# aports issues
* Feed: https://gitlab.alpinelinux.org/alpine/aports/-/issues
* Updated: 2019-10-31T12:37:51Z

## testing/emscripten: upgrade to 1.38.34
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10549
* Updated: 2019-10-31T12:37:51Z
* Author: Lucas Ramage

Currently available version is from 2017.
Also, the homepage has changed to https://emscripten.org, and the source
has also moved to https://github.com/emscripten-core/emscripten.
I reached out to the maintainer, but I never received a response.
I would be willing to submit a patch; I just don’t want to duplicate
effort.
*(from redmine: issue id 10549, created on 2019-06-10)*

## heimdal: man-in-the-middle attack in function krb5_init_creds_step in lib/krb5/init_creds_pw.c (CVE-2019-12098)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10551
* Updated: 2019-07-23T10:35:39Z
* Author: Alicha CH

In the client side of Heimdal before 7.6.0, failure to verify anonymous
PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack. This
issue is in krb5_init_creds_step in lib/krb5/init_creds_pw.c.
### References:
http://www.h5l.org/pipermail/heimdal-announce/2019-May/000009.html
https://nvd.nist.gov/vuln/detail/CVE-2019-12098
### Patch:
Fixed by:
https://github.com/heimdal/heimdal/commit/2f7f3d9960aa6ea21358bdf3687cee5149aa35cf
(7.6.0)
Introduced by:
https://github.com/heimdal/heimdal/commit/a1ef548600c5bb51cf52a9a9ea12676506ede19f
(1.4.0)
*(from redmine: issue id 10551, created on 2019-06-12)*
* Relations:
* child #10552
* child #10553
* child #10554
* child #10555
* Assignee: Natanael Copa

## [3.10] heimdal: man-in-the-middle attack in function krb5_init_creds_step in lib/krb5/init_creds_pw.c (CVE-2019-12098)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10552
* Updated: 2019-07-16T11:25:06Z
* Author: Alicha CH

In the client side of Heimdal before 7.6.0, failure to verify anonymous
PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack. This
issue is in krb5_init_creds_step in lib/krb5/init_creds_pw.c.
### References:
http://www.h5l.org/pipermail/heimdal-announce/2019-May/000009.html
https://nvd.nist.gov/vuln/detail/CVE-2019-12098
### Patch:
Fixed by:
https://github.com/heimdal/heimdal/commit/2f7f3d9960aa6ea21358bdf3687cee5149aa35cf
(7.6.0)
Introduced by:
https://github.com/heimdal/heimdal/commit/a1ef548600c5bb51cf52a9a9ea12676506ede19f
(1.4.0)
*(from redmine: issue id 10552, created on 2019-06-12)*
* Relations:
* parent #10551
* Changesets:
* Revision 7f6e6b03d2536a389bb79a29915bd3a8fe881517 by Natanael Copa on 2019-07-11T16:02:02Z:
```
main/heimdal: security fix for CVE-2019-12098
fixes #10552
```
* Milestone: 3.10.1
* Assignee: Natanael Copa

## [3.9] heimdal: man-in-the-middle attack in function krb5_init_creds_step in lib/krb5/init_creds_pw.c (CVE-2019-12098)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10553
* Updated: 2019-07-16T11:24:34Z
* Author: Alicha CH

In the client side of Heimdal before 7.6.0, failure to verify anonymous
PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack. This
issue is in krb5_init_creds_step in lib/krb5/init_creds_pw.c.
### References:
http://www.h5l.org/pipermail/heimdal-announce/2019-May/000009.html
https://nvd.nist.gov/vuln/detail/CVE-2019-12098
### Patch:
Fixed by:
https://github.com/heimdal/heimdal/commit/2f7f3d9960aa6ea21358bdf3687cee5149aa35cf
(7.6.0)
Introduced by:
https://github.com/heimdal/heimdal/commit/a1ef548600c5bb51cf52a9a9ea12676506ede19f
(1.4.0)
*(from redmine: issue id 10553, created on 2019-06-12)*
* Relations:
* parent #10551
* Changesets:
* Revision 5949036164c597352ded38bcb5386cc5e4ea273b by Natanael Copa on 2019-07-11T16:06:28Z:
```
main/heimdal: security fix for CVE-2019-12098
fixes #10553
```
* Milestone: 3.9.5
* Assignee: Natanael Copa

## [3.8] heimdal: man-in-the-middle attack in function krb5_init_creds_step in lib/krb5/init_creds_pw.c (CVE-2019-12098)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10554
* Updated: 2019-07-16T11:24:11Z
* Author: Alicha CH

In the client side of Heimdal before 7.6.0, failure to verify anonymous
PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack. This
issue is in krb5_init_creds_step in lib/krb5/init_creds_pw.c.
### References:
http://www.h5l.org/pipermail/heimdal-announce/2019-May/000009.html
https://nvd.nist.gov/vuln/detail/CVE-2019-12098
### Patch:
Fixed by:
https://github.com/heimdal/heimdal/commit/2f7f3d9960aa6ea21358bdf3687cee5149aa35cf
(7.6.0)
Introduced by:
https://github.com/heimdal/heimdal/commit/a1ef548600c5bb51cf52a9a9ea12676506ede19f
(1.4.0)
*(from redmine: issue id 10554, created on 2019-06-12)*
* Relations:
* parent #10551
* Changesets:
* Revision e8ebbb3123154e0d2dfd574d9eea59dd51ffe205 by Natanael Copa on 2019-07-11T16:12:06Z:
```
main/heimdal: security fix for CVE-2019-12098
fixes #10554
```
* Milestone: 3.8.5
* Assignee: Natanael Copa

## [3.7] heimdal: man-in-the-middle attack in function krb5_init_creds_step in lib/krb5/init_creds_pw.c (CVE-2019-12098)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10555
* Updated: 2019-07-16T11:23:39Z
* Author: Alicha CH

In the client side of Heimdal before 7.6.0, failure to verify anonymous
PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack. This
issue is in krb5_init_creds_step in lib/krb5/init_creds_pw.c.
### References:
http://www.h5l.org/pipermail/heimdal-announce/2019-May/000009.html
https://nvd.nist.gov/vuln/detail/CVE-2019-12098
### Patch:
Fixed by:
https://github.com/heimdal/heimdal/commit/2f7f3d9960aa6ea21358bdf3687cee5149aa35cf
(7.6.0)
Introduced by:
https://github.com/heimdal/heimdal/commit/a1ef548600c5bb51cf52a9a9ea12676506ede19f
(1.4.0)
*(from redmine: issue id 10555, created on 2019-06-12)*
* Relations:
* parent #10551
* Changesets:
* Revision c29e49eb3beddab5fba37d37713486319c12df8c by Natanael Copa on 2019-07-11T16:17:41Z:
```
main/heimdal: security fix for CVE-2019-12098
fixes #10555
```
* Milestone: 3.7.4
* Assignee: Natanael Copa

## GeoIP Database changed
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10556
* Updated: 2019-07-23T11:07:11Z
* Author: Jan-Hendrik Dörner

GeoLite Legacy databases were discontinued on January 2, 2019.
Therefore the downloads fail.
There is a new “geolite2” database which should now be used.
*(from redmine: issue id 10556, created on 2019-06-12, closed on 2019-06-12)*
* Assignee: Leonardo Arena

## py-django: AdminURLFieldWidget XSS (CVE-2019-12308)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10557
* Updated: 2019-07-23T11:07:11Z
* Author: Alicha CH

An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9,
and 2.2 before 2.2.2. The clickable Current URL value displayed by the
AdminURLFieldWidget displays the provided value without validating it as
a safe URL. Thus, an unvalidated value stored in the database, or a value
provided as a URL query parameter payload, could result in a clickable
JavaScript link.
### Fixed In Version:
Django 2.2.2, Django 2.1.9, Django 1.11.21
### References:
https://docs.djangoproject.com/en/dev/releases/1.11.21/
https://www.openwall.com/lists/oss-security/2019/06/03/2
### Patch:
https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b
*(from redmine: issue id 10557, created on 2019-06-13, closed on 2019-06-26)*
* Relations:
* child #10558
* child #10559
* child #10560
* child #10561
* Changesets:
* Revision f545a3e9d547e92bcc100a029a62c393337e7b8c by Natanael Copa on 2019-06-25T21:02:47Z:
```
main/py-django: security upgrade to 1.11.21 (CVE-2019-12308)
ref #10557
```
* Assignee: Natanael Copa

## [3.10] py-django: AdminURLFieldWidget XSS (CVE-2019-12308)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10558
* Updated: 2019-07-23T11:07:10Z
* Author: Alicha CH

An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9,
and 2.2 before 2.2.2. The clickable Current URL value displayed by the
AdminURLFieldWidget displays the provided value without validating it as
a safe URL. Thus, an unvalidated value stored in the database, or a value
provided as a URL query parameter payload, could result in a clickable
JavaScript link.
### Fixed In Version:
Django 2.2.2, Django 2.1.9, Django 1.11.21
### References:
https://docs.djangoproject.com/en/dev/releases/1.11.21/
https://www.openwall.com/lists/oss-security/2019/06/03/2
### Patch:
https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b
*(from redmine: issue id 10558, created on 2019-06-13, closed on 2019-06-26)*
* Relations:
* parent #10557
* Changesets:
* Revision 3192c106fcf98faea0a2e8554ba5b4be87ca45b8 by Natanael Copa on 2019-06-25T21:05:03Z:
```
main/py-django: security upgrade to 1.11.21 (CVE-2019-12308)
fixes #10558
```
* Milestone: 3.10.1
* Assignee: Natanael Copa

## [3.9] py-django: AdminURLFieldWidget XSS (CVE-2019-12308)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10559
* Updated: 2019-07-23T11:07:08Z
* Author: Alicha CH

An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9,
and 2.2 before 2.2.2. The clickable Current URL value displayed by the
AdminURLFieldWidget displays the provided value without validating it as
a safe URL. Thus, an unvalidated value stored in the database, or a value
provided as a URL query parameter payload, could result in a clickable
JavaScript link.
### Fixed In Version:
Django 2.2.2, Django 2.1.9, Django 1.11.21
### References:
https://docs.djangoproject.com/en/dev/releases/1.11.21/
https://www.openwall.com/lists/oss-security/2019/06/03/2
### Patch:
https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b
*(from redmine: issue id 10559, created on 2019-06-13, closed on 2019-06-26)*
* Relations:
* parent #10557
* Changesets:
* Revision 7c08ad453addc444dcde7fac47a4aa6479257560 by Natanael Copa on 2019-06-25T21:07:23Z:
```
main/py-django: security upgrade to 1.11.21 (CVE-2019-12308)
fixes #10559
```
* Milestone: 3.9.5
* Assignee: Natanael Copa

## [3.8] py-django: AdminURLFieldWidget XSS (CVE-2019-12308)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10560
* Updated: 2019-07-23T11:07:07Z
* Author: Alicha CH

An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9,
and 2.2 before 2.2.2. The clickable Current URL value displayed by the
AdminURLFieldWidget displays the provided value without validating it as
a safe URL. Thus, an unvalidated value stored in the database, or a value
provided as a URL query parameter payload, could result in a clickable
JavaScript link.
### Fixed In Version:
Django 2.2.2, Django 2.1.9, Django 1.11.21
### References:
https://docs.djangoproject.com/en/dev/releases/1.11.21/
https://www.openwall.com/lists/oss-security/2019/06/03/2
### Patch:
https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b
*(from redmine: issue id 10560, created on 2019-06-13, closed on 2019-06-26)*
* Relations:
* parent #10557
* Changesets:
* Revision ece4776819ab6ba9289ec3478766b5298bbcfa86 by Natanael Copa on 2019-06-25T21:08:37Z:
```
main/py-django: security upgrade to 1.11.21 (CVE-2019-12308)
fixes #10560
```
* Milestone: 3.8.5
* Assignee: Natanael Copa

## [3.7] py-django: AdminURLFieldWidget XSS (CVE-2019-12308)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10561
* Updated: 2019-07-23T11:07:06Z
* Author: Alicha CH

An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9,
and 2.2 before 2.2.2. The clickable Current URL value displayed by the
AdminURLFieldWidget displays the provided value without validating it as
a safe URL. Thus, an unvalidated value stored in the database, or a value
provided as a URL query parameter payload, could result in a clickable
JavaScript link.
### Fixed In Version:
Django 2.2.2, Django 2.1.9, Django 1.11.21
### References:
https://docs.djangoproject.com/en/dev/releases/1.11.21/
https://www.openwall.com/lists/oss-security/2019/06/03/2
### Patch:
https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b
*(from redmine: issue id 10561, created on 2019-06-13, closed on 2019-06-26)*
* Relations:
* parent #10557
* Changesets:
* Revision 901a6212b9da2d67aced00bf967da681827a5f37 by Natanael Copa on 2019-06-25T21:09:56Z:
```
main/py-django: security upgrade to 1.11.21 (CVE-2019-12308)
fixes #10561
```
* Milestone: 3.7.4
* Assignee: Natanael Copa

## [3.7] vim: arbitrary command execution in getchar.c (CVE-2019-12735)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10562
* Updated: 2019-07-23T11:07:05Z
* Author: Alicha CH

getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote
attackers to execute arbitrary OS commands via the :source! command in a
modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input
in Neovim.
### References:
https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md
### Patch:
https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040
*(from redmine: issue id 10562, created on 2019-06-13, closed on 2019-06-22)*
* Changesets:
* Revision aaf594bc234db11d5ef457511b7b3cebb3bcba46 by Natanael Copa on 2019-06-22T07:30:19Z:
```
main/vim: backport fix for CVE-2019-12735
fixes #10562
```
* Milestone: 3.7.4
* Assignee: Natanael Copa

## libcroco: Multiple vulnerabilities (CVE-2017-7960, CVE-2017-7961, CVE-2017-8834, CVE-2017-8871)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10563
* Updated: 2019-07-23T10:34:16Z
* Author: Alicha CH

CVE-2017-7960: The cr_input_new_from_uri function in cr-input.c in
libcroco 0.6.11 and 0.6.12 allows remote attackers to cause a denial of
service (heap-based buffer over-read) via a crafted CSS file.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2017-7960
https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
### Patch:
https://git.gnome.org/browse/libcroco/commit/?id=898e3a8c8c0314d2e6b106809a8e3e93cf9d4394
CVE-2017-7961: The cr_tknzr_parse_rgb function in cr-tknzr.c in
libcroco 0.6.11 and 0.6.12 has an “outside the range
of representable values of type long” undefined behavior issue, which
might allow remote attackers to cause a denial
of service (application crash) or possibly have unspecified other impact
via a crafted CSS file.
### References:
https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
### Patch:
https://git.gnome.org/browse/libcroco/commit/?id=9ad72875e9f08e4c519ef63d44cdbd94aa9504f7
CVE-2017-8834: The cr_tknzr_parse_comment function in cr-tknzr.c in
libcroco 0.6.12 allows remote
attackers to cause a denial of service (memory allocation error) via a
crafted CSS file.
### References:
https://bugzilla.gnome.org/show_bug.cgi?id=782647
https://nvd.nist.gov/vuln/detail/CVE-2017-8834
CVE-2017-8871: The cr_parser_parse_selector_core function in
cr-parser.c in libcroco 0.6.12 allows remote
attackers to cause a denial of service (infinite loop and CPU
consumption) via a crafted CSS file.
### References:
https://bugzilla.gnome.org/show_bug.cgi?id=782649
https://nvd.nist.gov/vuln/detail/CVE-2017-8871
*(from redmine: issue id 10563, created on 2019-06-13)*
* Relations:
* child #10564
* child #10565
* child #10566
* Assignee: Leo

## [3.9] libcroco: Multiple vulnerabilities (CVE-2017-7960, CVE-2017-7961, CVE-2017-8834, CVE-2017-8871)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10564
* Updated: 2019-07-23T10:32:31Z
* Author: Alicha CH

CVE-2017-7960: The cr_input_new_from_uri function in cr-input.c in
libcroco 0.6.11 and 0.6.12 allows remote attackers to cause a denial of
service (heap-based buffer over-read) via a crafted CSS file.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2017-7960
https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
### Patch:
https://git.gnome.org/browse/libcroco/commit/?id=898e3a8c8c0314d2e6b106809a8e3e93cf9d4394
CVE-2017-7961: The cr_tknzr_parse_rgb function in cr-tknzr.c in
libcroco 0.6.11 and 0.6.12 has an “outside the range
of representable values of type long” undefined behavior issue, which
might allow remote attackers to cause a denial
of service (application crash) or possibly have unspecified other impact
via a crafted CSS file.
### References:
https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
### Patch:
https://git.gnome.org/browse/libcroco/commit/?id=9ad72875e9f08e4c519ef63d44cdbd94aa9504f7
CVE-2017-8834: The cr_tknzr_parse_comment function in cr-tknzr.c in
libcroco 0.6.12 allows remote
attackers to cause a denial of service (memory allocation error) via a
crafted CSS file.
### References:
https://bugzilla.gnome.org/show_bug.cgi?id=782647
https://nvd.nist.gov/vuln/detail/CVE-2017-8834
CVE-2017-8871: The cr_parser_parse_selector_core function in
cr-parser.c in libcroco 0.6.12 allows remote
attackers to cause a denial of service (infinite loop and CPU
consumption) via a crafted CSS file.
### References:
https://bugzilla.gnome.org/show_bug.cgi?id=782649
https://nvd.nist.gov/vuln/detail/CVE-2017-8871
*(from redmine: issue id 10564, created on 2019-06-13)*
* Relations:
* parent #10563
* Milestone: 3.9.5
* Assignee: Leo

## [3.8] libcroco: Multiple vulnerabilities (CVE-2017-7960, CVE-2017-7961, CVE-2017-8834, CVE-2017-8871)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10565
* Updated: 2019-07-23T10:34:17Z
* Author: Alicha CH

CVE-2017-7960: The cr_input_new_from_uri function in cr-input.c in
libcroco 0.6.11 and 0.6.12 allows remote attackers to cause a denial of
service (heap-based buffer over-read) via a crafted CSS file.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2017-7960
https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
### Patch:
https://git.gnome.org/browse/libcroco/commit/?id=898e3a8c8c0314d2e6b106809a8e3e93cf9d4394
CVE-2017-7961: The cr_tknzr_parse_rgb function in cr-tknzr.c in
libcroco 0.6.11 and 0.6.12 has an “outside the range
of representable values of type long” undefined behavior issue, which
might allow remote attackers to cause a denial
of service (application crash) or possibly have unspecified other impact
via a crafted CSS file.
### References:
https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
### Patch:
https://git.gnome.org/browse/libcroco/commit/?id=9ad72875e9f08e4c519ef63d44cdbd94aa9504f7
CVE-2017-8834: The cr_tknzr_parse_comment function in cr-tknzr.c in
libcroco 0.6.12 allows remote
attackers to cause a denial of service (memory allocation error) via a
crafted CSS file.
### References:
https://bugzilla.gnome.org/show_bug.cgi?id=782647
https://nvd.nist.gov/vuln/detail/CVE-2017-8834
CVE-2017-8871: The cr_parser_parse_selector_core function in
cr-parser.c in libcroco 0.6.12 allows remote
attackers to cause a denial of service (infinite loop and CPU
consumption) via a crafted CSS file.
### References:
https://bugzilla.gnome.org/show_bug.cgi?id=782649
https://nvd.nist.gov/vuln/detail/CVE-2017-8871
*(from redmine: issue id 10565, created on 2019-06-13)*
* Relations:
* parent #10563
* Milestone: 3.8.5
* Assignee: Leo

## [3.7] libcroco: Multiple vulnerabilities (CVE-2017-7960, CVE-2017-7961, CVE-2017-8834, CVE-2017-8871)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10566
* Updated: 2019-07-23T10:34:19Z
* Author: Alicha CH

CVE-2017-7960: The cr_input_new_from_uri function in cr-input.c in
libcroco 0.6.11 and 0.6.12 allows remote attackers to cause a denial of
service (heap-based buffer over-read) via a crafted CSS file.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2017-7960
https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
### Patch:
https://git.gnome.org/browse/libcroco/commit/?id=898e3a8c8c0314d2e6b106809a8e3e93cf9d4394
CVE-2017-7961: The cr_tknzr_parse_rgb function in cr-tknzr.c in
libcroco 0.6.11 and 0.6.12 has an “outside the range
of representable values of type long” undefined behavior issue, which
might allow remote attackers to cause a denial
of service (application crash) or possibly have unspecified other impact
via a crafted CSS file.
### References:
https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
### Patch:
https://git.gnome.org/browse/libcroco/commit/?id=9ad72875e9f08e4c519ef63d44cdbd94aa9504f7
CVE-2017-8834: The cr_tknzr_parse_comment function in cr-tknzr.c in
libcroco 0.6.12 allows remote
attackers to cause a denial of service (memory allocation error) via a
crafted CSS file.
### References:
https://bugzilla.gnome.org/show_bug.cgi?id=782647
https://nvd.nist.gov/vuln/detail/CVE-2017-8834
CVE-2017-8871: The cr_parser_parse_selector_core function in
cr-parser.c in libcroco 0.6.12 allows remote
attackers to cause a denial of service (infinite loop and CPU
consumption) via a crafted CSS file.
### References:
https://bugzilla.gnome.org/show_bug.cgi?id=782649
https://nvd.nist.gov/vuln/detail/CVE-2017-8871
*(from redmine: issue id 10566, created on 2019-06-13)*
* Relations:
* parent #10563
* Milestone: 3.7.4
* Assignee: Leo

## dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass (CVE-2019-12749)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10567
* Updated: 2019-07-23T11:07:04Z
* Author: Alicha CH

dbus is the reference implementation of D-Bus, an asynchronous
inter-process communication system commonly used for system services
or within a desktop session on Linux and other operating systems.

Joe Vennix of Apple Information Security discovered an implementation flaw
in the DBUS_COOKIE_SHA1 authentication mechanism. A malicious client with
write access to its own home directory could manipulate a ~/.dbus-keyrings
symlink to cause a DBusServer with a different uid to read and write in
unintended locations. In the worst case, this could result in the
DBusServer reusing a cookie that is known to the malicious client, and
treating that cookie as evidence that a subsequent client connection came
from an attacker-chosen uid, allowing authentication bypass.

This vulnerability does not normally affect the standard system
dbus-daemon, which only allows the EXTERNAL authentication mechanism. In
supported branches of dbus it also does not normally affect the standard
session dbus-daemon, for the same reason.

However, this vulnerability can affect third-party users of DBusServer
(such as Upstart in Ubuntu 14.04 LTS), third-party dbus-daemon instances,
standard dbus-daemon instances with non-standard configuration, and the
session bus in older/unsupported dbus branches (such as dbus 1.6.x in
Ubuntu 14.04 LTS).

Vulnerable versions: all < 1.10.28, 1.12.x < 1.12.16, 1.13.x < 1.13.12
Fixed versions: all >= 1.13.12, 1.12.x >= 1.12.16, 1.10.x >= 1.10.28
### References:
https://gitlab.freedesktop.org/dbus/dbus/issues/269
http://www.openwall.com/lists/oss-security/2019/06/11/2
### Patch:
https://gitlab.freedesktop.org/dbus/dbus/commit/47b1a4c41004bf494b87370987b222c934b19016
*(from redmine: issue id 10567, created on 2019-06-13, closed on 2019-06-20)*
* Relations:
* child #10568
* child #10569
* child #10570
* child #10571
* Assignee: Natanael Copa

## [3.10] dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass (CVE-2019-12749)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10568
* Updated: 2019-07-23T11:07:02Z
* Author: Alicha CH

dbus is the reference implementation of D-Bus, an asynchronous
inter-process communication system commonly used for system services
or within a desktop session on Linux and other operating systems.

Joe Vennix of Apple Information Security discovered an implementation flaw
in the DBUS_COOKIE_SHA1 authentication mechanism. A malicious client with
write access to its own home directory could manipulate a ~/.dbus-keyrings
symlink to cause a DBusServer with a different uid to read and write in
unintended locations. In the worst case, this could result in the
DBusServer reusing a cookie that is known to the malicious client, and
treating that cookie as evidence that a subsequent client connection came
from an attacker-chosen uid, allowing authentication bypass.

This vulnerability does not normally affect the standard system
dbus-daemon, which only allows the EXTERNAL authentication mechanism. In
supported branches of dbus it also does not normally affect the standard
session dbus-daemon, for the same reason.

However, this vulnerability can affect third-party users of DBusServer
(such as Upstart in Ubuntu 14.04 LTS), third-party dbus-daemon instances,
standard dbus-daemon instances with non-standard configuration, and the
session bus in older/unsupported dbus branches (such as dbus 1.6.x in
Ubuntu 14.04 LTS).

Vulnerable versions: all < 1.10.28, 1.12.x < 1.12.16, 1.13.x < 1.13.12
Fixed versions: all >= 1.13.12, 1.12.x >= 1.12.16, 1.10.x >= 1.10.28
### References:
https://gitlab.freedesktop.org/dbus/dbus/issues/269
http://www.openwall.com/lists/oss-security/2019/06/11/2
### Patch:
https://gitlab.freedesktop.org/dbus/dbus/commit/47b1a4c41004bf494b87370987b222c934b19016
*(from redmine: issue id 10568, created on 2019-06-13, closed on 2019-06-20)*
* Relations:
* parent #10567
* Changesets:
* Revision fa0e230be9fd2e79919214ecab466f5149cab5fe by Natanael Copa on 2019-06-17T09:49:34Z:
```
main/dbus: upgrade to 1.12.16 (CVE-2019-12749)
fixes #10568
```
* Milestone: 3.10.0
* Assignee: Natanael Copa

## [3.9] dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass (CVE-2019-12749)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10569
* Updated: 2019-07-23T11:07:01Z
* Author: Alicha CH

dbus is the reference implementation of D-Bus, an asynchronous
inter-process communication system commonly used for system services
or within a desktop session on Linux and other operating systems.

Joe Vennix of Apple Information Security discovered an implementation flaw
in the DBUS_COOKIE_SHA1 authentication mechanism. A malicious client with
write access to its own home directory could manipulate a ~/.dbus-keyrings
symlink to cause a DBusServer with a different uid to read and write in
unintended locations. In the worst case, this could result in the
DBusServer reusing a cookie that is known to the malicious client, and
treating that cookie as evidence that a subsequent client connection came
from an attacker-chosen uid, allowing authentication bypass.

This vulnerability does not normally affect the standard system
dbus-daemon, which only allows the EXTERNAL authentication mechanism. In
supported branches of dbus it also does not normally affect the standard
session dbus-daemon, for the same reason.

However, this vulnerability can affect third-party users of DBusServer
(such as Upstart in Ubuntu 14.04 LTS), third-party dbus-daemon instances,
standard dbus-daemon instances with non-standard configuration, and the
session bus in older/unsupported dbus branches (such as dbus 1.6.x in
Ubuntu 14.04 LTS).

Vulnerable versions: all < 1.10.28, 1.12.x < 1.12.16, 1.13.x < 1.13.12
Fixed versions: all >= 1.13.12, 1.12.x >= 1.12.16, 1.10.x >= 1.10.28
### References:
https://gitlab.freedesktop.org/dbus/dbus/issues/269
http://www.openwall.com/lists/oss-security/2019/06/11/2
### Patch:
https://gitlab.freedesktop.org/dbus/dbus/commit/47b1a4c41004bf494b87370987b222c934b19016
*(from redmine: issue id 10569, created on 2019-06-13, closed on 2019-06-20)*
* Relations:
* parent #10567
* Changesets:
* Revision 4197c781d3fe1b09de37fa74c222bad3183c187f by Natanael Copa on 2019-06-17T09:53:00Z:
```
main/dbus: upgrade to 1.10.28 (CVE-2019-12749)
fixes #10569
```
* Milestone: 3.9.5
* Assignee: Natanael Copa