# aports issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues
Updated: 2019-07-23T11:18:35Z

## [3.9] cabextract: Buffer overflow (CVE-2018-18584)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9668
* Author: Alicha CH
* Updated: 2019-07-23T11:18:35Z

In cabextract before 1.8, the CAB block input buffer is one byte too small for the maximal Quantum block, leading to an out-of-bounds write.
### Fixed In Version:
cabextract 1.8
### References:
https://www.cabextract.org.uk
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18584
https://www.openwall.com/lists/oss-security/2018/10/22/1
*(from redmine: issue id 9668, created on 2018-11-21, closed on 2018-11-28)*
* Relations:
* parent #9667
* Milestone: 3.9.0
* Assignee: Leonardo Arena

## [3.9] libmspack: Multiple vulnerabilities (CVE-2018-18584, CVE-2018-18585, CVE-2018-18586)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9663
* Author: Alicha CH
* Updated: 2019-07-23T11:18:41Z

CVE-2018-18584: A CAB file with a Quantum-compressed block of exactly 38912 bytes will write one byte beyond the end of the input buffer
----------------------------------------------------------------------------------------------------------------------------------------
In mspack/cab.h in libmspack before 0.8alpha and cabextract before 1.8, the CAB block input buffer is one byte too small for the maximal Quantum block, leading to an out-of-bounds write.
### References:
https://www.cabextract.org.uk/libmspack/
https://nvd.nist.gov/vuln/detail/CVE-2018-18584
### Patch:
https://github.com/kyz/libmspack/commit/40ef1b4093d77ad3a5cfcee1f5cb6108b3a3bcc2
CVE-2018-18585: CHM files with blank filenames (by having embedded nulls) are allowed, which trips up clients that expect non-blank filenames
---------------------------------------------------------------------------------------------------------------------------------------------
chmd_read_headers in mspack/chmd.c in libmspack before 0.8alpha accepts a filename that has '\0' as its first or second character (such as the "/\0" name).
### References:
https://www.cabextract.org.uk/libmspack/
https://nvd.nist.gov/vuln/detail/CVE-2018-18585
### Patch:
https://github.com/kyz/libmspack/commit/8759da8db6ec9e866cb8eb143313f397f925bb4f
CVE-2018-18586: chmextract makes no attempt to protect you from relative/absolute paths in CHM filenames
--------------------------------------------------------------------------------------------------------
DISPUTED chmextract.c in the chmextract sample program, as distributed
with libmspack before 0.8alpha, does not protect against
absolute/relative pathnames in CHM files, leading to Directory
Traversal. NOTE: the vendor disputes that this is a libmspack
vulnerability, because chmextract.c was only intended as a source-code
example, not a supported application.
### References:
https://www.cabextract.org.uk/libmspack/
https://nvd.nist.gov/vuln/detail/CVE-2018-18586
### Patch:
https://github.com/kyz/libmspack/commit/7cadd489698be117c47efcadd742651594429e6d
*(from redmine: issue id 9663, created on 2018-11-21, closed on 2018-11-28)*
* Relations:
* parent #9662
* Changesets:
* Revision 3a49d88a9384e72b92ad518a7f8cf56dfe1c4513 by Natanael Copa on 2018-11-27T12:30:37Z:
```
main/libmspack: security upgrade to 0.8_alpha
CVE-2018-18584, CVE-2018-18585, CVE-2018-18586
fixes #9663
```
* Milestone: 3.9.0
* Assignee: Natanael Copa

## [3.9] curl: Multiple vulnerabilities (CVE-2018-16839, CVE-2018-16840, CVE-2018-16842)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9611
* Author: Alicha CH
* Updated: 2019-07-23T11:19:01Z

CVE-2018-16839: SASL password overflow via integer overflow
-----------------------------------------------------------
The internal function Curl_auth_create_plain_message fails to correctly verify that the passed in lengths for name and password aren't too long, then calculates a buffer size to allocate.
On systems with a 32 bit size_t, the math to calculate the buffer size triggers an integer overflow when the user name length exceeds 2GB (2^31 bytes).
This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow.
### Affected versions:
libcurl 7.33.0 to and including 7.61.1
### Not affected versions:
libcurl < 7.33.0 and >= 7.62.0
### Reference:
https://curl.haxx.se/docs/CVE-2018-16839.html
### Patch:
https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5
CVE-2018-16840: use-after-free in handle close
----------------------------------------------
When closing and cleaning up an "easy" handle in the Curl_close() function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.
### Affected versions:
libcurl 7.59.0 to and including 7.61.1
### Not affected versions:
libcurl < 7.59.0 and >= 7.62.0
### Reference:
https://curl.haxx.se/docs/CVE-2018-16840.html
### Patch:
https://github.com/curl/curl/commit/81d135d67155c5295b1033679c606165d4e28f3f
CVE-2018-16842: warning message out-of-buffer read
--------------------------------------------------
The command line tool has a generic function for displaying warning and
informational messages to stderr for various
situations. For example if an unknown command line argument is used, or
passed to it in a “config” file.
This display function formats the output to wrap at 80 columns. The wrap
logic is however flawed, so if a single word in the message is itself
longer than 80 bytes
the buffer arithmetic calculates the remainder wrong and will end up
reading behind the end of the buffer. This could lead to information
disclosure or crash.
### Reference:
https://curl.haxx.se/docs/CVE-2018-16842.html
### Patch:
https://github.com/curl/curl/commit/d530e92f59ae9bb2d47066c3c460b25d2ffeb211
*(from redmine: issue id 9611, created on 2018-11-01, closed on 2018-11-08)*
* Relations:
* parent #9610
* Changesets:
* Revision 8776c8cc044196f8f87d6fbc51e38dfa0f5aa438 on 2018-11-05T08:17:04Z:
```
main/curl: security upgrade to 7.62.0
CVE-2018-16839, CVE-2018-16840, CVE-2018-16842
Fixes #9611
```
* Milestone: 3.9.0
* Assignee: Natanael Copa

## [3.9] wireshark: Multiple vulnerabilities (CVE-2018-12086, CVE-2018-18225, CVE-2018-18226, CVE-2018-18227)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9602
* Author: Alicha CH
* Updated: 2019-07-23T11:19:09Z

CVE-2018-12086: OpcUa dissector crash
-------------------------------------
Affected versions: 2.6.0 to 2.6.3, 2.4.0 to 2.4.9
Fixed versions: 2.6.4, 2.4.10
### References:
https://www.wireshark.org/security/wnpa-sec-2018-50.html
CVE-2018-18225: CoAP dissector crash
------------------------------------
Affected versions: 2.6.0 to 2.6.3
Fixed versions: 2.6.4
### References:
https://www.wireshark.org/security/wnpa-sec-2018-49.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15172
CVE-2018-18226: Steam IHS Discovery dissector memory leak
---------------------------------------------------------
Affected versions: 2.6.0 to 2.6.3
Fixed versions: 2.6.4
### References:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15171
https://www.wireshark.org/security/wnpa-sec-2018-48.html
CVE-2018-18227: MS-WSP dissector crash
--------------------------------------
Affected versions: 2.6.0 to 2.6.3, 2.4.0 to 2.4.9
Fixed versions: 2.6.4, 2.4.10
### References:
https://www.wireshark.org/security/wnpa-sec-2018-47.html
https://www.wireshark.org/security/wnpa-sec-2018-48.html
*(from redmine: issue id 9602, created on 2018-10-29, closed on 2018-10-30)*
* Relations:
* parent #9601
* Changesets:
* Revision 9f7a391b8a4478f35a1b1f3b3b49a51a820e005e by Natanael Copa on 2018-10-29T17:16:56Z:
```
community/wireshark: security upgrade to 2.6.4
CVE-2018-12086, CVE-2018-18225, CVE-2018-18226, CVE-2018-18227
fixes #9602
```
* Milestone: 3.9.0
* Assignee: Natanael Copa

## [3.9] xorg-server: Incorrect permission check in Xorg X server allows for privilege escalation (CVE-2018-14665)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9597
* Author: Alicha CH
* Updated: 2019-07-23T11:19:15Z

A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission check for the -modulepath and -logfile options when starting the Xorg X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code under root privileges.
### Fixed In Version:
xorg-server 1.20.3
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-14665
https://marc.info/?l=oss-security&m=154047832307726&w=2
### Patch:
Introduced by:
https://gitlab.freedesktop.org/xorg/xserver/commit/032b1d79b7d04d47814a5b3a9fdd162249fea74c
(1.19.0)
Fixed by:
https://gitlab.freedesktop.org/xorg/xserver/commit/50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e
*(from redmine: issue id 9597, created on 2018-10-29, closed on 2018-10-30)*
* Relations:
* copied_to #9596
* parent #9596
* Milestone: 3.9.0
* Assignee: Natanael Copa

## [3.9] tiff: Multiple vulnerabilities (CVE-2018-10779, CVE-2018-17100, CVE-2018-17101)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9583
* Author: Alicha CH
* Updated: 2019-07-23T11:19:23Z

**CVE-2018-10779**: Heap Buffer Overflow in TIFFWriteScanline of tif_write.c
### References:
http://bugzilla.maptools.org/show_bug.cgi?id=2788
https://nvd.nist.gov/vuln/detail/CVE-2018-10779
### Patch:
https://gitlab.com/libtiff/libtiff/commit/981e43ecae83935625c86c9118c0778c942c7048
**CVE-2018-17100**: An issue was discovered in LibTIFF 4.0.9. There is an int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.
### References:
http://bugzilla.maptools.org/show_bug.cgi?id=2810
### Patch:
https://gitlab.com/libtiff/libtiff/merge_requests/33/diffs?commit_id=6da1fb3f64d43be37e640efbec60400d1f1ac39e
**CVE-2018-17101**: An issue was discovered in LibTIFF 4.0.9. There are
two out-of-bounds writes in cpTags in tools/tiff2bw.c and
tools/pal2rgb.c,
which can cause a denial of service (application crash) or possibly have
unspecified other impact via a crafted image file.
### References:
http://bugzilla.maptools.org/show_bug.cgi?id=2807
### Patch:
https://gitlab.com/libtiff/libtiff/merge_requests/33/diffs?commit_id=f1b94e8a3ba49febdd3361c0214a1d1149251577
*(from redmine: issue id 9583, created on 2018-10-25, closed on 2018-11-08)*
* Relations:
* parent #9582
* Changesets:
* Revision fb2c4a5aa0c36030c950f7885b60c306268666c8 on 2018-11-06T15:33:55Z:
```
main/tiff: security fixes
(CVE-2018-10779, CVE-2018-17100, CVE-2018-17101)
Fixes #9583
```
* Milestone: 3.9.0

## [3.9] apache2: DoS for HTTP/2 connections by continuous SETTINGS (CVE-2018-11763)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9577
* Author: Alicha CH
* Updated: 2019-07-23T11:19:30Z

In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming into effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.
### Fixed in Version:
Apache httpd 2.4.35
### References:
https://httpd.apache.org/security/vulnerabilities_24.html
*(from redmine: issue id 9577, created on 2018-10-25, closed on 2018-10-29)*
* Relations:
* parent #9576
* Changesets:
* Revision f6d1356e6015d7539e9c147abbd2e13d4e2e0251 by Andy Postnikov on 2018-10-25T10:07:45Z:
```
main/apache2: security upgrade to 2.4.35 (CVE-2018-11763)
fixes #9577
```
* Milestone: 3.9.0
* Assignee: Kaarle Ritvanen

## [3.9] libxml2: Multiple vulnerabilities (CVE-2018-9251, CVE-2018-14404, CVE-2018-14567)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9564
* Author: Alicha CH
* Updated: 2019-07-23T11:19:43Z

**CVE-2018-9251**: The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035.
### References:
https://bugzilla.gnome.org/show_bug.cgi?id=794914
### Patch:
https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74
**CVE-2018-14404**: A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.
### References:
https://gitlab.gnome.org/GNOME/libxml2/issues/5
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14404.html
### Patch:
https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594
**CVE-2018-14567**: libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.
### References:
https://gitlab.gnome.org/GNOME/libxml2/issues/13
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14567.html
### Patch:
https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74
*(from redmine: issue id 9564, created on 2018-10-23, closed on 2018-10-25)*
* Relations:
* parent #9563
* Changesets:
* Revision a6c278e2f3d21e7ffc9b25ad0cd3845c3caafcf9 by Natanael Copa on 2018-10-24T16:18:38Z:
```
main/libxml2: backport security fixes
- CVE-2018-9251
- CVE-2018-14404
- CVE-2018-14567
fixes #9564
```
* Milestone: 3.9.0
* Assignee: Carlo Landmeter

## glib-dev 2.58: don't depend on perl
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9558
* Author: Mohammed Sadiq
* Updated: 2019-07-23T11:19:46Z

glib-dev, since 2.58, no longer requires perl. All scripts are now ported to python.
*(from redmine: issue id 9558, created on 2018-10-19, closed on 2019-01-10)*
* Changesets:
* Revision 3d02166a3dfa7b700716202544ed8b5eab146ee4 by Natanael Copa on 2018-10-30T10:18:09Z:
```
main/glib: replace perl depends with python
upstream has ported all perl scripts to python
fixes #9558
```
* Milestone: 3.9.0

## [3.9] libx11: Multiple vulnerabilities (CVE-2018-14598, CVE-2018-14599, CVE-2018-14600)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9533
* Author: Alicha CH
* Updated: 2019-07-23T11:20:04Z

CVE-2018-14598: Crash on invalid reply in XListExtensions in ListExt.c
----------------------------------------------------------------------
An issue was discovered in ListExt.c:XListExtensions and GetFPath.c:XGetFontPath in libX11 through version 1.6.5. A malicious server can send a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault).
### Fixed In Version:
libX11 1.6.6
### References:
http://www.openwall.com/lists/oss-security/2018/08/21/6
https://lists.x.org/archives/xorg-announce/2018-August/002916.html
### Patch:
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=e83722768fd5c467ef61fa159e8c6278770b45c2
CVE-2018-14599: off-by-one error in XListExtensions in ListExt.c
----------------------------------------------------------------
An issue was discovered in libX11 through 1.6.5. The functions GetFPath.c:XGetFontPath, ListExt.c:XListExtensions and FontNames.c:XListFonts are vulnerable to an off-by-one error when parsing the list of strings returned by malicious server responses, leading to DoS.
### Fixed In Version:
libX11 1.6.6
### References:
http://www.openwall.com/lists/oss-security/2018/08/21/6
https://lists.x.org/archives/xorg-announce/2018-August/002916.html
### Patch:
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=b469da1430cdcee06e31c6251b83aede072a1ff0
CVE-2018-14600: Out of Bounds write in XListExtensions in ListExt.c
-------------------------------------------------------------------
An issue was discovered in libX11 through 1.6.5. The functions ListExt.c:XListExtensions and GetFPath.c:XGetFontPath interpret a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution.
### Fixed In Version:
libX11 1.6.6
### References:
http://www.openwall.com/lists/oss-security/2018/08/21/6
https://lists.x.org/archives/xorg-announce/2018-August/002916.html
### Patch:
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=dbf72805fd9d7b1846fe9a11b46f3994bfc27fea
*(from redmine: issue id 9533, created on 2018-10-08, closed on 2018-10-09)*
* Relations:
* parent #9532
* Changesets:
* Revision f673b89cd43dc3fe12a443558e82318ed03fb6ef by Natanael Copa on 2018-10-08T11:49:37Z:
```
main/libx11: security upgrade to 1.6.6
CVE-2018-14598
CVE-2018-14599
CVE-2018-14600
fixes #9533
```
* Milestone: 3.9.0
* Assignee: Natanael Copa

## [3.9] libexif: Out-of-bounds heap read in exif_data_save_data_entry function (CVE-2017-7544)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9521
* Author: Alicha CH
* Updated: 2019-07-23T11:20:12Z

One heap-based out-of-bounds read vulnerability exists in libexif-0.6.21. When saving the data of an entry tagged with "EXIF_TAG_MAKER_NOTE" to a buffer and copying the data of the exif entry, there is a mismatch between the computed read size of the entry data and the size of the allocated entry data.
The vulnerability can cause Denial-of-Service, even Information
Disclosure (disclosing some critical heap chunk metadata, even other
applications’ private data).
### References:
https://sourceforge.net/p/libexif/bugs/130/
https://nvd.nist.gov/vuln/detail/CVE-2017-7544
*(from redmine: issue id 9521, created on 2018-10-08, closed on 2018-10-09)*
* Relations:
* parent #9520
* Changesets:
* Revision 9d34941961856b21028cb4a838a1218a8edf332b on 2018-10-08T13:45:08Z:
```
main/libexif: security fix (CVE-2017-7544)
Fixes #9521
```
* Milestone: 3.9.0
* Assignee: Natanael Copa

## [3.9] gd: Double free in src/gd_bump.c:gdImageBmpPtr() via crafted JPEG (CVE-2018-1000222)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9498
* Author: Alicha CH
* Updated: 2019-07-23T11:20:31Z

Libgd version 2.2.5 contains a Double Free vulnerability in the gdImageBmpPtr function that can result in Remote Code Execution. This attack appears to be exploitable via a specially crafted JPEG image that can trigger the double free.
This vulnerability appears to have been fixed after commit ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5.
### References:
https://github.com/libgd/libgd/issues/447
https://nvd.nist.gov/vuln/detail/CVE-2018-1000222
### Patch:
https://github.com/libgd/libgd/commit/ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5
*(from redmine: issue id 9498, created on 2018-10-02, closed on 2018-10-04)*
* Relations:
* parent #9497
* Changesets:
* Revision 406fd782d7205c90c4586a1716ec8f6698263dd3 by Natanael Copa on 2018-10-02T14:04:27Z:
```
main/gd: backport security fix for CVE-2018-1000222
fixes #9498
```
* Milestone: 3.9.0
* Assignee: Carlo Landmeter

## [3.9] strongswan: Multiple vulnerabilities (CVE-2018-16151, CVE-2018-16152)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9483
* Author: Alicha CH
* Updated: 2019-07-23T11:20:40Z

**CVE-2018-16151**: In verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c in the gmp plugin in strongSwan 4.x and 5.x before 5.7.0, the RSA implementation based on GMP does not reject excess data after the encoded algorithm OID during PKCS#1 v1.5 signature verification. Similar to the flaw in the same version of strongSwan regarding digestAlgorithm.parameters, a remote attacker can forge signatures when small public exponents are being used, which could lead to impersonation when only an RSA signature is used for IKEv2 authentication.
### References:
https://www.strongswan.org/blog/2018/09/24/strongswan-vulnerability-(cve-2018-16151,-cve-2018-16152).html
https://nvd.nist.gov/vuln/detail/CVE-2018-16151
### Patches:
https://download.strongswan.org/patches/27_gmp_pkcs1_verify_patch/strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch
https://download.strongswan.org/patches/27_gmp_pkcs1_verify_patch/strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch
**CVE-2018-16152**: In verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c in the gmp plugin in strongSwan 4.x and 5.x before 5.7.0, the RSA implementation based on GMP does not reject excess data in the digestAlgorithm.parameters field during PKCS#1 v1.5 signature verification. Consequently, a remote attacker can forge signatures when small public exponents are being used, which could lead to impersonation when only an RSA signature is used for IKEv2 authentication.
### References:
https://www.strongswan.org/blog/2018/09/24/strongswan-vulnerability-(cve-2018-16151,-cve-2018-16152).html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-16152
### Patches:
https://download.strongswan.org/patches/27_gmp_pkcs1_verify_patch/strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch
https://download.strongswan.org/patches/27_gmp_pkcs1_verify_patch/strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch
*(from redmine: issue id 9483, created on 2018-09-27, closed on 2018-10-04)*
* Relations:
* parent #9482
* Changesets:
* Revision 69cb3c4ebb573f4427b512a8f3ce9f8da6edc356 on 2018-10-02T08:30:00Z:
```
main/strongswan: security upgrade to 5.7.0
- CVE-2018-16151
- CVE-2018-16152
fixes #9483
```
* Milestone: 3.9.0
* Assignee: Natanael Copa

## [3.9] bind: Update policies krb5-subdomain and ms-subdomain (CVE-2018-5741)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9462
* Author: Alicha CH
* Updated: 2019-07-23T11:20:58Z

In order to provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update request. Unfortunately some rule types were not initially documented, and when documentation for them was added to the Administrator Reference Manual (ARM) in change, the language that was added to the ARM at that time incorrectly described the behavior of two rule types, krb5-subdomain and ms-subdomain. This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were.
### Versions affected:
The behavior described is present in all versions of BIND 9 which
contain the krb5-subdomain and ms-subdomain update
policies prior to our upcoming maintenance releases, BIND 9.11.5 and
9.12.3. However, the misleading documentation
is not present in all versions.
### References:
https://kb.isc.org/docs/cve-2018-5741
https://www.openwall.com/lists/oss-security/2018/09/19/11
*(from redmine: issue id 9462, created on 2018-09-25, closed on 2018-12-04)*
* Relations:
* parent #9461
* Changesets:
* Revision 51978afa8a1151a013383d4dfe8297e90c29ff31 by Taner Tas on 2018-11-29T14:47:56Z:
```
main/bind: Upgrade to 9.12.3
* Add "--disable-isc-spnego" to use gss-spnego instead.
fixes #9462
```
* Milestone: 3.9.0
* Assignee: Natanael Copa

## [3.9] hylafax: JPEG support code execution (CVE-2018-17141)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9456
* Author: Alicha CH
* Updated: 2019-07-23T11:21:03Z

HylaFAX 6.0.6 and HylaFAX+ 5.6.0 allow remote attackers to execute arbitrary code via a dial-in session that provides a FAX page with the JPEG bit enabled, which is mishandled in FaxModem::writeECMData() in the faxd/CopyQuality.c file.
### References:
https://www.openwall.com/lists/oss-security/2018/09/20/1
https://nvd.nist.gov/vuln/detail/CVE-2018-17141
### Patch:
http://git.hylafax.org/HylaFAX?a=commit;h=82fa7bdbffc253de4d3e80a87d47fdbf68eabe36
*(from redmine: issue id 9456, created on 2018-09-24, closed on 2018-10-09)*
* Relations:
* parent #9455
* Changesets:
* Revision d4ebd7cc66c32690a483cb6e2b1d825429a4920c on 2018-10-09T06:08:39Z:
```
main/hylafax: security fix (CVE-2018-17141)
Fixes #9456
```
* Milestone: 3.9.0

## [3.9] webkit2gtk: Multiple vulnerabilities (CVE-2018-4246, CVE-2018-4261, CVE-2018-4262, CVE-2018-4263, CVE-2018-4264, CVE-2018-4265, CVE-2018-4266, CVE-2018-4267, CVE-2018-4270, CVE-2018-4272, CVE-2018-4273, CVE-2018-4278, CVE-2018-4284, CVE-2018-12911)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9452
* Author: Alicha CH
* Updated: 2019-07-23T11:21:07Z

**CVE-2018-4246**
Processing maliciously crafted web content may lead to arbitrary code
execution.
A type confusion issue was addressed with improved memory handling.
Versions affected: WebKitGTK+ before 2.20.4
**CVE-2018-4261**
Processing maliciously crafted web content may lead to arbitrary code
execution.
A memory corruption issue was addressed with improved memory handling.
Versions affected: WebKitGTK+ before 2.20.4
**CVE-2018-4262**
Processing maliciously crafted web content may lead to arbitrary code
execution.
A memory corruption issue was addressed with improved memory handling.
Versions affected: WebKitGTK+ before 2.20.4
**CVE-2018-4263**
Processing maliciously crafted web content may lead to arbitrary code
execution.
A memory corruption issue was addressed with improved memory handling.
Versions affected: WebKitGTK+ before 2.20.4
**CVE-2018-4264**
Processing maliciously crafted web content may lead to arbitrary code
execution.
A memory corruption issue was addressed with improved memory handling.
Versions affected: WebKitGTK+ before 2.20.4
**CVE-2018-4265**
Processing maliciously crafted web content may lead to arbitrary code
execution.
A memory corruption issue was addressed with improved memory handling.
Versions affected: WebKitGTK+ before 2.20.4
**CVE-2018-4266**
A malicious website may be able to cause a denial of service.
A race condition was addressed with additional validation.
Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before
2.20.2.
**CVE-2018-4267**
Processing maliciously crafted web content may lead to arbitrary code
execution.
A memory corruption issue was addressed with improved memory handling.
Versions affected: WebKitGTK+ before 2.20.4
**CVE-2018-4270**
Processing maliciously crafted web content may lead to an unexpected
application crash.
A memory corruption issue was addressed with improved memory handling.
Versions affected: WebKitGTK+ before 2.20.4
**CVE-2018-4272**
Processing maliciously crafted web content may lead to arbitrary code
execution.
A memory corruption issue was addressed with improved memory handling.
Versions affected: WebKitGTK+ before 2.20.4
**CVE-2018-4273**
Processing maliciously crafted web content may lead to an unexpected
application crash.
A memory corruption issue was addressed with improved input
validation.
Versions affected: WebKitGTK+ before 2.20.4
**CVE-2018-4278**
A malicious website may exfiltrate audio data cross-origin. Sound
fetched through audio elements
may be exfiltrated cross-origin. This issue was addressed with improved
audio taint tracking.
Versions affected: WebKitGTK+ before 2.20.4
**CVE-2018-4284**
Processing maliciously crafted web content may lead to arbitrary code
execution.
A type confusion issue was addressed with improved memory handling.
Versions affected: WebKitGTK+ before 2.20.4
**CVE-2018-12911**
Processing maliciously crafted web content may lead to arbitrary code
execution.
A buffer overflow issue was addressed with improved memory handling.
Versions affected: WebKitGTK+ before 2.20.4
### Reference:
https://webkitgtk.org/security/WSA-2018-0006.html
*(from redmine: issue id 9452, created on 2018-09-21, closed on 2018-10-02)*
* Relations:
* parent #9451
* Changesets:
* Revision 609fbb0235cf6440f5d502885c4e0531c835aed7 by Natanael Copa on 2018-09-27T10:37:24Z:
```
community/webkit2gtk: upgrade to 2.22.2
fixes #9473
fixes #9452
```
3.9.0

https://gitlab.alpinelinux.org/alpine/aports/-/issues/9443
[3.9] lcms2: heap-based buffer overflow in SetData function in cmsIT8LoadFromFile (CVE-2018-16435)
2019-07-23T11:21:13Z Alicha CH

A flaw was found in Little CMS (aka Little Color Management System) 2.9.
An integer overflow in the AllocateDataSet function in cmscgats.c leads
to a heap-based buffer overflow in the SetData function via a crafted
file in the second argument to cmsIT8LoadFromFile.
### References:
https://github.com/mm2/Little-CMS/issues/171
https://nvd.nist.gov/vuln/detail/CVE-2018-16435
### Patch:
https://github.com/mm2/Little-CMS/commit/768f70ca405cd3159d990e962d54456773bb8cf8
*(from redmine: issue id 9443, created on 2018-09-21, closed on 2018-11-08)*
* Relations:
* parent #9442
* Changesets:
* Revision 348c14c7421c7d8fcdc82fd7014fb75eed11f56f on 2018-11-06T15:54:09Z:
```
main/lcms2: security fix (CVE-2018-16435)
Fixes #9443
```
3.9.0
Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/9441
mariadb: testsuite hangs on aarch64
2019-07-23T11:21:15Z Natanael Copa

```
build-edge-aarch64:~/aports/main/mariadb/src/mariadb-10.3.9$ ctest -V -I 20,20 -E test-connect
UpdateCTestConfiguration from :/home/buildozer/aports/main/mariadb/src/mariadb-10.3.9/DartConfiguration.tcl
UpdateCTestConfiguration from :/home/buildozer/aports/main/mariadb/src/mariadb-10.3.9/DartConfiguration.tcl
Test project /home/buildozer/aports/main/mariadb/src/mariadb-10.3.9
Constructing a list of tests
Done constructing a list of tests
Updating test list for fixtures
Added 0 tests to meet fixture requirements
Checking test dependency graph...
Checking test dependency graph end
test 20
Start 20: my_apc
20: Test command: /home/buildozer/aports/main/mariadb/src/mariadb-10.3.9/unittest/sql/my_apc-t
20: Test timeout computed to be: 10000000
20: 1..1
20: # Testing APC delivery and execution
20: # test_apc_service_thread started
20: # test_apc_requestor_thread started
20: # test_apc_requestor_thread started
20: # test_apc_requestor_thread started
20: # test_apc_requestor_thread started
20: # test_apc_requestor_thread started
20: # test_apc_requestor_thread started
20: # test_apc_requestor_thread started
20: # test_apc_requestor_thread started
20: # test_apc_requestor_thread started
20: # test_apc_requestor_thread started
20: # test_apc_requestor_thread started
20: # test_apc_requestor_thread started
20: # test_apc_requestor_thread started
20: # test_apc_requestor_thread started
20: # test_apc_requestor_thread started
20: # test_apc_requestor_thread started
20: # test_apc_requestor_thread started
20: # test_apc_requestor_thread started
20: # test_apc_requestor_thread started
20: # test_apc_requestor_thread started
20: # test_apc_requestor_thread started
20: # test_apc_requestor_thread started
20: # test_apc_requestor_thread started
20: # 832 APCs served 0 missed
20: # 1646 APCs served 0 missed
20: # 2468 APCs served 0 missed
20: # 3272 APCs served 0 missed
20: # 4088 APCs served 0 missed
20: # 4924 APCs served 0 missed
20: # 5770 APCs served 0 missed
20: # 6577 APCs served 0 missed
20: # 7389 APCs served 0 missed
20: # 8232 APCs served 0 missed
20: # 9035 APCs served 0 missed
20: # 9847 APCs served 0 missed
20: # 10651 APCs served 0 missed
20: # 11477 APCs served 0 missed
20: # 12306 APCs served 0 missed
20: # Shutting down requestors
20: # test_apc_requestor_thread exiting
20: # test_apc_requestor_thread exiting
20: # test_apc_requestor_thread exiting
20: # test_apc_requestor_thread exiting
20: # test_apc_requestor_thread exiting
20: # test_apc_requestor_thread exiting
20: # test_apc_requestor_thread exiting
20: # test_apc_requestor_thread exiting
20: # test_apc_requestor_thread exiting
20: # test_apc_requestor_thread exiting
20: # test_apc_requestor_thread exiting
20: # test_apc_requestor_thread exiting
20: # test_apc_requestor_thread exiting
20: # test_apc_requestor_thread exiting
20: # test_apc_requestor_thread exiting
20: # # # # test_apc_requestor_thread exiting
```
*(from redmine: issue id 9441, created on 2018-09-21, closed on 2019-01-10)*
3.9.0

https://gitlab.alpinelinux.org/alpine/aports/-/issues/9433
[3.9] ghostscript: Incorrect "restoration of privilege" checking when running out of stack during exception handling (CVE-2018-16802)
2019-07-23T11:21:21Z Alicha CH

An issue was discovered in Artifex Ghostscript before 9.25. Incorrect
“restoration of privilege” checking when running out of stack during
exception handling could be used by attackers able to supply crafted
PostScript to execute code using the “pipe” instruction. This is due to
an incomplete fix for CVE-2018-16509.
### References:
https://seclists.org/oss-sec/2018/q3/228
https://seclists.org/oss-sec/2018/q3/229
https://seclists.org/oss-sec/2018/q3/233
### Patches:
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=643b24db
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=3e5d316b
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5812b1b7
*(from redmine: issue id 9433, created on 2018-09-20, closed on 2018-11-08)*
* Relations:
* copied_to #9432
* parent #9432
3.9.0

https://gitlab.alpinelinux.org/alpine/aports/-/issues/9427
[3.9] libjpeg-turbo: "cjpeg" utility large loop because read_pixel in rdtarga.c mishandles EOF (CVE-2018-11813)
2019-07-23T11:11:16Z Alicha CH

“cjpeg” utility large loop because read\_pixel in rdtarga.c mishandles EOF
### Reference:
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/242
### Patch:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/19074854d9d8bc32dff3ed252eed17ed6cc2ecfc
*(from redmine: issue id 9427, created on 2018-09-20, closed on 2018-09-27)*
* Relations:
* parent #9426
* Changesets:
* Revision d99aa8e3f0c88299d5094270594708793d135723 by Natanael Copa on 2018-09-25T11:00:55Z:
```
main/libjpeg-turbo: backport security fix (CVE-2018-11813)
fixes #9427
```
3.9.0
Natanael Copa