# alpine issues
https://gitlab.alpinelinux.org/groups/alpine/-/issues
Updated: 2019-07-23T11:18:57Z

## [3.5] curl: Multiple vulnerabilities (CVE-2018-16839, CVE-2018-16840, CVE-2018-16842)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9615
Author: Alicha CH. Updated: 2019-07-23T11:18:57Z

CVE-2018-16839: SASL password overflow via integer overflow
-----------------------------------------------------------
The internal function Curl\_auth\_create\_plain\_message fails to
correctly verify that the passed in lengths
for name and password aren’t too long, then calculates a buffer size to
allocate.
On systems with a 32 bit size\_t, the math to calculate the buffer size
triggers an integer overflow when the user name length exceeds 2GB (2^31
bytes).
This integer overflow usually causes a very small buffer to actually get
allocated instead of the intended very huge one, making the use of that
buffer end up in a heap buffer overflow.
### Affected versions:
libcurl 7.33.0 to and including 7.61.1
### Not affected versions:
libcurl < 7.33.0 and >= 7.62.0
### Reference:
https://curl.haxx.se/docs/CVE-2018-16839.html
### Patch:
https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5
CVE-2018-16840: use-after-free in handle close
----------------------------------------------
When closing and cleaning up an “easy” handle in the Curl\_close()
function, the library code first frees a struct (without nulling the
pointer) and might
then subsequently erroneously write to a struct field within that
already freed struct.
### Affected versions:
libcurl 7.59.0 to and including 7.61.1
### Not affected versions:
libcurl < 7.59.0 and >= 7.62.0
### Reference:
https://curl.haxx.se/docs/CVE-2018-16840.html
### Patch:
https://github.com/curl/curl/commit/81d135d67155c5295b1033679c606165d4e28f3f
CVE-2018-16842: warning message out-of-buffer read
--------------------------------------------------
The command line tool has a generic function for displaying warning and
informational messages to stderr for various
situations. For example if an unknown command line argument is used, or
passed to it in a “config” file.
This display function formats the output to wrap at 80 columns. The wrap
logic is however flawed, so if a single word in the message is itself
longer than 80 bytes
the buffer arithmetic calculates the remainder wrong and will end up
reading behind the end of the buffer. This could lead to information
disclosure or crash.
### Reference:
https://curl.haxx.se/docs/CVE-2018-16842.html
### Patch:
https://github.com/curl/curl/commit/d530e92f59ae9bb2d47066c3c460b25d2ffeb211
*(from redmine: issue id 9615, created on 2018-11-01, closed on 2018-11-08)*
* Relations:
* parent #9610
* Changesets:
* Revision 73c7cfb12e9bf26f050b7ad2b5975c7b8c737f76 on 2018-11-06T14:48:41Z:
```
main/curl: security fixes
(CVE-2018-16839, CVE-2018-16840, CVE-2018-16842)
Fixes #9615
```
Milestone: 3.5.4. Assignee: Natanael Copa.

## [3.5] libxml2: Multiple vulnerabilities (CVE-2018-9251, CVE-2018-14404, CVE-2018-14567)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9568
Author: Alicha CH. Updated: 2019-07-23T11:19:38Z

**CVE-2018-9251**: The xz\_decomp function in xzlib.c in libxml2 2.9.8,
if --with-lzma is used, allows remote attackers to cause a denial of
service (infinite loop) via
a crafted XML file that triggers LZMA\_MEMLIMIT\_ERROR, as demonstrated
by xmllint, a different vulnerability than CVE-2015-8035.
### References:
https://bugzilla.gnome.org/show\_bug.cgi?id=794914
### Patch:
https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74
**CVE-2018-14404**: A NULL pointer dereference vulnerability exists in
the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when
parsing an invalid XPath expression in the XPATH\_OP\_AND or
XPATH\_OP\_OR case. Applications processing untrusted XSL format inputs
with the use of the libxml2 library may be vulnerable to a denial of
service attack due to a crash of the application.
### References:
https://gitlab.gnome.org/GNOME/libxml2/issues/5
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14404.html
### Patch:
https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594
**CVE-2018-14567**: libxml2 2.9.8, if --with-lzma is used, allows remote
attackers to cause a denial of service (infinite loop) via a crafted XML
file that triggers
LZMA\_MEMLIMIT\_ERROR, as demonstrated by xmllint, a different
vulnerability than CVE-2015-8035 and CVE-2018-9251.
### References:
https://gitlab.gnome.org/GNOME/libxml2/issues/13
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14567.html
### Patch:
https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74
*(from redmine: issue id 9568, created on 2018-10-23, closed on 2018-10-25)*
* Relations:
* parent #9563
* Changesets:
* Revision 878af9b6555b9b812151e55fd3294c89cf0f53ba by Natanael Copa on 2018-10-24T16:43:50Z:
```
main/libxml2: backport security fixes
- CVE-2018-9251
- CVE-2018-14404
- CVE-2018-14567
fixes #9568
```
Milestone: 3.5.4. Assignee: Carlo Landmeter.

## [3.5] libx11: Multiple vulnerabilities (CVE-2018-14598, CVE-2018-14599, CVE-2018-14600)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9537
Author: Alicha CH. Updated: 2019-07-23T11:20:00Z

CVE-2018-14598: Crash on invalid reply in XListExtensions in ListExt.c
----------------------------------------------------------------------
An issue was discovered in ListExt.c:XListExtensions and
GetFPath.c:XGetFontPath in libX11 through version 1.6.5. A malicious
server can send
a reply in which the first string overflows, causing a variable to be
set to NULL that will be freed later on, leading to DoS (segmentation
fault).
### Fixed In Version:
libX11 1.6.6
### References:
http://www.openwall.com/lists/oss-security/2018/08/21/6
https://lists.x.org/archives/xorg-announce/2018-August/002916.html
### Patch:
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=e83722768fd5c467ef61fa159e8c6278770b45c2
CVE-2018-14599: off-by-one error in XListExtensions in ListExt.c
----------------------------------------------------------------
An issue was discovered in libX11 through 1.6.5. Functions
GetFPath.c:XGetFontPath, ListExt.c:XListExtensions and
FontNames.c:XListFonts are
vulnerable to an off-by-one error when parsing list of strings returned
by malicious server responses, leading to DoS.
### Fixed In Version:
libX11 1.6.6
### References:
http://www.openwall.com/lists/oss-security/2018/08/21/6
https://lists.x.org/archives/xorg-announce/2018-August/002916.html
### Patch:
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=b469da1430cdcee06e31c6251b83aede072a1ff0
CVE-2018-14600: Out of Bounds write in XListExtensions in ListExt.c
-------------------------------------------------------------------
An issue was discovered in libX11 through 1.6.5. Functions
ListExt.c:XListExtensions and GetFPath.c:XGetFontPath interpret a
variable as signed instead
of unsigned, resulting in an out-of-bounds write (of up to 128 bytes),
leading to DoS or remote code execution.
### Fixed In Version:
libX11 1.6.6
### References:
http://www.openwall.com/lists/oss-security/2018/08/21/6
https://lists.x.org/archives/xorg-announce/2018-August/002916.html
### Patch:
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=dbf72805fd9d7b1846fe9a11b46f3994bfc27fea
*(from redmine: issue id 9537, created on 2018-10-08, closed on 2018-10-09)*
* Relations:
* parent #9532
* Changesets:
* Revision e9064e9114d515f0f789828a1b8c7390c135f541 by Natanael Copa on 2018-10-08T12:02:30Z:
```
main/libx11: security upgrade to 1.6.6
CVE-2018-14598
CVE-2018-14599
CVE-2018-14600
fixes #9537
```
Milestone: 3.5.4. Assignee: Natanael Copa.

## [3.5] strongswan: heap buffer overflow using crafted certificates (CVE-2018-17540)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9519
Author: Alicha CH. Updated: 2019-07-23T11:20:14Z

The gmp plugin in strongSwan before 5.7.1 has a buffer overflow via a
crafted certificate; the vulnerability was introduced with the patch that
fixes CVE-2018-16151/2.
### References:
https://www.strongswan.org/blog/2018/10/01/strongswan-vulnerability-(cve-2018-17540).html
https://nvd.nist.gov/vuln/detail/CVE-2018-17540
*(from redmine: issue id 9519, created on 2018-10-08, closed on 2018-10-09)*
* Relations:
* parent #9515
* Changesets:
* Revision d01a6eb23f238d10cc1b2a2e3cbfd15ca2f4b3c2 on 2018-10-08T13:33:28Z:
```
main/strongswan: security fixes
CVE-2018-16151, CVE-2018-16152, CVE-2018-17540
Fixes #9519
```
Milestone: 3.5.4. Assignee: Natanael Copa.

## [3.5] strongswan: Multiple vulnerabilities (CVE-2018-16151, CVE-2018-16152)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9487
Author: Alicha CH. Updated: 2019-07-23T11:20:36Z

**CVE-2018-16151**: In verify\_emsa\_pkcs1\_signature() in
gmp\_rsa\_public\_key.c in the gmp plugin in strongSwan 4.x and 5.x
before 5.7.0,
the RSA implementation based on GMP does not reject excess data after
the encoded algorithm OID during PKCS\#1 v1.5 signature verification.
Similar to the flaw in the same version of strongSwan regarding
digestAlgorithm.parameters, a remote attacker can forge signatures when
small
public exponents are being used, which could lead to impersonation when
only an RSA signature is used for IKEv2 authentication.
### References:
https://www.strongswan.org/blog/2018/09/24/strongswan-vulnerability-(cve-2018-16151,-cve-2018-16152).html
https://nvd.nist.gov/vuln/detail/CVE-2018-16151
### Patches:
https://download.strongswan.org/patches/27\_gmp\_pkcs1\_verify\_patch/strongswan-5.3.1-5.6.0\_gmp-pkcs1-verify.patch
https://download.strongswan.org/patches/27\_gmp\_pkcs1\_verify\_patch/strongswan-5.6.1-5.6.3\_gmp-pkcs1-verify.patch
**CVE-2018-16152**: In verify\_emsa\_pkcs1\_signature() in
gmp\_rsa\_public\_key.c in the gmp plugin in strongSwan 4.x and 5.x
before 5.7.0,
the RSA implementation based on GMP does not reject excess data in the
digestAlgorithm.parameters field during PKCS\#1 v1.5 signature
verification. Consequently, a remote attacker can forge signatures when
small public exponents are being used, which could lead to
impersonation when only an RSA signature is used for IKEv2
authentication.
### References:
https://www.strongswan.org/blog/2018/09/24/strongswan-vulnerability-(cve-2018-16151,-cve-2018-16152).html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-16152
### Patches:
https://download.strongswan.org/patches/27\_gmp\_pkcs1\_verify\_patch/strongswan-5.3.1-5.6.0\_gmp-pkcs1-verify.patch
https://download.strongswan.org/patches/27\_gmp\_pkcs1\_verify\_patch/strongswan-5.6.1-5.6.3\_gmp-pkcs1-verify.patch
*(from redmine: issue id 9487, created on 2018-09-27, closed on 2018-10-04)*
* Relations:
* parent #9482
* Changesets:
* Revision fae42a57529214cd7ee88738466541ee2f7f3643 by Natanael Copa on 2018-10-02T12:50:55Z:
```
main/strongswan: backport security fix (CVE-2018-16151, CVE-2018-16152)
fixes #9487
```
Milestone: 3.5.4. Assignee: Natanael Copa.

## [3.5] bind: Update policies krb5-subdomain and ms-subdomain (CVE-2018-5741)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9466
Author: Alicha CH. Updated: 2019-07-23T11:20:53Z

In order to provide fine-grained controls over the ability to use
Dynamic DNS (DDNS) to update records in a zone, BIND provides a feature
called update-policy. Various rules can be configured to limit the types
of updates that can be performed by a client, depending on the key used
when sending the update request. Unfortunately some rule types were not
initially documented, and when documentation for them was added to the
Administrator Reference Manual (ARM) in change, the language that was
added to the ARM at that time incorrectly described the behavior of two
rule types, krb5-subdomain and ms-subdomain. This incorrect
documentation could mislead operators into believing that policies they
had configured were more restrictive than they actually were.
### Versions affected:
The behavior described is present in all versions of BIND 9 which
contain the krb5-subdomain and ms-subdomain update
policies prior to our upcoming maintenance releases, BIND 9.11.5 and
9.12.3. However, the misleading documentation
is not present in all versions.
### References:
https://kb.isc.org/docs/cve-2018-5741
https://www.openwall.com/lists/oss-security/2018/09/19/11
*(from redmine: issue id 9466, created on 2018-09-25, closed on 2018-11-29)*
* Relations:
* parent #9461
Milestone: 3.5.4. Assignee: Natanael Copa.

## [3.5] hylafax: JPEG support code execution (CVE-2018-17141)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9460
Author: Alicha CH. Updated: 2019-07-23T11:21:00Z

HylaFAX 6.0.6 and HylaFAX+ 5.6.0 allow remote attackers to execute
arbitrary code via a dial-in session that provides a FAX page
with the JPEG bit enabled, which is mishandled in
FaxModem::writeECMData() in the faxd/CopyQuality.c file.
### References:
https://www.openwall.com/lists/oss-security/2018/09/20/1
https://nvd.nist.gov/vuln/detail/CVE-2018-17141
### Patch:
http://git.hylafax.org/HylaFAX?a=commit;h=82fa7bdbffc253de4d3e80a87d47fdbf68eabe36
*(from redmine: issue id 9460, created on 2018-09-24, closed on 2018-10-09)*
* Relations:
* parent #9455
* Changesets:
* Revision 237666ca2867db3218e5a1cb628fceb554023c53 on 2018-10-09T06:41:37Z:
```
main/hylafax: security fix (CVE-2018-17141)
Fixes #9460
```
Milestone: 3.5.4.

## [3.5] ghostscript: Incorrect "restoration of privilege" checking when running out of stack during exception handling (CVE-2018-16802)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9437
Author: Alicha CH. Updated: 2019-07-23T11:21:17Z

An issue was discovered in Artifex Ghostscript before 9.25. Incorrect
“restoration of privilege”
checking when running out of stack during exception handling could be
used by attackers able to supply
crafted PostScript to execute code using the “pipe” instruction. This is
due to an incomplete fix for CVE-2018-16509.
### References:
https://seclists.org/oss-sec/2018/q3/228
https://seclists.org/oss-sec/2018/q3/229
https://seclists.org/oss-sec/2018/q3/233
### Patches:
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=643b24db
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=3e5d316b
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5812b1b7
*(from redmine: issue id 9437, created on 2018-09-20, closed on 2018-11-08)*
* Relations:
* parent #9432
* Changesets:
* Revision 2c95720d66c8167a4dbe82ef7f5e9e5a05a9d8f1 on 2018-11-07T08:09:16Z:
```
main/ghostscript: security upgrade to 9.25 (CVE-2018-16802)
Fixes #9437
```
Milestone: 3.5.4.

## [3.5] libjpeg-turbo: Multiple vulnerabilities (CVE-2017-15232, CVE-2018-1152, CVE-2018-11813)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9431
Author: Alicha CH. Updated: 2019-07-23T11:21:24Z

**CVE-2017-15232**: libjpeg-turbo 1.5.2 has a NULL Pointer Dereference
in jdpostct.c and jquant1.c
via a crafted JPEG file.
### References:
https://github.com/libjpeg-turbo/libjpeg-turbo/pull/182
https://nvd.nist.gov/vuln/detail/CVE-2017-15232
**CVE-2018-1152**: libjpeg-turbo 1.5.90 is vulnerable to a denial of
service vulnerability caused by
a divide by zero when processing a crafted BMP image.
### Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-1152
### Patch:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/43e84cff1bb2bd8293066f6ac4eb0df61ddddbc6
**CVE-2018-11813**: the “cjpeg” utility has a large loop because read\_pixel in
rdtarga.c mishandles EOF.
### Reference:
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/242
### Patch:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/19074854d9d8bc32dff3ed252eed17ed6cc2ecfc
*(from redmine: issue id 9431, created on 2018-09-20, closed on 2018-09-27)*
* Relations:
* parent #9426
* Changesets:
* Revision 604d9ad89136c18da99e4b5ff53e9e4592490a72 by Natanael Copa on 2018-09-25T12:56:59Z:
```
main/libjpeg-turbo: security upgrade to 1.5.3 (CVE-2017-15232)
ref #9431
```
* Revision 40f5397ff51533bc91833333e4b8848708b9a7f2 on 2018-09-25T12:57:25Z:
```
main/libjpeg-turbo: Backport fix for CVE-2018-1152
Cherry-pick commit f1322ac from the 1.5.x branch
ref #9431
Signed-off-by: Euan Harris <euan.harris@docker.com>
(cherry picked from commit 8d429487fdfea72fe6b0e45659274a62fa8c89bd)
```
* Revision 1c66dc7010b4434252678917dc4e05d860cc13a2 by Natanael Copa on 2018-09-25T12:58:16Z:
```
main/libjpeg-turbo: backport security fix (CVE-2018-11813)
fixes #9431
```
Milestone: 3.5.4. Assignee: Natanael Copa.

## [3.5] curl: NTLM password overflow via integer overflow (CVE-2018-14618)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9397
Author: Alicha CH. Updated: 2019-07-23T11:21:43Z

The internal function Curl\_ntlm\_core\_mk\_nt\_hash multiplies the
length of the password by two (SUM)
to figure out how large temporary storage area to allocate from the
heap. The length value is then subsequently
used to iterate over the password and generate output into the allocated
storage buffer. On systems with a 32 bit size\_t,
the math to calculate SUM triggers an integer overflow when the password
length exceeds 2GB (2^31 bytes). This integer
overflow usually causes a very small buffer to actually get allocated
instead of the intended very huge one, making the
use of that buffer end up in a heap buffer overflow.
### Affected versions:
libcurl 7.15.4 to and including 7.61.0
### Not affected versions:
libcurl < 7.15.4 and >= 7.61.1
### References:
https://curl.haxx.se/docs/CVE-2018-14618.html
### Patch:
https://github.com/curl/curl/commit/57d299a499155d4b327e341c6024e293b0418243.patch
*(from redmine: issue id 9397, created on 2018-09-06, closed on 2018-09-20)*
* Relations:
* parent #9392
* Changesets:
* Revision be16f8462ac404319cf0dcf6c6311e873fde118f by Natanael Copa on 2018-09-19T11:31:53Z:
```
main/curl: security upgrade to 7.61.1 (CVE-2018-14618)
fixes #9397
```
Milestone: 3.5.4. Assignee: Natanael Copa.

## [3.5] ghostscript: Multiple vulnerabilities (CVE-2018-10194, CVE-2018-15908, CVE-2018-15909, CVE-2018-15910, CVE-2018-15911)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9386
Author: Alicha CH. Updated: 2019-07-23T11:21:51Z

**CVE-2018-10194**: The set\_text\_distance function in
devices/vector/gdevpdts.c in the pdfwrite component in Artifex
Ghostscript
through 9.22 does not prevent overflows in text-positioning calculation,
which allows remote attackers to cause a denial of service
(application crash) or possibly have unspecified other impact via a
crafted PDF document.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-10194
http://www.openwall.com/lists/oss-security/2018/04/19/5
### Patch:
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879
**CVE-2018-15908**: In Artifex Ghostscript 9.23 before 2018-08-23,
attackers are able to supply malicious
PostScript files to bypass .tempfile restrictions and write files.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-15908
### Patch:
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=0d3901189f245232f0161addf215d7268c4d05a3
**CVE-2018-15909**: In Artifex Ghostscript 9.23 before 2018-08-24, a
type confusion using the .shfill operator could be used by
attackers able to supply crafted PostScript files to crash the
interpreter or potentially execute code.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-15909
### Patches:
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=0b6cd1918e1ec4ffd087400a754a845180a4522b
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e01e77a36cbb2e0277bc3a63852244bec41be0f6
**CVE-2018-15910**: In Artifex Ghostscript 9.23 before 2018-08-23,
attackers able to supply crafted PostScript files
could use a type confusion in the LockDistillerParams parameter to crash
the interpreter or execute code.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-15910
### Patch:
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=c3476dde7743761a4e1d39a631716199b696b880
**CVE-2018-15911**: In Artifex Ghostscript 9.23 before 2018-08-24,
attackers able to supply crafted PostScript could use uninitialized
memory access in the aesdecode operator to crash the interpreter or
potentially execute code.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-15911
### Patch:
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=8e9ce5016db968b40e4ec255a3005f2786cce45f
*(from redmine: issue id 9386, created on 2018-09-04, closed on 2018-09-20)*
* Relations:
* parent #9381
* Changesets:
* Revision dd646650fecf6b0d42ffc26eed4a6da53a6040e5 by Andy Postnikov on 2018-09-20T08:28:26Z:
```
main/ghostscript: security upgrade to 9.24
CVE-2018-15908, CVE-2018-15909, CVE-2018-15910, CVE-2018-15911
CVE-2018-10194
fixes #9386
(cherry picked from commit c13758613f3110e14c2e9eda818406f235d996c1)
```
Milestone: 3.5.4.

## [3.5] dnsmasq: Improper validation of wildcard synthesized NSEC records (CVE-2017-15107)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9380
Author: Alicha CH. Updated: 2019-07-23T11:21:58Z

A vulnerability was found in the implementation of DNSSEC in Dnsmasq up
to and including 2.78. Wildcard synthesized
NSEC records could be improperly interpreted to prove the non-existence
of hostnames that actually exist.
### References:
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2018q1/011896.html
https://nvd.nist.gov/vuln/detail/CVE-2017-15107
### Patch:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=4fe6744a220eddd3f1749b40cac3dfc510787de6
*(from redmine: issue id 9380, created on 2018-09-04, closed on 2018-09-20)*
* Relations:
* parent #9377
* Changesets:
* Revision 2e8a7481f51b779996e20514a1e3b950796e8fa8 by Natanael Copa on 2018-09-20T08:00:13Z:
```
main/dnsmasq: backport security fix (CVE-2017-15107)
fixes #9380
```
Milestone: 3.5.4. Assignee: Natanael Copa.

## [3.5] dropbear: User enumeration vulnerability (CVE-2018-15599)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9351
Author: Alicha CH. Updated: 2019-07-23T11:22:23Z

The recv\_msg\_userauth\_request function in svr-auth.c in Dropbear
through 2018.76 is prone to a user enumeration vulnerability because
username
validity affects how fields in SSH\_MSG\_USERAUTH messages are handled,
a similar issue to CVE-2018-15473 in an unrelated codebase.
### References:
http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002108.html
https://nvd.nist.gov/vuln/detail/CVE-2018-15599
### Patch:
https://secure.ucc.asn.au/hg/dropbear/rev/5d2d1021ca00
*(from redmine: issue id 9351, created on 2018-08-28, closed on 2018-11-08)*
* Relations:
* parent #9346
* Changesets:
* Revision 8c2d71dd458536e9d5a49d021487f3e805b9d190 on 2018-11-07T10:35:15Z:
```
main/dropbear: security fix (CVE-2018-15599)
Fixes #9351
```
Milestone: 3.5.4. Assignee: Natanael Copa.

## [3.5] openssh: User enumeration via malformed packets in authentication requests (CVE-2018-15473)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9321
Author: Alicha CH. Updated: 2019-07-23T11:22:44Z

OpenSSH through 7.7 is prone to a user enumeration vulnerability due to
not delaying bailout for
an invalid authenticating user until after the packet containing the
request has been fully parsed,
related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
### References:
http://www.openwall.com/lists/oss-security/2018/08/15/5
https://nvd.nist.gov/vuln/detail/CVE-2018-15473
### Patch:
https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0
*(from redmine: issue id 9321, created on 2018-08-22, closed on 2018-09-20)*
* Relations:
* parent #9316
* Changesets:
* Revision adb2a2ada250b5756ac84b9f8ccbef204cc545f4 by Natanael Copa on 2018-09-20T10:30:19Z:
```
main/openssh: backport security fix (CVE-2018-15473)
fixes #9321
```
Milestone: 3.5.4. Assignee: Natanael Copa.

## [3.5] spice: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service (CVE-2018-10873)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9313
Author: Alicha CH. Updated: 2019-07-23T11:22:51Z

A vulnerability was discovered in SPICE before version 0.14.1 where the
generated code used for demarshalling messages
lacked sufficient bounds checks. A malicious client or server, after
authentication, could send specially crafted messages
to its peer which would result in a crash or, potentially, other
impacts.
### References:
http://openwall.com/lists/oss-security/2018/08/17/1
https://nvd.nist.gov/vuln/detail/CVE-2018-10873
### Patch:
https://gitlab.freedesktop.org/spice/spice-common/commit/bb15d4815ab586b4c4a20f4a565970a44824c42c
*(from redmine: issue id 9313, created on 2018-08-21, closed on 2018-11-08)*
* Relations:
* copied_to #9305
* parent #9305
* Changesets:
* Revision 4e7f2805ed301344dfc227ec46ed3db0338fdd15 on 2018-11-07T14:12:42Z:
```
main/spice: security fix (CVE-2018-10873)
Fixes #9313
```
Milestone: 3.5.4. Assignee: Natanael Copa.

## [3.5] krb5: Multiple vulnerabilities (CVE-2017-15088, CVE-2018-5709, CVE-2018-5710)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9304
Author: Alicha CH. Updated: 2019-07-23T11:22:57Z

CVE-2017-15088: Buffer overflow in get\_matching\_data()
--------------------------------------------------------
plugins/preauth/pkinit/pkinit\_crypto\_openssl.c in MIT Kerberos 5 (aka
krb5) through 1.15.2 mishandles Distinguished Name
(DN) fields, which allows remote attackers to execute arbitrary code or
cause a denial of service (buffer overflow and application
crash) in situations involving untrusted X.509 data, related to the
get\_matching\_data and X509\_NAME\_oneline\_ex functions.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2017-15088
https://github.com/krb5/krb5/pull/707
### Patch:
https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4
CVE-2018-5709: integer overflow in dbentry->n\_key\_data in kadmin/dbutil/dump.c
-----------------------------------------------------------------------------------
An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There
is a variable “dbentry->n\_key\_data” in kadmin/dbutil/dump.c
that can store 16-bit data but unknowingly the developer has assigned a
“u4” variable to it, which is for 32-bit data. An attacker can use
this
vulnerability to affect other artifacts of the database as we know that
a Kerberos database dump file contains trusted data.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-5709
https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities
CVE-2018-5710: NULL pointer dereference in strlen function in plugins/kdb/ldap/libkdb\_ldap/ldap\_principal2.c
--------------------------------------------------------------------------------------------------------------
An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The
pre-defined function “strlen” is getting a “NULL” string as a
parameter
value in plugins/kdb/ldap/libkdb\_ldap/ldap\_principal2.c in the Key
Distribution Center (KDC), which allows remote authenticated users
to cause a denial of service (NULL pointer dereference) via a modified
kadmin client.
### References:
https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Denial%20Of%20Service%28DoS%29
https://nvd.nist.gov/vuln/detail/CVE-2018-5710
*(from redmine: issue id 9304, created on 2018-08-21, closed on 2019-05-04)*
* Relations:
* copied_to #9299
* parent #9299
Milestone: 3.5.4. Assignee: Natanael Copa.

## [3.5] xen: Multiple vulnerabilities (CVE-2018-3620, CVE-2018-3646, CVE-2018-14007, CVE-2018-14678, CVE-2018-15468, CVE-2018-15469, CVE-2018-15470, CVE-2018-15471)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9298
Author: Alicha CH. Updated: 2019-07-23T11:23:02Z

**CVE-2018-15469, XSA-268**: Use of v2 grant tables may cause crash on
Arm
### Reference:
http://xenbits.xen.org/xsa/advisory-268.html
**CVE-2018-15468, XSA-269**: x86: Incorrect MSR\_DEBUGCTL handling lets guests enable BTS
### Reference:
http://xenbits.xen.org/xsa/advisory-269.html
**CVE-2018-15471, XSA-270**: Linux netback driver OOB access in hash handling
### Reference:
http://xenbits.xen.org/xsa/advisory-270.html
**CVE-2018-14007, XSA-271**: XAPI HTTP directory traversal
### Reference:
http://xenbits.xen.org/xsa/advisory-271.html
**CVE-2018-15470, XSA-272**: oxenstored does not apply quota-maxentity
### Reference:
http://xenbits.xen.org/xsa/advisory-272.html
**CVE-2018-3620, CVE-2018-3646, XSA-273**: L1 Terminal Fault speculative side channel
### Reference:
http://xenbits.xen.org/xsa/advisory-273.html
**CVE-2018-14678, XSA-274**: Linux: Uninitialized state in x86 PV failsafe callback path
### Reference:
http://xenbits.xen.org/xsa/advisory-274.html
*(from redmine: issue id 9298, created on 2018-08-21, closed on 2019-05-04)*
* Relations:
* copied_to #9293
* parent #9293
* Milestone: 3.5.4
* Assignee: Ariadne Conill (ariadne@ariadne.space)

https://gitlab.alpinelinux.org/alpine/aports/-/issues/9276
[3.5] coreutils: privilege escalation via recursive dereferences (CVE-2017-18018)
----------------------------------------------------------------------------------
Alicha CH, 2019-07-23T11:23:20Z
In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX “-R -L” options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.
### References:
http://www.openwall.com/lists/oss-security/2018/01/04/3
https://nvd.nist.gov/vuln/detail/CVE-2017-18018
*(from redmine: issue id 9276, created on 2018-08-17, closed on 2019-05-04)*
* Relations:
* copied_to #9272
* parent #9272
* Milestone: 3.5.4
* Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/9244
[3.5] avahi: Multicast DNS responds to unicast queries outside of local network (CVE-2017-6519)
------------------------------------------------------------------------------------------------
Alicha CH, 2019-07-23T11:23:43Z
avahi-daemon in Avahi through 0.6.32 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic amplification) or obtain potentially sensitive information via port-5353 UDP packets. NOTE: this may overlap CVE-2015-2809.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2017-6519
*(from redmine: issue id 9244, created on 2018-08-14, closed on 2019-05-04)*
* Relations:
* copied_to #9241
* parent #9241
* Milestone: 3.5.4
* Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/9236
[3.5] libsndfile: Multiple vulnerabilities (CVE-2017-14245, CVE-2017-17456, CVE-2017-17457, CVE-2018-13139)
------------------------------------------------------------------------------------------------------------
Alicha CH, 2019-07-23T11:23:50Z
**CVE-2017-14245**: An out of bounds read in the function d2alaw\_array() in alaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2017-14245
https://github.com/erikd/libsndfile/issues/317
**CVE-2017-17456**: The function d2alaw\_array() in alaw.c of libsndfile 1.0.29pre1 may lead to a remote DoS attack (SEGV on unknown address 0x000000000000), a different vulnerability than CVE-2017-14245.
### References:
https://github.com/erikd/libsndfile/issues/344
https://nvd.nist.gov/vuln/detail/CVE-2017-17456
**CVE-2017-17457**: The function d2ulaw\_array() in ulaw.c of libsndfile 1.0.29pre1 may lead to a remote DoS attack (SEGV on unknown address 0x000000000000), a different vulnerability than CVE-2017-14246.
### References:
https://github.com/erikd/libsndfile/issues/344
**CVE-2018-13139**: A stack-based buffer overflow in psf\_memset in common.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted audio file. The vulnerability can be triggered by the executable sndfile-deinterleave.
### References:
https://github.com/erikd/libsndfile/issues/397
https://nvd.nist.gov/vuln/detail/CVE-2018-13139
*(from redmine: issue id 9236, created on 2018-08-13, closed on 2019-05-04)*
* Relations:
* copied_to #9231
* parent #9231
* Changesets:
* Revision b67fcde7e22cf8aba7f571dd4df51c07e318760b on 2018-09-19T12:14:07Z:
```
main/libsndfile: security fix (CVE-2018-13139)
Partially fixes #9236
```
* Revision 90497e314c0f7ee1c6804d0819315700efd762b9 on 2018-12-31T10:12:49Z:
```
main/libsndfile: security fixes (CVE-2017-17456, CVE-2017-17457, CVE-2018-19661, CVE-2018-19662)
This is upstream commit 8ddc442d539ca775d80cdbc7af17a718634a743f
Partially fixes #9236
```
* Milestone: 3.5.4
* Assignee: Natanael Copa