alpine issues (https://gitlab.alpinelinux.org/groups/alpine/-/issues), updated 2022-04-26T05:57:58Z

remove dns-root-hints
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11324
2022-04-26T05:57:58Z, Alex Xu (Hello71)

on Alpine, dns-root-hints contains 1) dns root hints, 2) script to update dns root hints.
I checked fedora, debian, and arch, and as far as I can tell, only debian packages 1, and nobody packages 2. I checked knot-resolver and unbound at fedora, and both packages are maintained by the software author and don't contain or depend on any sort of update script.
my conclusion is that such a script is not necessary. the dns root addresses change infrequently, and even when they do, the resolvers still work fine. 90% of a full root hints file is basically as good as 100%, because you can fetch the remaining addresses (`dig . ns @whateveryouhave`). the same is not true for dnssec roots, which, if you believe in dnssec (I don't, but that's not the point), missing any keys breaks the whole system. that's why Arch packages dnssec-anchors. but the PKGBUILD is very simple, it only has about 10 lines of code (i.e. not metadata): https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/dnssec-anchors. this is similar to Alpine dnssec-root, which is also static.
anyways, I think it doesn't make sense for minimalist Alpine to force all dns server users to install gnupg and dependencies (between glib and gcrypt, it looks like about 14 MB) for this negligible benefit. other distros work just fine using the default root hints, and Alpine is supposed to be more minimal, both in terms of differing from upstream as well as disk space, so I say kill it.

milestone: 3.14.0
assignee: Jakub Jirutka

grub: allow disabling trigger
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12484
2024-03-27T19:28:56Z, Alex Xu (Hello71)

many people want to write custom grub.cfg instead of using grub-mkconfig. i think it can be considered the "alpine way". we should make this less painful.

milestone: 3.19.0

Annoy the user when pinning packages from incompatible repositories
https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10801
2022-12-21T19:37:22Z, Alex Xu (Hello71)

Many users are following poorly-written tutorials and installing packages from incompatible repositories. For some non-Alpine distros, this may be allowed, but for Alpine it is not permitted to mix packages from different releases. There should be some mechanism for apk to tell the user that this is not supported. Two simple heuristics for Alpine would be checking the repository URL and the repository version, and if these don't match then raise an error. However, this may not work for third-party repositories or non-Alpine distros.

milestone: v3.1

replaced files are not restored when uninstalling replacing package
https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10755
2022-12-21T20:28:45Z, Alex Xu (Hello71)

example: install libc6-compat, then install gcompat, then remove gcompat. expected behavior is libc6-compat files are restored, but this doesn't happen.

milestone: v3.1

highway, libjxl: upgrade to 1.0.1, 0.7.0
https://gitlab.alpinelinux.org/alpine/aports/-/issues/14222
2024-02-22T00:22:45Z, Alex Xu (Hello71)

tracking issue for WIP https://gitlab.alpinelinux.org/alxu/aports/-/merge_requests/13

assignee: Alex Xu (Hello71)

ban indiscriminate setcap usage
https://gitlab.alpinelinux.org/alpine/tsc/-/issues/45
2023-06-15T11:04:44Z, Alex Xu (Hello71)

many aports use setcap on globally-executable programs. almost always, this is wrong. one egregious example is earlyoom, which does `setcap 'cap_kill,cap_ipc_lock,cap_setpcap=+ep' usr/bin/earlyoom`. this allows any user on the system to trivially kill selective processes by simply running `earlyoom -m 99 --prefer whatever`. `cap_setpcap` is even more terrible, since it could potentially allow bypassing the entire multi-user security framework, and apparently isn't even needed by earlyoom?
similarly, timed does `setcap cap_sys_time+ep "$pkgdir"/usr/bin/timed-qt5`, which i believe allows anybody on the system to arbitrarily manipulate the system clock.
most packages do not do such terrible things, and only unnecessarily set cap_net_bind_service=+ep, or worse, cap_net_bind_service+eip, on the main binary. while low-port security is not a critical aspect of modern Linux security, this could potentially be combined with e.g. killing sshd (see earlier) to install a fake sshd on port 22 to harvest passwords (albeit with wrong host keys).
it appears that in most cases, this is used as a dangerously insecure alternative to proper privilege separation in the init script. the correct solution is to either use the program's own privilege dropping, or `setpriv --reuid=UID --regid=GID --init-groups --inh-caps +whatever --ambient-caps +whatever`, or some capsh equivalent. the latter two require separate helper programs to be installed (busybox setpriv is near-useless).
of current aports, kwin and powerdevil are ok because they use setcap to remove caps, not add them; netdata, wireshark, and i believe fping are ok because the programs are specifically designed to be suid; mpd and sn0int are dubious; earlyoom, timed, and probably corerad, nebula, ubridge, conntracct, and pcsx2 have serious vulnerabilities; and the rest give everybody cap_net_bind_service which is insecure but probably not horribly so.
in general, simply installing packages should not introduce new security vulnerabilities. using setcap on programs which were not specifically designed for it almost always results in this. therefore, i believe such usage should be prohibited, with exceptions on a case-by-case basis (netdata, wireshark, fping).

sse2 usage for programming languages (#20 part 1.5)
https://gitlab.alpinelinux.org/alpine/tsc/-/issues/35
2023-12-14T14:20:28Z, Alex Xu (Hello71)

the resolution in #20 doesn't address a point which is relevant but was not brought up in that issue: what to do with programming language implementations and other packages with observable excess floating-point precision differences. for example, php "guarantees" ieee 754 floating-point support, but we don't provide that on x86-32. there have been several issues filed to this effect, such as aports#11645. fixing this issue for x86-64 simply required not gratuitously setting the fpu control word, but according to @dalias, it is not possible to fully implement standard ieee 754 floats on x86-32 without either sse2 or software emulation. a somewhat similar issue affects rust, which always uses sse2 on x86-32. a freebsd patch exists to get rid of it but of somewhat dubious quality (afaik not actually tested on no-sse2 machines).

this issue is not addressed by the resolution in #20; based on my interpretation of that, we should compile qt no-sse2, as there are minimal user-facing impacts other than it running slightly slower. however, if we compile php or go or rust without sse2, then all x86-32 users will get observably different floating-point results. if we compile with sse2, then they will not run on no-sse2 cpus, which i guess is not a huge issue for php or go, but may be an issue for rust.

compiling linux kernel very slow with busybox awk, much faster with gawk
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13442
2022-03-07T11:04:22Z, Alex Xu (Hello71)

possibly mallocng related, strace showed many paired mmap/munmap. installing gawk saves some 10-20 minutes on linux compile.

assignee: Natanael Copa

setup-disk crypt doesn't add mkinitfs disk features
https://gitlab.alpinelinux.org/alpine/alpine-conf/-/issues/10498
2022-05-18T06:43:42Z, Alex Xu (Hello71)

Switch default compressor to zstd
https://gitlab.alpinelinux.org/alpine/mkinitfs/-/issues/21
2021-12-09T18:59:29Z, Alex Xu (Hello71)

Due to small window size, gzip does not take full advantage of the inter-file correlations. All other modern compressors do better; however, only a few options are actually useful. xz is slow to compress and decompress; the latter is particularly bad during boot, as the 16-bit real mode kernel decompressor stub is even slower. zstd is a good option because it decompresses quickly.
It can use excessive ram when compressing small files at very high compression levels, but for typical initramfs size (around 15 MB) and zstd -19, it uses only about 150 MB.
Implementing this would decrease the initramfs size by about 3 MB and speed up boot by about 0.1 seconds on a 3 GHz amd64 CPU; on a non-overclocked RPi Zero, that could be almost half a second of boot speed-up, plus the decreased I/O (another few hundreds of ms on a slow SD card).

Apply --size-hint when compressing to zstd
https://gitlab.alpinelinux.org/alpine/mkinitfs/-/issues/20
2021-12-09T18:48:11Z, Alex Xu (Hello71)

zstd allocates an excessive amount of memory when compressing small files from stdin at high compression presets. this can be avoided by using --size-hint. the size can be estimated by adding up the size of each file plus the size of the file names plus 106 for each file, but since all the files will most likely fit into RAM, the easiest way is to simply generate the cpio twice: once to get the size, and once to actually compress it.

Decompress kernel modules for initramfs
https://gitlab.alpinelinux.org/alpine/mkinitfs/-/issues/19
2021-12-09T18:28:47Z, Alex Xu (Hello71)

Compressing already-compressed files increases the size. Additionally, it prevents the outer compressor from taking full advantage of inter-file correlations. This accounts for about 1.5 MB of the size increase from 3.14 to 3.15 ISO.

Modernize toolchain security flags
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13246
2023-06-30T23:19:42Z, Alex Xu (Hello71)

based on https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc, https://wiki.debian.org/Hardening, https://manpages.debian.org/unstable/dpkg-dev/dpkg-buildflags.1.en.html, and https://github.com/archlinux/svntogit-packages/blob/master/pacman/trunk/makepkg.conf:
-z relro is already enabled by https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/binutils/APKBUILD#L90 and can be removed from specs.
-z now is still needed to enable full relro for musl (it expands the linker-marked relro region).
-fstack-clash-protection should probably be enabled by default.
-Wformat -Werror=format-security should be enabled in abuild.
-D_GLIBCXX_ASSERTIONS I think needs some investigation on binary size and performance.
-fcf-protection needs more investigation on which archs are compatible and what happens if specified on unsupported arch. afaik size/runtime cost is negligible though so probably should be enabled where supported.
-fasynchronous-unwind-tables is a debugging/backtrace flag, not security. already enabled by default upstream for aarch64, powerpc, s390, x86/x86_64.
-fexceptions for table thread cancellation I believe is not needed for musl because it just doesn't unwind on cancellation.
-D_FORTIFY_SOURCE, -fPIE -pie, -z relro, -z now, notext, -fstack-protector-strong are already enabled/used by default via gcc patches, specs, gcc/binutils configure args, and abuild.

assignee: Ariadne Conill <ariadne@ariadne.space>

minio: multiple vulnerabilities (CVE-2021-21287, CVE-2021-21362, CVE-2021-21390)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13229
2022-03-18T11:57:13Z, Alex Xu (Hello71)

CVE-2021-21287: MinIO is a High Performance Object Storage released under Apache License v2.0. In MinIO before version RELEASE.2021-01-30T00-20-58Z there is a server-side request forgery vulnerability. The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.). In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases, or perform post requests towards internal services which are not intended to be exposed. This is fixed in version RELEASE.2021-01-30T00-20-58Z, all users are advised to upgrade. As a workaround you can disable the browser front-end with "MINIO_BROWSER=off" environment variable.
CVE-2021-21362: MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary 'mc share upload' URL. Everyone is impacted who uses MinIO multi-users. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO.
CVE-2021-21390: MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-17T02-33-02Z, there is a vulnerability which enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures. In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipped if the client sends a false chunk size that is much greater than the actual data sent: the server accepts and completes the request without ever reaching the end of the chunk + thereby without ever checking the chunk signature. This is fixed in version RELEASE.2021-03-17T02-33-02Z. As a workaround one can avoid using "aws-chunked" encoding-based chunk signature upload requests instead use TLS. MinIO SDKs automatically disable chunked encoding signature when the server endpoint is configured with TLS.

assignee: Ariadne Conill <ariadne@ariadne.space>

remove obsolete lcms(1)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13067
2021-10-08T15:27:21Z, Alex Xu (Hello71)

only pulled in by inkscape and wine, but not actually used. !26211, !26212.

dns names starting with numbers are ignored
https://gitlab.alpinelinux.org/alpine/awall/-/issues/9648
2021-09-21T18:31:45Z, Alex Xu (Hello71)

```
$ drill acme-staging-v02.api.letsencrypt.org
[ ... ]
56a5f4b0bc8146689ec3e272c43525f9.pacloudflare.com. 300 IN A 172.65.46.172
```
rejected by https://gitlab.alpinelinux.org/alpine/awall/-/blob/master/awall/family.lua#L10 but according to https://serverfault.com/questions/638260/is-it-valid-for-a-hostname-to-start-with-a-digit this was made valid by RFC 1123

libc6-compat has wrong provides
https://gitlab.alpinelinux.org/alpine/abuild/-/issues/10040
2021-08-12T20:12:50Z, Alex Xu (Hello71)

Package request: sof (sound open firmware)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12909
2021-09-04T17:43:57Z, Alex Xu (Hello71)

community/qt5-*-dbg has no debugging symbols
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12889
2022-12-30T10:06:18Z, Alex Xu (Hello71)

```
$ gdb /lib/libc.musl-x86_64.so.1
GNU gdb (GDB) 10.2
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-alpine-linux-musl".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /lib/libc.musl-x86_64.so.1...
Reading symbols from /usr/lib/debug//lib/ld-musl-x86_64.so.1.debug...
(gdb) q
$ gdb /usr/lib/libQt5Core.so.5.15.3
GNU gdb (GDB) 10.2
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-alpine-linux-musl".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/lib/libQt5Core.so.5.15.3...
Reading symbols from /usr/lib/debug//usr/lib/libQt5Core.so.5.15.3.debug...
(No debugging symbols found in /usr/lib/debug//usr/lib/libQt5Core.so.5.15.3.debug)
(gdb)
```

Remove insecure and unmaintained qtwebkit
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12888
2022-09-12T09:31:00Z, Alex Xu (Hello71)

see https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/GXVEFT7VY5DQNATX6FHJBQBRDHRC3NRN/, https://bugs.gentoo.org/684580.
switch to webengine:
- [x] community/alkimia: https://github.com/KDE/alkimia/blob/master/CMakeLists.txt#L92
- [x] community/kmymoney: https://github.com/KDE/kmymoney/blob/master/CMakeLists.txt#L256
- [ ] testing/notepadqq: update to v2.0.0-beta for https://github.com/notepadqq/notepadqq/pull/669
- [x] community/ktorrent: https://github.com/KDE/ktorrent/commit/f5a1958ebdcacac8dd22a43623356dbf6bf6c34a
remove webkit dep:
- [x] community/rocs: https://github.com/KDE/rocs/commit/e1171bfaecb9c719b89f8ed04d60ad76ea4088dd
- [x] community/shotcut: https://github.com/mltframework/shotcut/commit/a44fe75a4dc7410668935cd0d3470994f5997571
- [x] community/umbrello: https://gitweb.gentoo.org/repo/gentoo.git/tree/kde-apps/umbrello/files/umbrello-20.08.3-no-qtwebkit.patch
- [x] testing/recoll: https://framagit.org/medoc92/recoll/-/commit/504705879b7ad900b9f3924ca959978f8619c815
remove package:
- [x] community/qt5-qtwebkit
- [x] community/kdewebkit: kde wrapper for qtwebkit
- [x] community/wkhtmltopdf: basically unmaintained upstream, and wanted special qtwebkit patches anyways. (less featured) alternatives exist, and those who want insecure implementation should download binary manually (and run in a sandbox...)
- [x] testing/py3-pdfkit: requires wkhtmltopdf