aports issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues
Updated: 2019-07-23T11:34:51Z

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8615
[3.6] xen: Multiple vulnerabilities (CVE-2018-7540, CVE-2018-7541, CVE-2018-7542)
Updated: 2019-07-23T11:34:51Z
Author: Alicha CH

**CVE-2018-7540, XSA-252**: DoS via non-preemptable L3/L4 pagetable
freeing
All Xen versions are vulnerable.
### Reference:
http://xenbits.xen.org/xsa/advisory-252.html
**CVE-2018-7541, XSA-255**: grant table v2 ->v1 transition may crash
Xen
Xen versions 4.0 and newer are vulnerable.
### Reference:
http://xenbits.xen.org/xsa/advisory-255.html
**CVE-2018-7542, XSA-256**: x86 PVH guest without LAPIC may DoS the host
Xen version 4.8 and onwards are vulnerable.
### Reference:
http://xenbits.xen.org/xsa/advisory-256.html
*(from redmine: issue id 8615, created on 2018-03-06, closed on 2018-03-19)*
* Relations:
* copied_to #8612
* parent #8612
* Changesets:
* Revision 7a017e10fd6de2f5477c69120b540b2cd74652a1 on 2018-03-12T10:56:07Z:
```
main/xen: security fixes
CVE-2018-7540, CVE-2018-7541, CVE-2018-7542
Fixes #8615
```
Milestone: 3.6.3
Assignee: Ariadne Conill (ariadne@ariadne.space)

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8614
[3.7] xen: Multiple vulnerabilities (CVE-2018-7540, CVE-2018-7541, CVE-2018-7542)
Updated: 2019-07-23T11:34:52Z
Author: Alicha CH

**CVE-2018-7540, XSA-252**: DoS via non-preemptable L3/L4 pagetable
freeing
All Xen versions are vulnerable.
### Reference:
http://xenbits.xen.org/xsa/advisory-252.html
**CVE-2018-7541, XSA-255**: grant table v2 ->v1 transition may crash
Xen
Xen versions 4.0 and newer are vulnerable.
### Reference:
http://xenbits.xen.org/xsa/advisory-255.html
**CVE-2018-7542, XSA-256**: x86 PVH guest without LAPIC may DoS the host
Xen version 4.8 and onwards are vulnerable.
### Reference:
http://xenbits.xen.org/xsa/advisory-256.html
*(from redmine: issue id 8614, created on 2018-03-06, closed on 2018-03-19)*
* Relations:
* copied_to #8612
* parent #8612
* Changesets:
* Revision 1fb3325abc8bc3f37fa93c0663908c29e9154087 on 2018-03-06T12:31:18Z:
```
main/xen: security fixes
CVE-2018-7540, XSA-252
CVE-2018-7541, XSA-255
CVE-2018-7542, XSA-256
Fixes #8614
```
Milestone: 3.7.1
Assignee: Ariadne Conill (ariadne@ariadne.space)

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8613
[3.8] xen: Multiple vulnerabilities (CVE-2018-7540, CVE-2018-7541, CVE-2018-7542)
Updated: 2019-07-23T11:34:53Z
Author: Alicha CH

**CVE-2018-7540, XSA-252**: DoS via non-preemptable L3/L4 pagetable
freeing
All Xen versions are vulnerable.
### Reference:
http://xenbits.xen.org/xsa/advisory-252.html
**CVE-2018-7541, XSA-255**: grant table v2 ->v1 transition may crash
Xen
Xen versions 4.0 and newer are vulnerable.
### Reference:
http://xenbits.xen.org/xsa/advisory-255.html
**CVE-2018-7542, XSA-256**: x86 PVH guest without LAPIC may DoS the host
Xen version 4.8 and onwards are vulnerable.
### Reference:
http://xenbits.xen.org/xsa/advisory-256.html
*(from redmine: issue id 8613, created on 2018-03-06, closed on 2018-03-19)*
* Relations:
* copied_to #8612
* parent #8612
* Changesets:
* Revision 6f854a08591e446ab616d0aac83e843cddcff8a9 by Daniel Sabogal on 2018-03-19T08:17:54Z:
```
main/xen: security fixes for XSA-252, XSA-255, and XSA-256
CVE-2018-7540 XSA-252
CVE-2018-7541 XSA-255
CVE-2018-7542 XSA-256
fixes #8613
```
Milestone: 3.8.0
Assignee: Ariadne Conill (ariadne@ariadne.space)

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8612
xen: Multiple vulnerabilities (CVE-2018-7540, CVE-2018-7541, CVE-2018-7542)
Updated: 2019-07-23T11:34:55Z
Author: Alicha CH

**CVE-2018-7540, XSA-252**: DoS via non-preemptable L3/L4 pagetable
freeing
All Xen versions are vulnerable.
### Reference:
http://xenbits.xen.org/xsa/advisory-252.html
**CVE-2018-7541, XSA-255**: grant table v2 ->v1 transition may crash
Xen
Xen versions 4.0 and newer are vulnerable.
### Reference:
http://xenbits.xen.org/xsa/advisory-255.html
**CVE-2018-7542, XSA-256**: x86 PVH guest without LAPIC may DoS the host
Xen version 4.8 and onwards are vulnerable.
### Reference:
http://xenbits.xen.org/xsa/advisory-256.html
*(from redmine: issue id 8612, created on 2018-03-06, closed on 2018-03-19)*
* Relations:
* copied_to #8613
* copied_to #8614
* copied_to #8615
* copied_to #8616
* copied_to #8617
* child #8613
* child #8614
* child #8615
* child #8616
* child #8617
Assignee: Ariadne Conill (ariadne@ariadne.space)

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8611
dovecot: TLS logins not working with default configuration
Updated: 2019-07-23T11:34:56Z
Author: Kaarle Ritvanen

Starting from dovecot version 2.2.34, TLS logins are failing with the
following error message:
Fatal: Unknown ssl_protocols setting: Unrecognized protocol ‘SSLv2’
Libressl does not support SSLv2, but dovecot assumes the contrary
because macro SSL_TXT_SSLv2 is defined. Manually setting the
ssl_protocols option resolves the problem.
*(from redmine: issue id 8611, created on 2018-03-06, closed on 2018-03-24)*

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8609
mkinitfs: nlplug-findfs mount zfs filesystems on import
Updated: 2021-09-28T13:23:19Z
Author: Alexander Zubkov

Hello. As I see nlplug-findfs calls zpool import without any additional
parameters during its work:
https://github.com/alpinelinux/mkinitfs/blob/master/nlplug-findfs.c#L508
In that case imported pool’s filesystems are mounted by default if they
have mountpoint properties.
When later initramfs pivots into new root, they are left there mounted
and can not be used because zfs thinks they are already mounted and
cannot unmount them at the same time.
I think it would be better to do zpool import with “-N” option to not
mount filesystems by default and then mount specified root filesystem
somehow.
Also, I think providing some means to specify “-f” option would be nice
too in cases when pool that was imported to other system needs to be
imported.
*(from redmine: issue id 8609, created on 2018-03-05)*

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8608
Memcache 1.5.3 not working
Updated: 2019-12-05T06:15:40Z
Author: Kévin Guignard

Hi, **memcached 1.5.3** of Alpine **3.7** is not working: the basic
test with ***telnet*** gives nothing.
The connection is opened but the server doesn’t respond anything.
Also the version 1.4.36 from Alpine 3.6 works like a charm.
*(from redmine: issue id 8608, created on 2018-03-05)*
Milestone: 3.7.4

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8607
Could someone please create a package for php7-gearman?
Updated: 2019-07-23T11:34:57Z
Author: algitbot

Note:
The pecl repo (https://pecl.php.net/package/gearman) is abandoned, php7
support and v2.0.3 is available from wcgallego on github.
See these for context:
https://github.com/hjr3/pecl-gearman/issues/12
https://github.com/wcgallego/pecl-gearman/issues/33
I use the below to build currently and it seems to work ok. Would
someone be able to drop it into a package?
```
# Depends
apk add --update -X 'http://dl-cdn.alpinelinux.org/alpine/edge/testing' \
  gearman-libs
# Build Depends
apk add --update -X 'http://dl-cdn.alpinelinux.org/alpine/edge/testing' \
  gearman-dev \
  php7-dev \
  build-base
# Build
mkdir -p /tmp/install
cd /tmp/install
wget https://github.com/wcgallego/pecl-gearman/archive/gearman-2.0.3.zip
unzip gearman-*.zip
cd pecl-gearman-gearman-*
phpize
./configure
make install
echo "extension=gearman.so" > /etc/php7/conf.d/51_gearman.ini
rm -rf /tmp/install/
apk del --purge php7-dev build-base gearman-dev
```
*(from redmine: issue id 8607, created on 2018-03-05, closed on 2018-03-07)*
Milestone: 3.8.0
Assignee: Valery Kartel

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8606
Compile kernel with AppArmor and SELinux enabled
Updated: 2021-03-18T08:56:19Z
Author: Vincent Bentley

With hardened Alpine Linux kernels likely to be a thing of the past
soon, can we have AppArmor and SELinux enabled in new kernels?
*(from redmine: issue id 8606, created on 2018-03-04)*

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8605
Firefox won't start
Updated: 2019-07-14T19:06:01Z
Author: Fredrik Gustafsson

Using the edge version, firefox won’t start with the following error
message:
XPCOMGlueLoad error for file /usr/lib/firefox-58.0.1/libxul.so:
Error relocating /usr/lib/firefox-58.0.1/libxul.so:
sqlite3_unlock_notify: symbol not found
Couldn’t load XPCOM.
*(from redmine: issue id 8605, created on 2018-03-04)*

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8604
Google maps not working
Updated: 2020-01-19T14:50:04Z
Author: Fredrik Gustafsson

Using chromium on edge, google maps hangs every time it’s loaded.
Reproduce:
1. goto maps.google.com
2. try to interact with the page, for example zoom
*(from redmine: issue id 8604, created on 2018-03-04)*

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8602
zipnote crashes when updating filename in a zip file
Updated: 2020-01-19T14:58:42Z
Author: algitbot

Trying to use zipnote to change a filename in a zip file results in a
segfault, for e.g.
$ touch a.txt
$ zip files.zip a.txt
adding: a.txt (stored 0%)
$ printf "@ a.txt\n@=b.txt\n" | zipnote -w files.zip
zipnote error: Bad file descriptor
zipnote error: Temporary file failure (ziPHFCbk)
zipnote error: Interrupted (aborting)
Segmentation fault (core dumped)
Apparently this is an old bug in zip 3.0 which was only fixed in an
unreleased 3.1b version (according to
https://www.linuxquestions.org/questions/slackware-14/request-slackware-info-zip-zipnote-be-patched-to-support-writing-back-comments-4175502665/).
However, the fix has been applied on other Linux distros (e.g.
https://bugs.archlinux.org/task/47713 and
https://bugzilla.redhat.com/show_bug.cgi?id=1179420)
I tried the same patch on alpine 3.7 and fixed the issue.
<pre>
$ apk add build-base
$ wget ftp://ftp.info-zip.org/pub/infozip/src/zip30.zip
$ unzip zip30.zip
$ cd zip30
$ cat ../zipnote.patch
a/zipnote.c b/zipnote.c
index 5e02cb6..996f012 100644
—- a/zipnote.c
<span class="underline"></span>+ b/zipnote.c
@@ –661,7 +661,7 @@ char \***argv; /** command line tokens \*/
if ((r = zipcopy(z)) != ZE\_OK)
ziperr(r, “was copying an entry”);
}
- fclose(x);
+ fclose(in\_file);
/\* Write central directory and end of central directory with new
comments \*/
if ((c = zftello(y)) == (zoff\_t)–1) /\* get start of central \*/
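Review bot: the replacement at line 664 removes the only close of `x` visible in this hunk, so confirm that `x` is not an open stream at this point (or is closed elsewhere) before relying on `fclose(in_file)` alone. The new `fclose(in_file)` also ignores its return value while the neighbouring `zipcopy(z)` and `zftello(y)` calls are checked; consider reporting a failure through `ziperr` in the same way.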
$ patch -p1 < ../zipnote.patch
$ make -f unix/Makefile generic
$ printf "@ a.txt\n@=b.txt\n" | zip30/zipnote -w files.zip
$ unzip -l files.zip
Archive:  files.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
        0  03-03-2018 04:17   b.txt
---------                     -------
        0                     1 files
</pre>
*(from redmine: issue id 8602, created on 2018-03-03)*

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8601
if grub is used, why to load /etc/update-extlinux.conf
Updated: 2019-07-23T11:34:58Z
Author: jiri b

Hi,
apk del syslinux
apk add grub
…so one wants to use grub. but why is grub patched to load a kind of
syslinux (extlinux) related script?
1. grep -nC3 /etc/update-extlinux.conf /etc/grub.d/10_linux
21-exec_prefix="/usr"
22-datarootdir="/usr/share"
23-
24:. /etc/update-extlinux.conf
25-. "$pkgdatadir/grub-mkconfig_lib"
26-
27-GRUB_CMDLINE_LINUX_DEFAULT="modules=${modules} ${default_kernel_opts} ${GRUB_CMDLINE_LINUX_DEFAULT}"
imo there should be condition if possible.
*(from redmine: issue id 8601, created on 2018-03-02, closed on 2019-01-23)*
* Changesets:
* Revision cb6c7c4b66dc4640425f875c7d9545dad9e7823c by Natanael Copa on 2019-01-17T18:59:46Z:
```
main/grub: misc alpine fixes for /etc/grub.d/10_linux
- do not depend on /etc/update-extlinux.conf
- remove GNU when GRUB_DISTRIBUTOR="Alpine"
- clean up initramfs search
fixes #8601
```
Milestone: 3.9.0
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8600
bird multihoming
Updated: 2020-05-08T16:51:16Z
Author: algitbot

I have installed bird from edge testing and it is missing multihoming,
making it impossible to run dual stacked IPv4/IPv6 bgp by default.
Could you please make it grab 2 configs by default, in a such way, for
example, Debian has:
bird has 2 instances compiled, bird6, which is looking for
/etc/bird6.conf by default (and also provides bird6c binary) and bird
that lookups /etc/bird.conf.
*(from redmine: issue id 8600, created on 2018-03-02)*
Milestone: 3.12.0

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8599
sysctl doesn't set net.ipv6.conf.all.forwarding
Updated: 2020-01-23T10:22:28Z
Author: algitbot

I have a fresh installed Alpine 3.7 extended installation and wanted to
set a sysctl value `net.ipv6.conf.all.forwarding` to 1 upon boot.
What I did is added a line `net.ipv6.conf.all.forwarding = 1` to
/etc/sysctl.d/00-alpine.conf at the end of file with 3 newlines after
the line.
The value remains 0 after reboot, but all other parameters are being
set fine, such as custom net.ipv4.ip_forward value.
I have tried what bernhardgruen suggested on IRC, creating
/etc/conf.d/sysctl with `rc_need="net"` line and following with
rc-update -u, which doesn’t provide any positive effect. I have tried
with rc_need="net.eth0", rc_need="networking" but it didn’t help.
I have IPv6 address configured in /etc/network/interfaces and it comes
up at boot, but there seems to be some problem with sysctl settings for
IPv6 which i was not able to identify.
Is there way to set this parameter to 1 at boot without touching
anything else but sysctl and inventing additional boot scripts?
*(from redmine: issue id 8599, created on 2018-03-02)*
Milestone: 3.7.4
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8598
LibreOffice inputting Umlauts fails
Updated: 2020-01-19T14:30:52Z
Author: algitbot

Whenever I try to input Umlauts (ä,ö,ü) into LibreOffice
(libreoffice-5.4.5.1-r0),
I get weird looking characters back:
Input (ö):
ö
Input (ä):
ä
Input (ü):
ü
I am using edge (updated on 2018-02-28), I have exported LC_ALL as
en_US.UTF-8.
Other applications like my terminal emulator (st),
my browser (chromium) and others handle umlauts perfectly fine.
There is no other way to force UTF-8 in LibreOffice, unfortunately.
Documents that have umlauts in them get rendered correctly.
Another user, mps in #alpine-linux in Freenode has the same problem.
*(from redmine: issue id 8598, created on 2018-02-28)*

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8597
Package libseccomp-dev missing dependency
Updated: 2019-07-23T11:34:59Z
Author: S P

Compiling applications which depend on seccomp headers from
libseccomp-dev fails with:
/usr/include/seccomp.h:27:24: fatal error: asm/unistd.h: No such file or directory
#include <asm/unistd.h>
This is included in the linux-headers package.
*(from redmine: issue id 8597, created on 2018-02-28, closed on 2019-05-03)*
* Changesets:
* Revision d37676f48eed2de36e0522f4970214def1e722f9 by Natanael Copa on 2018-02-28T11:37:36Z:
```
main/libseccomp: fix depends for -dev
libseccomp-dev needs linux-headers
ref #8597
```
* Revision b683e4ccc61b0e1d1108f663b0e63bf61ef26371 by Natanael Copa on 2018-02-28T11:38:40Z:
```
main/libseccomp: fix depends for -dev
libseccomp-dev needs linux-headers
fixes #8597
```
Milestone: 3.7.1

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8596
[3.4] wavpack: Multiple vulnerabilities (CVE-2018-6767, CVE-2018-7253, CVE-2018-7254)
Updated: 2019-07-23T11:35:00Z
Author: Alicha CH

CVE-2018-6767: stack buffer overread via crafted wav file
---------------------------------------------------------
A stack-based buffer over-read in the ParseRiffHeaderConfig function of
cli/riff.c file of WavPack 5.1.0 allows a remote
attacker to cause a denial-of-service attack or possibly have
unspecified other impact via a maliciously crafted RF64 file.
### References:
https://github.com/dbry/WavPack/issues/27
https://nvd.nist.gov/vuln/detail/CVE-2018-6767
### Patch:
https://github.com/dbry/WavPack/commit/d5bf76b5a88d044a1be1d5656698e3ba737167e5
CVE-2018-7253: Heap-based buffer over-read in ParseDsdiffHeaderConfig function in cli/dsdiff.c
----------------------------------------------------------------------------------------------
The ParseDsdiffHeaderConfig function of the cli/dsdiff.c file of WavPack
5.1.0 allows a remote attacker to cause a
denial-of-service (heap-based buffer over-read) or possibly overwrite
the heap via a maliciously crafted DSDIFF file.
### References:
https://github.com/dbry/WavPack/issues/28
https://nvd.nist.gov/vuln/detail/CVE-2018-7253
### Patch:
https://github.com/dbry/WavPack/commit/36a24c7881427d2e1e4dc1cef58f19eee0d13aec
CVE-2018-7254: Heap-based buffer over-read in ParseCaffHeaderConfig function in cli/caff.c
------------------------------------------------------------------------------------------
The ParseCaffHeaderConfig function of the cli/caff.c file of WavPack
5.1.0 allows a remote attacker to cause a denial-of-service
(global buffer over-read), or possibly trigger a buffer overflow or
incorrect memory allocation, via a maliciously crafted CAF file.
### References:
https://github.com/dbry/WavPack/issues/26
### Patch:
https://github.com/dbry/WavPack/commit/8e3fe45a7bac31d9a3b558ae0079e2d92a04799e
*(from redmine: issue id 8596, created on 2018-02-28, closed on 2018-08-29)*
* Relations:
* copied_to #8591
* parent #8591
* Changesets:
* Revision 9dfd25362f073d372045e0b2f575b99adca85ce3 on 2018-06-11T09:26:02Z:
```
main/wavpack: security fixes
CVE-2018-6767, CVE-2018-7253, CVE-2018-7254
Fixes #8596
```
Milestone: 3.4.7
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8595
[3.5] wavpack: Multiple vulnerabilities (CVE-2018-6767, CVE-2018-7253, CVE-2018-7254)
Updated: 2019-07-23T11:35:02Z
Author: Alicha CH

CVE-2018-6767: stack buffer overread via crafted wav file
---------------------------------------------------------
A stack-based buffer over-read in the ParseRiffHeaderConfig function of
cli/riff.c file of WavPack 5.1.0 allows a remote
attacker to cause a denial-of-service attack or possibly have
unspecified other impact via a maliciously crafted RF64 file.
### References:
https://github.com/dbry/WavPack/issues/27
https://nvd.nist.gov/vuln/detail/CVE-2018-6767
### Patch:
https://github.com/dbry/WavPack/commit/d5bf76b5a88d044a1be1d5656698e3ba737167e5
CVE-2018-7253: Heap-based buffer over-read in ParseDsdiffHeaderConfig function in cli/dsdiff.c
----------------------------------------------------------------------------------------------
The ParseDsdiffHeaderConfig function of the cli/dsdiff.c file of WavPack
5.1.0 allows a remote attacker to cause a
denial-of-service (heap-based buffer over-read) or possibly overwrite
the heap via a maliciously crafted DSDIFF file.
### References:
https://github.com/dbry/WavPack/issues/28
https://nvd.nist.gov/vuln/detail/CVE-2018-7253
### Patch:
https://github.com/dbry/WavPack/commit/36a24c7881427d2e1e4dc1cef58f19eee0d13aec
CVE-2018-7254: Heap-based buffer over-read in ParseCaffHeaderConfig function in cli/caff.c
------------------------------------------------------------------------------------------
The ParseCaffHeaderConfig function of the cli/caff.c file of WavPack
5.1.0 allows a remote attacker to cause a denial-of-service
(global buffer over-read), or possibly trigger a buffer overflow or
incorrect memory allocation, via a maliciously crafted CAF file.
### References:
https://github.com/dbry/WavPack/issues/26
### Patch:
https://github.com/dbry/WavPack/commit/8e3fe45a7bac31d9a3b558ae0079e2d92a04799e
*(from redmine: issue id 8595, created on 2018-02-28, closed on 2018-08-29)*
* Relations:
* copied_to #8591
* parent #8591
* Changesets:
* Revision fb7b00ff6a263a7328d8ef29ef262efdd3979420 on 2018-06-11T09:23:41Z:
```
main/wavpack: security fixes
CVE-2018-6767, CVE-2018-7253, CVE-2018-7254
Fixes #8595
```
Milestone: 3.5.3
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/8594
[3.6] wavpack: Multiple vulnerabilities (CVE-2018-6767, CVE-2018-7253, CVE-2018-7254)
Updated: 2019-07-23T11:35:03Z
Author: Alicha CH

CVE-2018-6767: stack buffer overread via crafted wav file
---------------------------------------------------------
A stack-based buffer over-read in the ParseRiffHeaderConfig function of
cli/riff.c file of WavPack 5.1.0 allows a remote
attacker to cause a denial-of-service attack or possibly have
unspecified other impact via a maliciously crafted RF64 file.
### References:
https://github.com/dbry/WavPack/issues/27
https://nvd.nist.gov/vuln/detail/CVE-2018-6767
### Patch:
https://github.com/dbry/WavPack/commit/d5bf76b5a88d044a1be1d5656698e3ba737167e5
CVE-2018-7253: Heap-based buffer over-read in ParseDsdiffHeaderConfig function in cli/dsdiff.c
----------------------------------------------------------------------------------------------
The ParseDsdiffHeaderConfig function of the cli/dsdiff.c file of WavPack
5.1.0 allows a remote attacker to cause a
denial-of-service (heap-based buffer over-read) or possibly overwrite
the heap via a maliciously crafted DSDIFF file.
### References:
https://github.com/dbry/WavPack/issues/28
https://nvd.nist.gov/vuln/detail/CVE-2018-7253
### Patch:
https://github.com/dbry/WavPack/commit/36a24c7881427d2e1e4dc1cef58f19eee0d13aec
CVE-2018-7254: Heap-based buffer over-read in ParseCaffHeaderConfig function in cli/caff.c
------------------------------------------------------------------------------------------
The ParseCaffHeaderConfig function of the cli/caff.c file of WavPack
5.1.0 allows a remote attacker to cause a denial-of-service
(global buffer over-read), or possibly trigger a buffer overflow or
incorrect memory allocation, via a maliciously crafted CAF file.
### References:
https://github.com/dbry/WavPack/issues/26
### Patch:
https://github.com/dbry/WavPack/commit/8e3fe45a7bac31d9a3b558ae0079e2d92a04799e
*(from redmine: issue id 8594, created on 2018-02-28, closed on 2018-08-29)*
* Relations:
* copied_to #8591
* parent #8591
* Changesets:
* Revision f33256418323bfc32d596c316881a3f72f885045 on 2018-06-11T08:39:28Z:
```
main/wavpack: security fixes
CVE-2018-6767, CVE-2018-7253, CVE-2018-7254
Fixes #8594
```
Milestone: 3.6.3
Assignee: Natanael Copa