa on 2019-06-17T09:58:25Z:
```
main/dbus: upgrade to 1.10.28 (CVE-2019-12749)
fixes #10571
```

3.7.4, Natanael Copa

cloud-init doesn't load cloud-config from attached virtual CDROM
https://gitlab.alpinelinux.org/alpine/aports/-/issues/8861
2021-08-03T08:31:29Z, algitbot

I have a virtual CDROM to load my cloud-init config to an Alpine 3.7.0
where I installed the cloud-init apk previously, but it doesn’t seem to
get detected or mounted correctly
*(from redmine: issue id 8861, created on 2018-05-04)*
* Uploads:
* [alpine.log](/uploads/586dbe3ff417c90a03cd9a4c91b575e5/alpine.log) Full log describing the problem

3.7.4, Natanael Copa

/boot has somehow become a symlink to /
https://gitlab.alpinelinux.org/alpine/aports/-/issues/8407
2021-01-30T00:16:14Z, Jose Jurado

x86\_64 architecture; 3.6.3 was earlier upgraded to 3.7.0; original .iso
was a hardened x86\_64 c. 3.6.2. First noticed this problem because I
couldn’t find /boot/syslinux/syslinux.cfg
root@localhost:~# cd /boot
root@localhost:/boot# ls
System.map-hardened extlinux.conf.old libcom32.c32 menu.c32
boot initramfs-hardened libutil.c32 vesamenu.c32
config-hardened ldlinux.c32 lost+found vmlinuz-hardened
extlinux.conf ldlinux.sys mboot.c32
root@localhost:/boot# cd boot
root@localhost:/# cd /boot/boot/
root@localhost:/# ls
bin dev home lost+found mnt root run srv sys usr
boot etc lib media proc rules.d sbin swap tmp var
root@localhost:/# cd /boot/boot/boot
root@localhost:/boot# ls
System.map-hardened extlinux.conf.old libcom32.c32 menu.c32
boot initramfs-hardened libutil.c32 vesamenu.c32
config-hardened ldlinux.c32 lost+found vmlinuz-hardened
extlinux.conf ldlinux.sys mboot.c32
On closer examination, /boot has become a symlink to / as shown:
root@localhost:~# cd ..
root@localhost:/# pwd
/
root@localhost:/# ls -l
total 113
drwxr-xr-x 2 root root 4096 Dec 21 13:52 bin
drwxr-xr-x 3 root root 1024 Dec 3 02:31 boot
drwxr-xr-x 17 root root 3640 Jan 20 11:30 dev
drwxr-xr-x 65 root root 4096 Jan 18 19:15 etc
drwxr-xr-x 3 root root 4096 Jan 17 15:26 home
drwxr-xr-x 9 root root 4096 Jan 19 13:05 lib
drwx------ 2 root root 16384 Nov 14 17:11 lost+found
drwxr-xr-x 7 root root 4096 Nov 16 23:15 media
drwxr-xr-x 3 root root 4096 Nov 22 10:57 mnt
dr-xr-xr-x 223 root readproc 0 Jan 20 11:30 proc
drwx------ 15 root root 4096 Dec 29 16:44 root
drwxr-xr-x 2 root root 4096 Jan 13 18:01 rules.d
drwxr-xr-x 15 root root 580 Jan 20 11:32 run
drwxr-xr-x 2 root root 12288 Jan 13 18:00 sbin
drwxr-xr-x 2 root root 4096 Nov 14 17:12 srv
drwxr-xr-x 2 root root 4096 Nov 14 17:17 swap
dr-xr-xr-x 13 root root 0 Jan 20 11:30 sys
drwxrwxrwt 5 root root 32768 Jan 20 11:37 tmp
drwxr-xr-x 11 root root 4096 Nov 15 09:55 usr
drwxr-xr-x 12 root root 4096 Dec 3 00:46 var
root@localhost:/# cd /boot
root@localhost:/boot# ls -l
total 20363
-rw-r--r-- 1 root root 4131160 Nov 27 10:59 System.map-hardened
lrwxrwxrwx 1 root root 1 Nov 14 17:16 boot -> /
-rw-r--r-- 1 root root 165139 Nov 27 10:59 config-hardened
-rw-r--r-- 1 root root 439 Dec 13 15:26 extlinux.conf
-rw-r--r-- 1 root root 439 Dec 1 10:33 extlinux.conf.old
-rw-r--r-- 1 root root 11574996 Nov 30 17:34 initramfs-hardened
-r--r--r-- 1 root root 116924 Dec 3 02:31 ldlinux.c32
-r--r--r-- 1 root root 69632 Dec 3 02:31 ldlinux.sys
-rw-r--r-- 1 root root 181996 Dec 3 02:31 libcom32.c32
-rw-r--r-- 1 root root 23616 Dec 3 02:31 libutil.c32
drwx------ 2 root root 12288 Nov 14 17:11 lost+found
-rw-r--r-- 1 root root 11712 Dec 3 02:31 mboot.c32
-rw-r--r-- 1 root root 26568 Dec 3 02:31 menu.c32
-rw-r--r-- 1 root root 27020 Dec 3 02:31 vesamenu.c32
-rw-r--r-- 1 root root 4502608 Nov 27 10:59 vmlinuz-hardened
root@localhost:/boot# cd /boot/boot
root@localhost:/# ls -l
total 113
drwxr-xr-x 2 root root 4096 Dec 21 13:52 bin
drwxr-xr-x 3 root root 1024 Dec 3 02:31 boot
drwxr-xr-x 17 root root 3640 Jan 20 11:30 dev
drwxr-xr-x 65 root root 4096 Jan 18 19:15 etc
drwxr-xr-x 3 root root 4096 Jan 17 15:26 home
drwxr-xr-x 9 root root 4096 Jan 19 13:05 lib
drwx------ 2 root root 16384 Nov 14 17:11 lost+found
drwxr-xr-x 7 root root 4096 Nov 16 23:15 media
drwxr-xr-x 3 root root 4096 Nov 22 10:57 mnt
dr-xr-xr-x 222 root readproc 0 Jan 20 11:30 proc
drwx------ 15 root root 4096 Dec 29 16:44 root
drwxr-xr-x 2 root root 4096 Jan 13 18:01 rules.d
drwxr-xr-x 15 root root 580 Jan 20 11:32 run
drwxr-xr-x 2 root root 12288 Jan 13 18:00 sbin
drwxr-xr-x 2 root root 4096 Nov 14 17:12 srv
drwxr-xr-x 2 root root 4096 Nov 14 17:17 swap
dr-xr-xr-x 13 root root 0 Jan 20 11:30 sys
drwxrwxrwt 5 root root 32768 Jan 20 11:37 tmp
drwxr-xr-x 11 root root 4096 Nov 15 09:55 usr
drwxr-xr-x 12 root root 4096 Dec 3 00:46 var
This is being flagged up as a possible vulnerability, but I couldn’t
identify how it was created. System has otherwise appeared to have been
booting and running unsuspectingly smoothly except for the following:
- Battery began to quickly empty (within minutes) shortly after
purchase, so AC power is required.
- Launching a shell has been returning a prompt with an “ash: out of
range” response for months, which led me to an attempt today to try to
fix this and to notice that I couldn’t find syslinux.cfg (further to
suggestion to fix grub, as at
https://ubuntuforums.org/showthread.php?t=1751950)
Months ago, syslinux.cfg had been found and edited. Running a search for
syslinux.cfg today yields no results; note response to ls
/usr/bin/syslinux:
root@localhost:/boot# whereis syslinux.cfg
syslinux: /usr/bin/syslinux /usr/share/syslinux
root@localhost:/boot# ls /usr/bin/syslinux
/usr/bin/syslinux
root@localhost:/boot# ls /usr/share/syslinux
altmbr.bin dmi.c32 isohdpfx.bin lpxelinux.0 reboot.c32
altmbr_c.bin dmitest.c32 isohdpfx_c.bin ls.c32 rosh.c32
altmbr_f.bin dosutil isohdpfx_f.bin lua.c32 sanboot.c32
cat.c32 efi64 isohdppx.bin mboot.c32 sdi.c32
chain.c32 elf.c32 isohdppx_c.bin mbr.bin sysdump.c32
cmd.c32 ethersel.c32 isohdppx_f.bin mbr_c.bin syslinux.c32
cmenu.c32 gfxboot.c32 isolinux-debug.bin mbr_f.bin syslinux.com
com32 gptmbr.bin isolinux.bin memdisk syslinux.exe
config.c32 gptmbr_c.bin kbdmap.c32 meminfo.c32 syslinux64.exe
cptime.c32 gptmbr_f.bin kontron_wdt.c32 menu.c32 vesa.c32
cpu.c32 gpxecmd.c32 ldlinux.c32 pci.c32 vesainfo.c32
cpuid.c32 hdt.c32 lfs.c32 pcitest.c32 vesamenu.c32
cpuidtest.c32 hexdump.c32 libcom32.c32 pmload.c32 vpdtest.c32
debug.c32 host.c32 libgpl.c32 poweroff.c32 whichsys.c32
dhcp.c32 ifcpu.c32 liblua.c32 prdhcp.c32 zzjson.c32
diag ifcpu64.c32 libmenu.c32 pwd.c32
dir.c32 ifmemdsk.c32 libutil.c32 pxechn.c32
disk.c32 ifplop.c32 linux.c32 pxelinux.0
I considered posting this on the forum but was concerned due to the
relative lack of response there (but I am very grateful for so much
development activity!)
*(from redmine: issue id 8407, created on 2018-01-20)*

3.7.4, Natanael Copa

tar dependencies
https://gitlab.alpinelinux.org/alpine/aports/-/issues/8383
2020-03-16T01:21:39Z, Szymon Scholz

tar should have dependencies to libraries of algorithms!
tar has an option to extract e.g. an lzma archive, but without it, it says
“short read”.
After apk del tar && apk add tar it says that lzip is missing!
How do you want to make it work without those libraries?
*(from redmine: issue id 8383, created on 2018-01-06)*

3.7.4, Natanael Copa

lbu: Add support for detecting file-permission changes
https://gitlab.alpinelinux.org/alpine/aports/-/issues/8743
2020-03-16T01:21:07Z, algitbot

Currently “lbu commit” does not detect, if a file-permission has been
changed - and the file-permission is the ONLY change.
To fix this, we could use ‘stats’ to compare file-permissions.
Attached is a simple patch to use ‘stats’ to detect file-permission
changes
*(from redmine: issue id 8743, created on 2018-03-27)*
* Uploads:
* [lbu-file-permission.diff](/uploads/82e68ee0a63e37f5ec2fdd5993845868/lbu-file-permission.diff) Make LBU aware of file-permissions

3.7.4, Natanael Copa

apparmor cannot load profiles
https://gitlab.alpinelinux.org/alpine/aports/-/issues/8570
2020-02-26T10:09:19Z, Vincent Bentley

With fixes for bugs 7985, 8568 and 8569 manually applied, apparmor
cannot load profiles. The on screen error message hints at an AppArmor
2.4 compatibility patch to the kernel being required or could just be
missing the required file system?
```
sudo ./apparmor start -vvvv
* Executing: /lib/rc/sh/openrc-run.sh /lib/rc/sh/openrc-run.sh /etc/init.d/apparmor start
* Starting AppArmor ...
* Debug parse_profiles ...
* Loading AppArmor profiles ...
egrep: bad regex '^/.*[ \t]+flags[ \t]*=[ \t]*\([ \t]*complain[ \t]*\)[ \t]+{': Invalid contents of {}
Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.
* /etc/apparmor.d/bin.ping failed to load
```
*(from redmine: issue id 8570, created on 2018-02-24)*

3.7.4, Natanael Copa

sysctl doesn't set net.ipv6.conf.all.forwarding
https://gitlab.alpinelinux.org/alpine/aports/-/issues/8599
2020-01-23T10:22:28Z, algitbot

I have a fresh installed Alpine 3.7 extended installation and wanted to
set a sysctl value `net.ipv6.conf.all.forwarding` to 1 upon boot.
What I did is added a line `net.ipv6.conf.all.forwarding = 1` to
/etc/sysctl.d/00-alpine.conf at the end of file with 3 newlines after
the line.
The value remains 0 after reboot, but all other parameters are being
set fine, such as custom net.ipv4.ip\_forward value.
I have tried what bernhardgruen suggested on IRC, creating
/etc/conf.d/sysctl with `rc_need="net"` line and following with
rc-update -u, which doesn’t provide any positive effect. I have tried
with rc\_need="net.eth0", rc\_need="networking" but it didn’t help.
I have IPv6 address configured in /etc/network/interfaces and it comes
up at boot, but there seems to be some problem with sysctl settings for
IPv6 which i was not able to identify.
Is there way to set this parameter to 1 at boot without touching
anything else but sysctl and inventing additional boot scripts?
*(from redmine: issue id 8599, created on 2018-03-02)*

3.7.4, Natanael Copa

wpa_supplicant starts after networking
https://gitlab.alpinelinux.org/alpine/aports/-/issues/7986
2020-01-20T08:41:53Z, Carlo Landmeter

I have to add rc\_need="wpa\_supplicant" to /etc/conf.d/networking to
make it work.
This is on edge.
*(from redmine: issue id 7986, created on 2017-10-07)*
* Relations:
* relates #8025

3.7.4, Natanael Copa

[3.7] sdl: Multiple vulnerabilities (CVE-2019-7572, CVE-2019-7573, CVE-2019-7574, CVE-2019-7575, CVE-2019-7576, CVE-2019-7577, CVE-2019-7578, CVE-2019-7635, CVE-2019-7636, CVE-2019-7637, CVE-2019-7638)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10347
2019-08-14T12:52:56Z, Alicha CH

CVE-2019-7572: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x
through 2.0.9
has a buffer over-read in IMA\_ADPCM\_nibble in audio/SDL\_wave.c.
### References:
https://security-tracker.debian.org/tracker/CVE-2019-7572
https://bugzilla.libsdl.org/show\_bug.cgi?id=4495
Proposed patch:
https://bugzilla-attachments.libsdl.org/attachment.cgi?id=3612
Proposed patch:
https://bugzilla-attachments.libsdl.org/attachment.cgi?id=3618
CVE-2019-7573: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x
through 2.0.9 has a
heap-based buffer over-read in InitMS\_ADPCM in audio/SDL\_wave.c
(inside the wNumCoef loop).
### References:
https://bugzilla.libsdl.org/show\_bug.cgi?id=4491
https://security-tracker.debian.org/tracker/CVE-2019-7573
Proposed patch:
https://bugzilla-attachments.libsdl.org/attachment.cgi?id=3620
CVE-2019-7574: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x
through 2.0.9 has
a heap-based buffer over-read in IMA\_ADPCM\_decode in
audio/SDL\_wave.c.
### Reference:
https://bugzilla.libsdl.org/show\_bug.cgi?id=4496
https://security-tracker.debian.org/tracker/CVE-2019-7574
Proposed patch:
https://bugzilla-attachments.libsdl.org/attachment.cgi?id=3610
CVE-2019-7575: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x
through 2.0.9 has
a heap-based buffer overflow in MS\_ADPCM\_decode in audio/SDL\_wave.c.
### References:
https://security-tracker.debian.org/tracker/CVE-2019-7575
https://bugzilla.libsdl.org/show\_bug.cgi?id=4493
Proposed patch:
https://bugzilla-attachments.libsdl.org/attachment.cgi?id=3609
CVE-2019-7576: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x
through 2.0.9 has a heap-based
buffer over-read in InitMS\_ADPCM in audio/SDL\_wave.c (outside the
wNumCoef loop).
### References:
https://security-tracker.debian.org/tracker/CVE-2019-7576
https://bugzilla.libsdl.org/show\_bug.cgi?id=4490
Proposed patch:
https://bugzilla.libsdl.org/attachment.cgi?id=3620&action=diff
CVE-2019-7577: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x
through 2.0.9 has a
buffer over-read in SDL\_LoadWAV\_RW in audio/SDL\_wave.c.
### References:
https://bugzilla.libsdl.org/show\_bug.cgi?id=4492
https://security-tracker.debian.org/tracker/CVE-2019-7577
Proposed patch:
https://bugzilla-attachments.libsdl.org/attachment.cgi?id=3608
Proposed patch:
https://bugzilla-attachments.libsdl.org/attachment.cgi?id=3694
CVE-2019-7578: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x
through 2.0.9 has
a heap-based buffer over-read in InitIMA\_ADPCM in audio/SDL\_wave.c.
### References:
https://bugzilla.libsdl.org/show\_bug.cgi?id=4494
https://security-tracker.debian.org/tracker/CVE-2019-7578
Proposed patch:
https://bugzilla-attachments.libsdl.org/attachment.cgi?id=3623
CVE-2019-7635: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x
through 2.0.9 has
a heap-based buffer over-read in Blit1to4 in video/SDL\_blit\_1.c.
### References:
https://bugzilla.libsdl.org/show\_bug.cgi?id=4498
https://security-tracker.debian.org/tracker/CVE-2019-7635
CVE-2019-7636: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x
through 2.0.9
has a heap-based buffer over-read in SDL\_GetRGB in video/SDL\_pixels.c.
### References:
https://security-tracker.debian.org/tracker/CVE-2019-7636
https://bugzilla.libsdl.org/show\_bug.cgi?id=4499
CVE-2019-7637: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x
through 2.0.9 has
a heap-based buffer overflow in SDL\_FillRect in video/SDL\_surface.c.
### References:
https://security-tracker.debian.org/tracker/CVE-2019-7637
CVE-2019-7638: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x
through 2.0.9
has a heap-based buffer over-read in Map1toN in video/SDL\_pixels.c.
### References:
https://bugzilla.libsdl.org/show\_bug.cgi?id=4500
*(from redmine: issue id 10347, created on 2019-04-25)*
* Relations:
* parent #10343

3.7.4, Natanael Copa

[3.7] libmad: Multiple vulnerabilities (CVE-2017-8372, CVE-2017-8373, CVE-2017-8374)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/8907
2019-08-14T12:42:07Z, Alicha CH

**CVE-2017-8372**: The mad\_layer\_III function in layer3.c in Underbit
MAD libmad 0.15.1b, if NDEBUG is omitted,
allows remote attackers to cause a denial of service (assertion failure
and application exit) via a crafted audio file.
### References:
http://openwall.com/lists/oss-security/2017/05/01/7
https://blogs.gentoo.org/ago/2017/04/30/libmad-assertion-failure-in-layer3-c/
**CVE-2017-8373**: The mad\_layer\_III function in layer3.c in Underbit
MAD libmad 0.15.1b allows remote
attackers to cause a denial of service (heap-based buffer overflow and
application crash) or possibly
have unspecified other impact via a crafted audio file.
### References:
http://openwall.com/lists/oss-security/2017/05/01/8
https://blogs.gentoo.org/ago/2017/04/30/libmad-heap-based-buffer-overflow-in-mad\_layer\_iii-layer3-c/
**CVE-2017-8374**: The mad\_bit\_skip function in bit.c in Underbit MAD
libmad 0.15.1b allows remote attackers to cause
a denial of service (heap-based buffer over-read and application crash)
via a crafted audio file.
### References:
http://openwall.com/lists/oss-security/2017/05/01/9
https://blogs.gentoo.org/ago/2017/04/30/libmad-heap-based-buffer-overflow-in-mad\_bit\_skip-bit-c/
*(from redmine: issue id 8907, created on 2018-05-18)*
* Relations:
* copied_to #8905
* parent #8905

3.7.4, Natanael Copa

"nsupdate" failures due to missing gssapi binding
https://gitlab.alpinelinux.org/alpine/aports/-/issues/8999
2019-07-23T11:26:23Z, algitbot

I need to setup a Docker image with a Samba domain controller installed.
To set this image up I followed the instructions from this guide:
https://wiki.alpinelinux.org/wiki/Setting\_up\_a\_samba-ad-dc.
When I run the container I get the following errors multiple times:
```
/usr/sbin/samba_dnsupdate: /usr/bin/nsupdate: cannot specify -g or -o, program not linked with GSS API Library
../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 25
```
This happens because of a missing `configure` option
(https://git.alpinelinux.org/cgit/aports/tree/main/bind/APKBUILD\#n72):
```
--with-gssapi=yes
```
If one only adds this switch to the `APKBUILD` the build fails with the
given error:
```
libtool: link: gcc -Os -fomit-frame-pointer -D_GNU_SOURCE -I/usr/include/libxml2 -fPIC -Wl,--as-needed -o .libs/resolve .libs/resolve.o ../irs/.libs/libirs.so -L/lib ../dns/.libs/libdns.so ../isccfg/.libs/libisccfg.so /tmp/aports/main/bind/src/bind-9.12.1-P2/lib/dns/.libs/libdns.so -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err /tmp/aports/main/bind/src/bind-9.12.1-P2/lib/isc/.libs/libisc.so ../isc/.libs/libisc.so -lcrypto -ldl -lcap -ljson-c -lpthread -lxml2 -lz -lm
../dns/.libs/libdns.so: undefined reference to `RSA_set0_factors'
../dns/.libs/libdns.so: undefined reference to `RSA_set0_crt_params'
../dns/.libs/libdns.so: undefined reference to `RSA_get0_factors'
../dns/.libs/libdns.so: undefined reference to `DSA_set0_pqg'
../dns/.libs/libdns.so: undefined reference to `DH_set0_key'
../dns/.libs/libdns.so: undefined reference to `DH_clear_flags'
../dns/.libs/libdns.so: undefined reference to `ECDSA_SIG_get0'
../dns/.libs/libdns.so: undefined reference to `ECDSA_SIG_set0'
../dns/.libs/libdns.so: undefined reference to `RSA_test_flags'
../dns/.libs/libdns.so: undefined reference to `DH_set0_pqg'
../dns/.libs/libdns.so: undefined reference to `DSA_SIG_get0'
../dns/.libs/libdns.so: undefined reference to `DSA_set0_key'
../dns/.libs/libdns.so: undefined reference to `DSA_get0_key'
../dns/.libs/libdns.so: undefined reference to `RSA_get0_key'
../dns/.libs/libdns.so: undefined reference to `DSA_SIG_set0'
../dns/.libs/libdns.so: undefined reference to `DSA_clear_flags'
../dns/.libs/libdns.so: undefined reference to `DH_get0_key'
../dns/.libs/libdns.so: undefined reference to `RSA_get0_crt_params'
../dns/.libs/libdns.so: undefined reference to `DSA_get0_pqg'
../dns/.libs/libdns.so: undefined reference to `DH_get0_pqg'
../dns/.libs/libdns.so: undefined reference to `RSA_set0_key'
```
Switching to “openssl” makes the build succeed:
```
sed -i \
  -e 's/libressl-dev/openssl-dev/g' \
  -e 's/makedepends="/makedepends="krb5-dev /' \
  -e '/libressl[^.]\+\.patch/d' \
  -e '/tools() {/,/}/s/depends=""/depends="krb5"/' \
  -e '/.\/configure/a\ --with-gssapi=yes --with-dlopen \\' \
  APKBUILD
```
With the new build, the errors stated at the beginning of this issue are
gone.
*(from redmine: issue id 8999, created on 2018-06-13, closed on 2019-06-19)*

3.7.4, Natanael Copa

[3.7] bind: Multiple vulnerabilities (CVE-2018-5744, CVE-2018-5745, CVE-2019-6465)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10168
2019-07-23T11:12:52Z, Alicha CH

CVE-2018-5744: A specially crafted packet can cause named to leak memory
------------------------------------------------------------------------
A flaw was found in Bind. A failure to free memory can occur when
processing messages having a specific combination of EDNS options,
causing named’s memory use to grow without bounds until all memory is
exhausted.
### Versions affected:
BIND 9.10.7 -> 9.10.8-P1, 9.11.3 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1
### Reference:
https://kb.isc.org/docs/cve-2018-5744
CVE-2018-5745: An assertion failure if a trust anchor rolls over to an unsupported key algorithm when using managed-keys
------------------------------------------------------------------------------------------------------------------------
A flaw was found in Bind. Due to an error in the managed-keys feature it
is possible for a BIND server which
uses managed-keys to exit due to an assertion failure causing denial of
service.
### Versions affected:
BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1
### Fixed In Version:
bind 9.11.5-P4, bind 9.12.3-P4
### Reference:
https://kb.isc.org/docs/cve-2018-5745
CVE-2019-6465: Zone transfer controls for writable DLZ zones were not effective
-------------------------------------------------------------------------------
A flaw was found in Bind. Controls for zone transfers may not be
properly applied to Dynamically Loadable Zones (DLZs) if the zones are
writable.
A client exercising this defect can request and receive a zone transfer
of a DLZ even when not permitted to do so by the allow-transfer ACL.
### Versions affected:
BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2
### Fixed In Version:
bind 9.11.5-P4, bind 9.12.3-P4
### Reference:
https://kb.isc.org/docs/cve-2019-6465
*(from redmine: issue id 10168, created on 2019-03-27, closed on 2019-04-15)*
* Relations:
* parent #10164
* Changesets:
* Revision 3142e7931359e784a78891287108e92aefc4393c by Chris Ely on 2019-04-12T06:09:47Z:
```
main/bind: security upgrade to 9.11.5_p4
https://ftp.isc.org/isc/bind9/9.11.5-P4/RELEASE-NOTES-bind-9.11.5-P4.html
- CVE-2019-6465
- CVE-2018-5745
- CVE-2018-5744
- CVE-2018-5740
- CVE-2018-5738
Fixes #10168
With the release of BIND 9.11.0, ISC changed to the open source license
for BIND from the ISC license to the Mozilla Public License (MPL 2.0).
BIND 9.11 (Extended Support Version) will be supported until at least
December, 2021.
```

3.7.4, Natanael Copa

[3.7] samba: Save registry file outside share as unprivileged user (CVE-2019-3880)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10249
2019-07-23T11:11:54Z, Alicha CH

Samba contains an RPC endpoint emulating the Windows registry service
API. One of the requests, “winreg\_SaveKey”, is susceptible to a
path/symlink traversal vulnerability. Unprivileged users can use it to
create a new registry hive file anywhere they have unix permissions to
create a new file within a Samba share. If they are able to create
symlinks on a Samba share, they can create a new registry hive file
anywhere they have write access, even outside a Samba share
definition.
### Affected Versions:
All versions of samba since samba 3.2.0
### Fixed In Version:
samba 4.8.11, 4.9.6 and 4.10.2
### References:
https://www.samba.org/samba/security/CVE-2019-3880.html
https://www.samba.org/samba/history/security.html
### Patch:
https://download.samba.org/pub/samba/patches/security/samba-4.8.10-security-2019-04-08.patch
*(from redmine: issue id 10249, created on 2019-04-15, closed on 2019-04-18)*
* Relations:
* parent #10246
* Changesets:
* Revision dd592906931a0d72d098e6385832a370bbb221c2 on 2019-04-17T08:33:43Z:
```
main/samba: security fix (CVE-2019-3880)
Fixes #10249
Signed-off-by: Leonardo Arena <rnalrd@alpinelinux.org>
```

3.7.4, Natanael Copa

[3.7] lua5.3: use-after-free in lua_upvaluejoin in lapi.c (CVE-2019-6706)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10255
2019-07-23T11:11:49Z, Alicha CH

Lua 5.3.5 has a use-after-free in lua\_upvaluejoin in lapi.c. For
example, a crash outcome might be achieved by an
attacker who is able to trigger a debug.upvaluejoin call in which the
arguments have certain relationships.
### References:
http://lua.2524044.n2.nabble.com/Bug-Report-Use-after-free-in-debug-upvaluejoin-tc7685506.html
https://security-tracker.debian.org/tracker/CVE-2019-6706
*(from redmine: issue id 10255, created on 2019-04-15, closed on 2019-05-06)*
* Relations:
* parent #10251
* Changesets:
* Revision fda894f6c300cc264f5ca3fb93f499fe51a15750 by Natanael Copa on 2019-05-06T17:13:58Z:
```
main/lua5.3: upgrade to 5.3.5 and sec fix CVE-2019-6706
fixes #10255
```

3.7.4, Natanael Copa

[3.7] libxslt: security framework bypass (CVE-2019-11068)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10280
2019-07-23T11:11:32Z, Alicha CH

libxslt through 1.1.33 allows bypass of a protection mechanism because
callers of xsltCheckRead and xsltCheckWrite permit access even upon
receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL
that is not actually invalid and is subsequently loaded.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-11068
https://security-tracker.debian.org/tracker/CVE-2019-11068
### Patch:
https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
*(from redmine: issue id 10280, created on 2019-04-17, closed on 2019-04-18)*
* Relations:
* parent #10276
* Changesets:
* Revision e0bf68014c8449196d77264ba2cc6a040051be9a by Natanael Copa on 2019-04-17T07:47:50Z:
```
main/libxslt: security fix for CVE-2019-11068
fixes #10280
```

3.7.4, Natanael Copa

[3.7] ruby: Multiple vulnerabilities (CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, CVE-2019-8325)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10289
2019-07-23T11:11:25Z, Alicha CH

CVE-2019-8320: Delete directory using symlink when decompressing tar
CVE-2019-8321: Escape sequence injection vulnerability in verbose
CVE-2019-8322: Escape sequence injection vulnerability in gem owner
CVE-2019-8323: Escape sequence injection vulnerability in API response
handling
CVE-2019-8324: Installing a malicious gem may lead to arbitrary code
execution
CVE-2019-8325: Escape sequence injection vulnerability in errors
### Affected Versions:
Ruby 2.4 series: 2.4.5 and earlier
Ruby 2.5 series: 2.5.3 and earlier
### Reference:
https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
### Patches:
https://bugs.ruby-lang.org/attachments/7669 (for Ruby 2.4.5)
https://bugs.ruby-lang.org/attachments/7670 (for Ruby 2.5.3)
*(from redmine: issue id 10289, created on 2019-04-18, closed on 2019-05-06)*
* Relations:
* parent #10286
* Changesets:
* Revision 26cc34eb049b628c4c35af1f61ebd8437596d8ca by Natanael Copa on 2019-05-06T17:52:19Z:
```
main/ruby: upgrade to 2.4.6
- CVE-2019-8320
- CVE-2019-8321
- CVE-2019-8322
- CVE-2019-8323
- CVE-2019-8324
- CVE-2019-8325
fixes #10289
```
3.7.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10299
[3.7] python3: Multiple vulnerabilities (CVE-2018-14647, CVE-2018-20406, CVE-2019-9636)
2019-07-23T11:11:22Z
Alicha CH

CVE-2018-14647: Missing salt initialization in \_elementtree.c module
---------------------------------------------------------------------
A flaw was found in python’s \_elementtree.c module, a wrapper for
libexpat XML parser. The xml.etree C accelerator doesn’t call
XML\_SetHashSalt(), failing to properly initiate
the random hash seed from a good CSPRNG source and making hash collision
attacks with carefully crafted XML data easier.
### Fixed In Version:
python 3.7.1, python 3.6.7, python 2.7.16
### References:
https://bugs.python.org/issue34623
CVE-2018-20406: Integer overflow in Modules/\_pickle.c allows for memory exhaustion if serializing gigabytes of data
--------------------------------------------------------------------------------------------------------------------
Modules/\_pickle.c in Python before 3.7.1 has an integer overflow via a
large LONG\_BINPUT value that is mishandled during a “resize to twice
the size” attempt.
This issue might cause memory exhaustion, but is only relevant if the
pickle format is used for serializing tens or hundreds of gigabytes of
data.
### References:
https://bugs.python.org/issue34656
### Patch:
https://github.com/python/cpython/commit/71a9c65e74a70b6ed39adc4ba81d311ac1aa2acc
CVE-2019-9636: Information Disclosure due to urlsplit improper NFKC normalization
---------------------------------------------------------------------------------
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by:
Improper Handling of Unicode Encoding (with an incorrect netloc) during
NFKC normalization.
The impact is: Information disclosure (credentials, cookies, etc. that
are cached against a given hostname). The components are:
urllib.parse.urlsplit, urllib.parse.urlparse.
The attack vector is: A specially crafted URL could be incorrectly
parsed to locate cookies or authentication data and send that
information to a different host than when parsed correctly.
### References:
https://github.com/python/cpython/pull/12201
https://nvd.nist.gov/vuln/detail/CVE-2019-9636
### Patch:
https://github.com/python/cpython/commit/23fc0416454c4ad5b9b23d520fbe6d89be3efc24
*(from redmine: issue id 10299, created on 2019-04-18, closed on 2019-04-23)*
* Relations:
* parent #10297
* Changesets:
* Revision 9d48a71d9895becc1428522aee341f26034aa3ab by Natanael Copa on 2019-04-22T10:22:54Z:
```
main/python3: security upgrade to 3.6.8
- CVE-2018-14647
- CVE-2018-20406
- CVE-2019-9636
fixes #10299
```
3.7.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10335
[3.7] hostapd: SAE confirm missing state validation in hostapd/AP (CVE-2019-9496)
2019-07-23T11:10:55Z
Alicha CH

An invalid authentication sequence could result in the hostapd process
terminating due to missing state validation steps when
processing the SAE confirm message when in hostapd/AP mode. All versions
of hostapd with SAE support are vulnerable.
Update to hostapd v2.8 or newer, once available.
### References:
https://w1.fi/security/2019-3/sae-confirm-missing-state-validation.txt
https://www.kb.cert.org/vuls/id/871675/
### Patch:
https://w1.fi/cgit/hostap/commit/?id=ac8fa9ef198640086cf2ce7c94673be2b6a018a0
*(from redmine: issue id 10335, created on 2019-04-25, closed on 2019-06-20)*
* Relations:
* parent #10331
* Changesets:
* Revision 4c63d15964419d85bba90df9bfeb8f6af833b40b on 2019-06-05T08:55:48Z:
```
main/hostapd: security fix (CVE-2019-9496)
Fixes #10335
```
3.7.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10364
[3.7] libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)
2019-07-23T11:10:43Z
Alicha CH

A vulnerability was found in libpng 1.6.36. The function
png\_image\_free in png.c has
a use-after-free because png\_image\_free\_function is called under
png\_safe\_execute.
This flaw is in the PNG Simplified API, which was introduced
upstream in libpng-1.6.0. Previous versions of libpng are not affected.
### References:
https://github.com/glennrp/libpng/issues/275
https://nvd.nist.gov/vuln/detail/CVE-2019-7317
### Patch:
https://github.com/glennrp/libpng/commit/9c0d5c77bf5bf2d7c1e11f388de40a70e0191550
*(from redmine: issue id 10364, created on 2019-04-29, closed on 2019-05-06)*
* Relations:
* parent #10360
* Changesets:
* Revision 7343860d339ba29c5188614207d226094fbf746b by Leo Leo on 2019-05-06T08:41:55Z:
```
main/libpng: upgrade to 1.6.37
- Add secfixes
CVE-2019-7317
CVE-2018-14048
CVE-2018-14550
- Remove pkg-config detected depends_dev
fixes #10364
```
3.7.4
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10370
[3.7] bind: Limiting simultaneous TCP clients is ineffective (CVE-2018-5743)
2019-07-23T11:10:37Z
Alicha CH

By design, BIND is intended to limit the number of TCP clients that can
be connected at any given time. The number of allowed connections is a
tunable parameter which, if unset, defaults to a conservative value for
most servers. Unfortunately, the code which was intended to limit the
number of simultaneous connections contains an error which can be
exploited to grow the number of simultaneous connections beyond this
limit.
### Affected Versions:
BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6, 9.12.0 -> 9.12.4,
9.14.0. BIND 9 Supported Preview Edition versions 9.9.3-S1 ->
9.11.5-S3, and 9.11.5-S5.
Versions 9.13.0 -> 9.13.7 of the 9.13 development branch are also
affected.
### Fixed In Version:
bind 9.11.6-P1, bind 9.12.4-P1, bind 9.14.1
### References:
https://kb.isc.org/docs/cve-2018-5743
https://www.openwall.com/lists/oss-security/2019/04/25/3
*(from redmine: issue id 10370, created on 2019-04-29, closed on 2019-05-03)*
* Relations:
* parent #10366
* Changesets:
* Revision 935add8c0f7f6c11b2382695b3369beb40d3618c by Natanael Copa on 2019-05-03T06:33:15Z:
```
main/bind: security upgrade to 9.11.6_p1 (CVE-2018-5743,CVE-2019-6467)
This release introduced 3 new tools with python dependency
(dnssec-checkdns, dnssec-coverage and dnssec-keymgr). Move those tools
to a subpackage, bind-dnssec-tools, to avoid unexpectedly pull in python
as dependency for stable upgraders.
There are other tools in bind-tools that belongs to bind-dnssec-tools,
but we dont move those in a stable branch to avoid breaking things for
current users.
Include patch to fix build on non-x86:
https://gitlab.isc.org/isc-projects/bind9/commit/d72f436b7d7c697b262968c48c2d7643069ab17f
https://lists.isc.org/pipermail/bind-users/2019-April/101673.html
fixes #10370
```
3.7.4
Natanael Copa