alpine issueshttps://gitlab.alpinelinux.org/groups/alpine/-/issues2019-07-23T11:20:03Zhttps://gitlab.alpinelinux.org/alpine/aports/-/issues/9534[3.8] libx11: Multiple vulnerabilities (CVE-2018-14598, CVE-2018-14599, CVE-2...2019-07-23T11:20:03ZAlicha CH[3.8] libx11: Multiple vulnerabilities (CVE-2018-14598, CVE-2018-14599, CVE-2018-14600)CVE-2018-14598: Crash on invalid reply in XListExtensions in ListExt.c
----------------------------------------------------------------------
An issue was discovered in ListExt.c:XListExtensions and
GetFPath.c:XGetFontPath in libX11 thr...CVE-2018-14598: Crash on invalid reply in XListExtensions in ListExt.c
----------------------------------------------------------------------
An issue was discovered in ListExt.c:XListExtensions and
GetFPath.c:XGetFontPath in libX11 through version 1.6.5. A malicious
server can send
a reply in which the first string overflows, causing a variable to be
set to NULL that will be freed later on, leading to DoS (segmentation
fault).
### Fixed In Version:
libX11 1.6.6
### References:
http://www.openwall.com/lists/oss-security/2018/08/21/6
https://lists.x.org/archives/xorg-announce/2018-August/002916.html
### Patch:
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=e83722768fd5c467ef61fa159e8c6278770b45c2
CVE-2018-14599: off-by-one error in XListExtensions in ListExt.c
----------------------------------------------------------------
An issue was discovered in libX11 through 1.6.5. Functions
GetFPath.c:XGetFontPath, ListExt.c:XListExtensions and
FontNames.c:XListFonts are
vulnerable to an off-by-one error when parsing list of strings returned
by malicious server responses, leading to DoS.
### Fixed In Version:
libX11 1.6.6
### References:
http://www.openwall.com/lists/oss-security/2018/08/21/6
https://lists.x.org/archives/xorg-announce/2018-August/002916.html
### Patch:
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=b469da1430cdcee06e31c6251b83aede072a1ff0
CVE-2018-14600: Out of Bounds write in XListExtensions in ListExt.c
-------------------------------------------------------------------
An issue was discovered in libX11 through 1.6.5. Functions
ListExt.c:XListExtensions and GetFPath.c:XGetFontPath interpret a
variable as signed instead
of unsigned, resulting in an out-of-bounds write (of up to 128 bytes),
leading to DoS or remote code execution.
### Fixed In Version:
libX11 1.6.6
### References:
http://www.openwall.com/lists/oss-security/2018/08/21/6
https://lists.x.org/archives/xorg-announce/2018-August/002916.html
### Patch:
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=dbf72805fd9d7b1846fe9a11b46f3994bfc27fea
*(from redmine: issue id 9534, created on 2018-10-08, closed on 2018-10-09)*
* Relations:
* parent #9532
* Changesets:
* Revision d7c441ba3f0fdfc555c09ca51f315ba46459eaa4 by Natanael Copa on 2018-10-08T11:52:16Z:
```
main/libx11: security upgrade to 1.6.6
CVE-2018-14598
CVE-2018-14599
CVE-2018-14600
fixes #9534
```3.8.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/9522[3.8] libexif: Out-of-bounds heap read in exif_data_save_data_entry function ...2019-07-23T11:20:11ZAlicha CH[3.8] libexif: Out-of-bounds heap read in exif_data_save_data_entry function (CVE-2017-7544)One heap-based out-of-bounds read vulnerabiltiy exists in
libexif-0.6.21. When saving the data of an entry tagged with
“EXIF\_TAG\_MAKER\_NOTE” to
a buffer and copying the data of the exif entry, there is a mismatch
between the compute...One heap-based out-of-bounds read vulnerabiltiy exists in
libexif-0.6.21. When saving the data of an entry tagged with
“EXIF\_TAG\_MAKER\_NOTE” to
a buffer and copying the data of the exif entry, there is a mismatch
between the computed read size of the entry data and the size of the
allocated entry data.
The vulnerability can cause Denial-of-Service, even Information
Disclosure (disclosing some critical heap chunk metadata, even other
applications’ private data).
### References:
https://sourceforge.net/p/libexif/bugs/130/
https://nvd.nist.gov/vuln/detail/CVE-2017-7544
*(from redmine: issue id 9522, created on 2018-10-08, closed on 2018-10-09)*
* Relations:
* parent #9520
* Changesets:
* Revision a9d9f445b7e40ed463fcdb320cd88cde20b3c714 on 2018-10-08T13:47:16Z:
```
main/libexif: security fix (CVE-2017-7544)
Fixes #9522
```3.8.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/9516[3.8] strongswan: heap buffer overflow using crafted certificates (CVE-2018-1...2019-07-23T11:20:18ZAlicha CH[3.8] strongswan: heap buffer overflow using crafted certificates (CVE-2018-17540)The gmp plugin in strongSwan before 5.7.1 has a Buffer Overflow via a
crafted certificate,
the vulnerability was introduced with the patch that fixes
CVE-2018-16151/2.
### References:
https://www.strongswan.org/blog/2018/10/01/strong...The gmp plugin in strongSwan before 5.7.1 has a Buffer Overflow via a
crafted certificate,
the vulnerability was introduced with the patch that fixes
CVE-2018-16151/2.
### References:
https://www.strongswan.org/blog/2018/10/01/strongswan-vulnerability-(cve-2018-17540).html
https://nvd.nist.gov/vuln/detail/CVE-2018-17540
*(from redmine: issue id 9516, created on 2018-10-08, closed on 2018-10-09)*
* Relations:
* parent #9515
* Changesets:
* Revision 5bf14e0f89d033ac01ad2d80fb49921dd7d35a2f on 2018-10-08T13:10:26Z:
```
main/strongswan: security fix (CVE-2018-17540)
Fixes #9516
```3.8.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/9499[3.8] gd: Double free in src/gd_bump.c:gdImageBmpPtr() via crafted JPEG (CVE-...2019-07-23T11:20:30ZAlicha CH[3.8] gd: Double free in src/gd_bump.c:gdImageBmpPtr() via crafted JPEG (CVE-2018-1000222)Libgd version 2.2.5 contains a Double Free Vulnerability vulnerability
in gdImageBmpPtr Function that can result
in Remote Code Execution . This attack appear to be exploitable via
Specially Crafted Jpeg Image can trigger double free. ...Libgd version 2.2.5 contains a Double Free Vulnerability vulnerability
in gdImageBmpPtr Function that can result
in Remote Code Execution . This attack appear to be exploitable via
Specially Crafted Jpeg Image can trigger double free.
This vulnerability appears to have been fixed in after commit
ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5.
### References:
https://github.com/libgd/libgd/issues/447
https://nvd.nist.gov/vuln/detail/CVE-2018-1000222
### Patch:
https://github.com/libgd/libgd/commit/ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5
*(from redmine: issue id 9499, created on 2018-10-02, closed on 2018-10-04)*
* Relations:
* parent #9497
* Changesets:
* Revision 0b18843792bc3a090f55ce0f51d3f3049ff91f23 by Natanael Copa on 2018-10-02T14:05:06Z:
```
main/gd: backport security fix for CVE-2018-1000222
fixes #9499
```3.8.2Carlo LandmeterCarlo Landmeterhttps://gitlab.alpinelinux.org/alpine/aports/-/issues/9488Crash while running a headless libreoffice spreadsheet conversion2019-07-23T11:20:35ZAlexander StepanovCrash while running a headless libreoffice spreadsheet conversionWhen Libreoffice is used in the headless mode to convert office
documents (texts, spreadsheets, presentations, etc.) inside an
Alpine-based Docker container via UNO interface, it crashes with a
SIGSEGV while converting some documents (se...When Libreoffice is used in the headless mode to convert office
documents (texts, spreadsheets, presentations, etc.) inside an
Alpine-based Docker container via UNO interface, it crashes with a
SIGSEGV while converting some documents (see the attached files).
Steps to reproduce:
1. Run a docker container:
<code>
docker run -it —rm alpine:3.8
</code>
2. Install libreoffice, python and unoconv in the container:
<code>
apk add —update wget libreoffice python3
pip3 install unoconv
</code>
3. Get the test documents and try to convert them:
<code>
unoconv <s>f html test.ods \# has formulas, libreoffice crash</s>
SIGSEGV
unoconv -f html test2.ods \# no formulas, no crash
</code>
A typical stack trace from debug build shows more details:
Thread 7 "cppu_threadpool" received signal SIGSEGV, Segmentation fault.
[Switching to LWP 113]
0x00007fdb8b425d70 in formula::FormulaCompiler::GetToken() ()
from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
(gdb) bt
#0 0x00007fdb8b425d70 in formula::FormulaCompiler::GetToken() ()
from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#1 0x00007fdb8b4277b4 in formula::FormulaCompiler::NextToken() ()
from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#2 0x00007fdb8b426540 in formula::FormulaCompiler::Factor() ()
from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#3 0x00007fdb8b427fef in formula::FormulaCompiler::RangeLine() ()
from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#4 0x00007fdb8b428214 in formula::FormulaCompiler::IntersectionLine() ()
from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#5 0x00007fdb8b4284bd in formula::FormulaCompiler::UnionLine() ()
from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#6 0x00007fdb8b4285f2 in formula::FormulaCompiler::UnaryLine() ()
from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#7 0x00007fdb8b4286af in formula::FormulaCompiler::PowLine() ()
from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#8 0x00007fdb8b4287ed in formula::FormulaCompiler::MulDivLine() ()
from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#9 0x00007fdb8b4288dd in formula::FormulaCompiler::AddSubLine() ()
from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#10 0x00007fdb8b4289cd in formula::FormulaCompiler::ConcatLine() ()
from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#11 0x00007fdb8b428a9d in formula::FormulaCompiler::CompareLine() ()
from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#12 0x00007fdb8b427ed8 in formula::FormulaCompiler::Expression() () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#13 0x00007fdb8b426cb7 in formula::FormulaCompiler::Factor() () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#14 0x00007fdb8b427fef in formula::FormulaCompiler::RangeLine() () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#15 0x00007fdb8b428214 in formula::FormulaCompiler::IntersectionLine() () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#16 0x00007fdb8b4284bd in formula::FormulaCompiler::UnionLine() () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#17 0x00007fdb8b4285f2 in formula::FormulaCompiler::UnaryLine() () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#18 0x00007fdb8b4286af in formula::FormulaCompiler::PowLine() () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#19 0x00007fdb8b4287ed in formula::FormulaCompiler::MulDivLine() () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#20 0x00007fdb8b4288dd in formula::FormulaCompiler::AddSubLine() () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#21 0x00007fdb8b4289cd in formula::FormulaCompiler::ConcatLine() () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#22 0x00007fdb8b428a9d in formula::FormulaCompiler::CompareLine() () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#23 0x00007fdb8b427ed8 in formula::FormulaCompiler::Expression() () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#24 0x00007fdb8b42741b in formula::FormulaCompiler::Factor() () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#25 0x00007fdb8b427fef in formula::FormulaCompiler::RangeLine() () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#26 0x00007fdb8b428214 in formula::FormulaCompiler::IntersectionLine() () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#27 0x00007fdb8b4284bd in formula::FormulaCompiler::UnionLine() () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#28 0x00007fdb8b4285f2 in formula::FormulaCompiler::UnaryLine() () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#29 0x00007fdb8b4286af in formula::FormulaCompiler::PowLine() () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#30 0x00007fdb8b4287ed in formula::FormulaCompiler::MulDivLine() () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#31 0x00007fdb8b4288dd in formula::FormulaCompiler::AddSubLine() () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#32 0x00007fdb8b4289cd in formula::FormulaCompiler::ConcatLine() () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#33 0x00007fdb8b428a9d in formula::FormulaCompiler::CompareLine() () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#34 0x00007fdb8b427ed8 in formula::FormulaCompiler::Expression() () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#35 0x00007fdb8b428c62 in formula::FormulaCompiler::CompileTokenArray() () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libforlo.so
#36 0x00007fdb8bcab136 in ScFormulaCell::CompileXML(sc::CompileFormulaContext&, ScProgress&) () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libsclo.so
#37 0x00007fdb8bb788d4 in ScColumn::CompileXML(sc::CompileFormulaContext&, ScProgress&) () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libsclo.so
#38 0x00007fdb8bcf0453 in ScTable::CompileXML(sc::CompileFormulaContext&, ScProgress&) () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libsclo.so
#39 0x00007fdb8bc1ee04 in ScDocument::CompileXML() () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libsclo.so
#40 0x00007fdb8bfabdb8 in ScXMLImport::endDocument() () from /opt/libreoffice6.1/lib/libreoffice/program/../program/libsclo.so
*(from redmine: issue id 9488, created on 2018-09-27, closed on 2018-12-20)*
* Changesets:
* Revision 18821e8e6f9714bf14cac60e1c23d35e3554b332 by Natanael Copa on 2018-09-28T16:55:07Z:
```
community/libreoffice: upgrade to 6.1.0.3
and fix tread stack size issue
ref #9488
```
* Revision 96e1e57fed146a3449b7070143861b7e22ba57f4 by Natanael Copa on 2018-10-01T12:00:55Z:
```
community/libreoffice: fix tread stack size issue
fixes #9488
```
* Uploads:
* [test.ods](/uploads/ea295f5ed4b84aaa975d2f757ef7c53e/test.ods) Two simple formulas - crash
* [test2.ods](/uploads/8c3f2dd4fc8553a4e65a9f20b38dad71/test2.ods) No formula - no crash3.8.2https://gitlab.alpinelinux.org/alpine/aports/-/issues/9484[3.8] strongswan: Multiple vulnerabilities (CVE-2018-16151, CVE-2018-16152)2019-07-23T11:20:40ZAlicha CH[3.8] strongswan: Multiple vulnerabilities (CVE-2018-16151, CVE-2018-16152)**CVE-2018-16151**: In verify\_emsa\_pkcs1\_signature() in
gmp\_rsa\_public\_key.c in the gmp plugin in strongSwan 4.x and 5.x
before 5.7.0,
the RSA implementation based on GMP does not reject excess data after
the encoded algorithm OI...**CVE-2018-16151**: In verify\_emsa\_pkcs1\_signature() in
gmp\_rsa\_public\_key.c in the gmp plugin in strongSwan 4.x and 5.x
before 5.7.0,
the RSA implementation based on GMP does not reject excess data after
the encoded algorithm OID during PKCS\#1 v1.5 signature verification.
Similar to the flaw in the same version of strongSwan regarding
digestAlgorithm.parameters, a remote attacker can forge signatures when
small
public exponents are being used, which could lead to impersonation when
only an RSA signature is used for IKEv2 authentication.
### References:
https://www.strongswan.org/blog/2018/09/24/strongswan-vulnerability-(cve-2018-16151,-cve-2018-16152).html
https://nvd.nist.gov/vuln/detail/CVE-2018-16151
### Patches:
https://download.strongswan.org/patches/27\_gmp\_pkcs1\_verify\_patch/strongswan-5.3.1-5.6.0\_gmp-pkcs1-verify.patch
https://download.strongswan.org/patches/27\_gmp\_pkcs1\_verify\_patch/strongswan-5.6.1-5.6.3\_gmp-pkcs1-verify.patch
**CVE-2018-16152**: In verify\_emsa\_pkcs1\_signature() in
gmp\_rsa\_public\_key.c in the gmp plugin in strongSwan 4.x and 5.x
before 5.7.0,
the RSA implementation based on GMP does not reject excess data in the
digestAlgorithm.parameters field during PKCS\#1 v1.5 signature
verification. Consequently, a remote attacker can forge signatures when
small public exponents are being used, which could lead to
impersonation when only an RSA signature is used for IKEv2
authentication.
### References:
https://www.strongswan.org/blog/2018/09/24/strongswan-vulnerability-(cve-2018-16151,-cve-2018-16152).html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-16152
### Patches:
https://download.strongswan.org/patches/27\_gmp\_pkcs1\_verify\_patch/strongswan-5.3.1-5.6.0\_gmp-pkcs1-verify.patch
https://download.strongswan.org/patches/27\_gmp\_pkcs1\_verify\_patch/strongswan-5.6.1-5.6.3\_gmp-pkcs1-verify.patch
*(from redmine: issue id 9484, created on 2018-09-27, closed on 2018-10-04)*
* Relations:
* parent #9482
* Changesets:
* Revision 142cd0660c759d91ccdd0b6b6fd5f4959413ed93 by Natanael Copa on 2018-10-02T12:20:59Z:
```
main/strongswan: backport security fix (CVE-2018-16151, CVE-2018-16152)
fixes #9484
```3.8.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/9478[3.8] nss: ServerHello.random is all zeros when handling a v2-compatible Clie...2019-07-23T11:20:43ZAlicha CH[3.8] nss: ServerHello.random is all zeros when handling a v2-compatible ClientHello (CVE-2018-12384)A flaw was found with NSS library when compiled with a server
application. A man-in-the-middle attacker could use this flaw in a
passive replay attack.
The most severe issue for confidentiality is for stream ciphers (and
AES-GCM), as t...A flaw was found with NSS library when compiled with a server
application. A man-in-the-middle attacker could use this flaw in a
passive replay attack.
The most severe issue for confidentiality is for stream ciphers (and
AES-GCM), as the server may encrypt different data with the exact
same key stream and idempotency, the server may perform same action
multiple times without proper authentication
### Fixed In Version:
nss 3.36.5, nss 3.39
### References:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS\_3.39\_release\_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS\_3.36.5\_release\_notes
### Patches:
https://hg.mozilla.org/projects/nss/rev/2ed9f6afd84e
(NSS\_3\_39\_BRANCH)
https://hg.mozilla.org/projects/nss/rev/46f9a1f40c3d
(NSS\_3\_36\_BRANCH)
*(from redmine: issue id 9478, created on 2018-09-27, closed on 2019-05-04)*
* Relations:
* parent #9476
* Changesets:
* Revision 447318e4bff01df5d8424ebddea8345bd4a29501 by Natanael Copa on 2018-10-02T13:11:45Z:
```
main/nss: backport fix for CVE-2018-12384
fixes #9478
```3.8.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/9463[3.8] bind: Update policies krb5-subdomain and ms-subdomain (CVE-2018-5741)2019-07-23T11:20:57ZAlicha CH[3.8] bind: Update policies krb5-subdomain and ms-subdomain (CVE-2018-5741)In order to provide fine-grained controls over the ability to use
Dynamic DNS (DDNS) to update records in a zone, BIND provides a feature
called update-policy. Various rules can be configured to limit the types
of updates that can be per...In order to provide fine-grained controls over the ability to use
Dynamic DNS (DDNS) to update records in a zone, BIND provides a feature
called update-policy. Various rules can be configured to limit the types
of updates that can be performed by a client, depending on the key used
when sending the update request. Unfortunately some rule types were not
initially documented, and when documentation for them was added to the
Administrator Reference Manual (ARM) in change, the language that was
added to the ARM at that time incorrectly described the behavior of two
rule types, krb5-subdomain and ms-subdomain. This incorrect
documentation could mislead operators into believing that policies they
had configured were more restrictive than they actually were.
### Versions affected:
The behavior described is present in all versions of BIND 9 which
contain the krb5-subdomain and ms-subdomain update
policies prior to our upcoming maintenance releases, BIND 9.11.5 and
9.12.3. However, the misleading documentation
is not present in all versions.
### References:
https://kb.isc.org/docs/cve-2018-5741
https://www.openwall.com/lists/oss-security/2018/09/19/11
*(from redmine: issue id 9463, created on 2018-09-25, closed on 2018-12-04)*
* Relations:
* parent #9461
* Changesets:
* Revision e3ed6b4e31abe80f4d89cec79e47d60a9102142e by Natanael Copa on 2018-11-29T14:59:51Z:
```
main/bind: security upgrade to 9.12.3 (CVE-2018-5741)
fixes #9463
```3.8.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/9457[3.8] hylafax: JPEG support code execution (CVE-2018-17141)2019-07-23T11:21:02ZAlicha CH[3.8] hylafax: JPEG support code execution (CVE-2018-17141)HylaFAX 6.0.6 and HylaFAX+ 5.6.0 allow remote attackers to execute
arbitrary code via a dial-in session that provides a FAX page
with the JPEG bit enabled, which is mishandled in
FaxModem::writeECMData() in the faxd/CopyQuality.c<span
...HylaFAX 6.0.6 and HylaFAX+ 5.6.0 allow remote attackers to execute
arbitrary code via a dial-in session that provides a FAX page
with the JPEG bit enabled, which is mishandled in
FaxModem::writeECMData() in the faxd/CopyQuality.c<span
class="underline"></span> file.
### References:
https://www.openwall.com/lists/oss-security/2018/09/20/1
https://nvd.nist.gov/vuln/detail/CVE-2018-17141
### Patch:
http://git.hylafax.org/HylaFAX?a=commit;h=82fa7bdbffc253de4d3e80a87d47fdbf68eabe36
*(from redmine: issue id 9457, created on 2018-09-24, closed on 2018-10-09)*
* Relations:
* parent #9455
* Changesets:
* Revision 42946288bdd789821b3c3a957b87d80ed7c9dee3 on 2018-10-09T06:35:00Z:
```
main/hylafax: security fix (CVE-2018-17141)
Fixes #9457
```3.8.2https://gitlab.alpinelinux.org/alpine/aports/-/issues/9454keepalived 2.0.4 is broken2019-07-23T11:21:05ZThomas Liskeliske@ibh.dekeepalived 2.0.4 is brokenAfter (trying) upgrading multiple hosts from Alpine 3.7 to 3.8
keepalived stucks in a segfault loop. The bug seems to be already known
upstream and fixed in keepalived 2.0.5:
* Stop segfaulting when receive a packet (fixing commit 9...After (trying) upgrading multiple hosts from Alpine 3.7 to 3.8
keepalived stucks in a segfault loop. The bug seems to be already known
upstream and fixed in keepalived 2.0.5:
* Stop segfaulting when receive a packet (fixing commit 97aec76).
Commit 97aec76 - "Update config-test option so keepalived exits
with status 1 on failure" had a test for __test_bit(CONFIG_TEST_BIT)
the wrong way round. This commit fixes that.
Can we get keepalived 2.0.5 from edge into Alpine 3.8 so keepalived is
usable again?
TIA,
Thomas
*(from redmine: issue id 9454, created on 2018-09-21, closed on 2018-12-20)*
* Changesets:
* Revision 8fc23ec3d0db936078772cd5d178988961a314be by Roberto Oliveira on 2018-09-24T07:05:14Z:
```
community/keepalived: upgrade to 2.0.5
fixes #9454
(cherry picked from commit bbfbabf7daf1cc35de2ee9c72699d8c9bf4c9025)
```3.8.2https://gitlab.alpinelinux.org/alpine/aports/-/issues/9453[3.8] webkit2gtk: Multiple vulnerabilities (CVE-2018-4246, CVE-2018-4261, CVE...2019-07-23T11:21:06ZAlicha CH[3.8] webkit2gtk: Multiple vulnerabilities (CVE-2018-4246, CVE-2018-4261, CVE-2018-4262, CVE-2018-4263, CVE-2018-4264, CVE-2018-4265, CVE-2018-4266, CVE-2018-4267, CVE-2018-4270, CVE-2018-4272, CVE-2018-4273, CVE-2018-4278, CVE-2018-4284, CVE-2018-12911)**CVE-2018-4246**
Processing maliciously crafted web content may lead to arbitrary code
execution.
A type confusion issue was addressed with improved memory handling.
Versions affected: WebKitGTK+ before 2.20.4
**CVE-2018-4261**
P...**CVE-2018-4246**
Processing maliciously crafted web content may lead to arbitrary code
execution.
A type confusion issue was addressed with improved memory handling.
Versions affected: WebKitGTK+ before 2.20.4
**CVE-2018-4261**
Processing maliciously crafted web content may lead to arbitrary code
execution.
A memory corruption issue was addressed with improved memory handling.
Versions affected: WebKitGTK+ before 2.20.4
**CVE-2018-4262**
Processing maliciously crafted web content may lead to arbitrary code
execution.
A memory corruption issue was addressed with improved memory handling.
Versions affected: WebKitGTK+ before 2.20.4
**CVE-2018-4263**
Processing maliciously crafted web content may lead to arbitrary code
execution.
A memory corruption issue was addressed with improved memory handling.
Versions affected: WebKitGTK+ before 2.20.4
**CVE-2018-4264**
Processing maliciously crafted web content may lead to arbitrary code
execution.
A memory corruption issue was addressed with improved memory handling.
Versions affected: WebKitGTK+ before 2.20.4
**CVE-2018-4265**
Processing maliciously crafted web content may lead to arbitrary code
execution.
A memory corruption issue was addressed with improved memory handling.
Versions affected: WebKitGTK+ before 2.20.4
**CVE-2018-4266**
A malicious website may be able to cause a denial of service.
A race condition was addressed with additional validation.
Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before
2.20.2.
**CVE-2018-4267**
Processing maliciously crafted web content may lead to arbitrary code
execution.
A memory corruption issue was addressed with improved memory handling.
Versions affected: WebKitGTK+ before 2.20.4
**CVE-2018-4270**
Processing maliciously crafted web content may lead to an unexpected
application crash.
A memory corruption issue was addressed with improved memory handling.
Versions affected: WebKitGTK+ before 2.20.4
**CVE-2018-4272**
Processing maliciously crafted web content may lead to arbitrary code
execution.
A memory corruption issue was addressed with improved memory handling.
Versions affected: WebKitGTK+ before 2.20.4
**CVE-2018-4273**
Processing maliciously crafted web content may lead to an unexpected
application crash.
A memory corruption issue was addressed with improved input
validation.
Versions affected: WebKitGTK+ before 2.20.4
**CVE-2018-4278**
A malicious website may exfiltrate audio data cross-origin. Sound
fetched through audio elements
may be exfiltrated cross-origin. This issue was addressed with improved
audio taint tracking.
Versions affected: WebKitGTK+ before 2.20.4
**CVE-2018-4284**
Processing maliciously crafted web content may lead to arbitrary code
execution.
A type confusion issue was addressed with improved memory handling
Versions affected: WebKitGTK+ before 2.20.4
.
**CVE-2018-12911**
Processing maliciously crafted web content may lead to arbitrary code
execution.
A buffer overflow issue was addressed with improved memory handling.
Versions affected: WebKitGTK+ before 2.20.4
### Reference:
https://webkitgtk.org/security/WSA-2018-0006.html
*(from redmine: issue id 9453, created on 2018-09-21, closed on 2018-10-02)*
* Relations:
* parent #9451
* Changesets:
* Revision 0af1cbfdb6065fca513ef4d282a2c794faba6c18 by Natanael Copa on 2018-09-27T08:22:24Z:
```
community/webkit2gtk: security upgrade to 2.20.4
CVE-2018-4246, CVE-2018-4261, CVE-2018-4262, CVE-2018-4263,
CVE-2018-4264, CVE-2018-4265, CVE-2018-4266, CVE-2018-4267,
CVE-2018-4270, CVE-2018-4272, CVE-2018-4273, CVE-2018-4278,
CVE-2018-4284, CVE-2018-12911
fixes #9453
```3.8.2https://gitlab.alpinelinux.org/alpine/aports/-/issues/9449[3.8] pango: application crash triggered by unicode chars in pango-emoji.c (C...2019-07-23T11:21:10ZAlicha CH[3.8] pango: application crash triggered by unicode chars in pango-emoji.c (CVE-2018-15120)A flaw was found in Pango since versions 1.40.8 up to newer. Typing
certain invalid Emoji sequences into
a GTK+ application can trigger a Reachable Assertion resulting in an
application crash.
### Fixed In Version:
pango 1.42.4
### ...A flaw was found in Pango since versions 1.40.8 up to newer. Typing
certain invalid Emoji sequences into
a GTK+ application can trigger a Reachable Assertion resulting in an
application crash.
### Fixed In Version:
pango 1.42.4
### References:
https://mail.gnome.org/archives/distributor-list/2018-August/msg00001.html
https://nvd.nist.gov/vuln/detail/CVE-2018-15120
### Patch:
https://gitlab.gnome.org/GNOME/pango/commit/71aaeaf020340412b8d012fe23a556c0420eda5f
*(from redmine: issue id 9449, created on 2018-09-21, closed on 2018-11-08)*
* Relations:
* parent #9448
* Changesets:
* Revision 684888b0f6c5624eef4f30a93821830c29483953 on 2018-11-06T15:48:39Z:
```
main/pango: security fix (CVE-2018-15120)
Fixes #9449
```3.8.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/9444[3.8] lcms2: heap-based buffer overflow in SetData function in cmsIT8LoadFrom...2019-07-23T11:21:12ZAlicha CH[3.8] lcms2: heap-based buffer overflow in SetData function in cmsIT8LoadFromFile (CVE-2018-16435)A flaw was found in Little CMS (aka Little Color Management System) 2.9.
An integer overflow
in the AllocateDataSet function in cmscgats.c, leading to a heap-based
buffer overflow in the
SetData function via a crafted file in the sec...A flaw was found in Little CMS (aka Little Color Management System) 2.9.
An integer overflow
in the AllocateDataSet function in cmscgats.c, leading to a heap-based
buffer overflow in the
SetData function via a crafted file in the second argument to
cmsIT8LoadFromFile.
### References:
https://github.com/mm2/Little-CMS/issues/171
https://nvd.nist.gov/vuln/detail/CVE-2018-16435
### Patch:
https://github.com/mm2/Little-CMS/commit/768f70ca405cd3159d990e962d54456773bb8cf8
*(from redmine: issue id 9444, created on 2018-09-21, closed on 2018-11-08)*
* Relations:
* parent #9442
* Changesets:
* Revision 2fabafb2b32d929a4de15f8ae3e7a8379120e495 on 2018-11-06T15:55:20Z:
```
main/lcms2: security fix (CVE-2018-16435)
Fixes #9444
```3.8.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/9434[3.8] ghostscript: Incorrect "restoration of privilege" checking when running...2019-07-23T11:21:20ZAlicha CH[3.8] ghostscript: Incorrect "restoration of privilege" checking when running out of stack during exception handling (CVE-2018-16802)An issue was discovered in Artifex Ghostscript before 9.25. Incorrect
“restoration of privilege”
checking when running out of stack during exception handling could be
used by attackers able to supply
crafted PostScript to execute cod...An issue was discovered in Artifex Ghostscript before 9.25. Incorrect
“restoration of privilege”
checking when running out of stack during exception handling could be
used by attackers able to supply
crafted PostScript to execute code using the “pipe” instruction. This is
due to an incomplete fix for CVE-2018-16509.
### References:
https://seclists.org/oss-sec/2018/q3/228
https://seclists.org/oss-sec/2018/q3/229
https://seclists.org/oss-sec/2018/q3/233
### Patches:
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=643b24db
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=3e5d316b
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5812b1b7
*(from redmine: issue id 9434, created on 2018-09-20, closed on 2018-11-08)*
* Relations:
* parent #9432
* Changesets:
* Revision 81f784469ba2ef0a8d3eb4748c1ba9d6269fb430 on 2018-11-07T07:49:24Z:
```
main/ghostscript: security upgrade to 9.25 (CVE-2018-16802)
Fixes #9434
```3.8.2https://gitlab.alpinelinux.org/alpine/aports/-/issues/9428[3.8] libjpeg-turbo: Multiple vulnerabilities (CVE-2018-1152, CVE-2018-11813)2019-07-23T11:21:27ZAlicha CH[3.8] libjpeg-turbo: Multiple vulnerabilities (CVE-2018-1152, CVE-2018-11813)**CVE-2018-1152**: libjpeg-turbo 1.5.90 is vulnerable to a denial of
service vulnerability caused by
a divide by zero when processing a crafted BMP image.
### Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-1152
### Patch:
htt...**CVE-2018-1152**: libjpeg-turbo 1.5.90 is vulnerable to a denial of
service vulnerability caused by
a divide by zero when processing a crafted BMP image.
### Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-1152
### Patch:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/43e84cff1bb2bd8293066f6ac4eb0df61ddddbc6
**CVE-2018-11813**: “cjpeg” utility large loop because read\_pixel in
rdtarga.c mishandles EOF
### Reference:
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/242
### Patch:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/19074854d9d8bc32dff3ed252eed17ed6cc2ecfc
*(from redmine: issue id 9428, created on 2018-09-20, closed on 2018-09-27)*
* Relations:
* parent #9426
* Changesets:
* Revision 61e65acf07fd26940430c2b33381d6c36456790e by Natanael Copa on 2018-09-25T11:01:27Z:
```
main/libjpeg-turbo: backport security fix (CVE-2018-11813)
fixes #9428
```3.8.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/9307[3.8] spice: Missing check in demarshal.py:write_validate_array_item() allows...2019-07-23T11:22:55ZAlicha CH[3.8] spice: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service (CVE-2018-10873)A vulnerability was discovered in SPICE before version 0.14.1 where the
generated code used for demarshalling messages
lacked sufficient bounds checks. A malicious client or server, after
authentication, could send specially crafted me...A vulnerability was discovered in SPICE before version 0.14.1 where the
generated code used for demarshalling messages
lacked sufficient bounds checks. A malicious client or server, after
authentication, could send specially crafted messages
to its peer which would result in a crash or, potentially, other
impacts.
### References:
http://openwall.com/lists/oss-security/2018/08/17/1
https://nvd.nist.gov/vuln/detail/CVE-2018-10873
### Patch:
https://gitlab.freedesktop.org/spice/spice-common/commit/bb15d4815ab586b4c4a20f4a565970a44824c42c
*(from redmine: issue id 9307, created on 2018-08-21, closed on 2018-11-08)*
* Relations:
* copied_to #9305
* parent #9305
* Changesets:
* Revision 03fec4585c1e4a7736a7727b5a03e477dbd27bab on 2018-11-07T13:47:26Z:
```
main/spice: security upgrade to 0.14.1 (CVE-2018-10873)
Fixes #9307
```3.8.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/9238Python package Requests 2.18.4-r0 failure: pkg_resources.DistributionNotFound2019-07-23T11:23:48ZStephan LinzPython package Requests 2.18.4-r0 failure: pkg_resources.DistributionNotFoundWhen installing `py2-sphinx` and `py2-setuptools` and execute
`/usr/bin/sphinx-build-2` I’m running into this error:
<code class="python">
Traceback (most recent call last):
File "/usr/bin/sphinx-build-2", line 6, in <modu...When installing `py2-sphinx` and `py2-setuptools` and execute
`/usr/bin/sphinx-build-2` I’m running into this error:
<code class="python">
Traceback (most recent call last):
File "/usr/bin/sphinx-build-2", line 6, in <module>
from pkg_resources import load_entry_point
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3086, in <module>
@_call_aside
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3070, in _call_aside
f(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3099, in _initialize_master_working_set
working_set = WorkingSet._build_master()
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 576, in _build_master
return cls._build_from_requirements(__requires__)
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 589, in _build_from_requirements
dists = ws.resolve(reqs, Environment())
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 778, in resolve
raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'idna<2.7,>=2.5' distribution was not found and is required by requests
</code>
The problem is in package `py-requests-2.18.4-r0` that is too old for
the currently installable `py-idna-2.7-r0` package. Python Requests
2.18.4 needs ‘idna<2.7,>=2.5’ that is not resolvable by default.
See https://github.com/requests/requests/blob/v2.18.4/setup.py\#L44
<code class="python">
requires = [
'chardet>=3.0.2,<3.1.0',
'idna>=2.5,<2.7',
'urllib3>=1.21.1,<1.23',
'certifi>=2017.4.17'
]
</code>
The Python Requests package `py-requests-2.19.1-r0` should set from edge
to stabel for v3.8 as soon as possible to avoid this dependency
mismatch, because Python Requests 2.19.0 already needs
‘idna<2.8,>=2.5’ (resolvable by default). See
https://github.com/requests/requests/blob/v2.19.0/setup.py\#L51
<code class="python">
requires = [
'chardet>=3.0.2,<3.1.0',
'idna>=2.5,<2.8',
'urllib3>=1.21.1,<1.24',
'certifi>=2017.4.17'
]
</code>
The same for Python Requests 2.19.1, see
https://github.com/requests/requests/blob/v2.19.1/setup.py\#L51
*(from redmine: issue id 9238, created on 2018-08-13, closed on 2018-12-20)*
* Relations:
* relates #9053
* Changesets:
* Revision add7b6dd3d789534d4cf60dbb7a049da403ee613 by Fabian Affolter on 2018-09-27T06:45:28Z:
```
main/py-requests: upgrade to 2.19.1
fixes #9053
fixes #9238
(cherry picked from commit c2ede3db1fe3906163c2a37177c97d28e3b52490)
```3.8.2https://gitlab.alpinelinux.org/alpine/aports/-/issues/9209[3.8] libao: Invalid memory allocation in _tokenize_matrix function in audio_...2019-07-23T11:24:10ZAlicha CH[3.8] libao: Invalid memory allocation in _tokenize_matrix function in audio_out.c (CVE-2017-11548)The \_tokenize\_matrix function in audio\_out.c in Xiph.Org libao 1.2.0
allows remote attackers to cause
a denial of service (memory corruption) via a crafted MP3 file.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2017-11548 ...The \_tokenize\_matrix function in audio\_out.c in Xiph.Org libao 1.2.0
allows remote attackers to cause
a denial of service (memory corruption) via a crafted MP3 file.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2017-11548
http://seclists.org/fulldisclosure/2017/Jul/84
*(from redmine: issue id 9209, created on 2018-08-08, closed on 2019-01-01)*
* Relations:
* copied_to #9207
* parent #9207
* Changesets:
* Revision 688f0853340c1c7833c971a259db367552d5c537 by Natanael Copa on 2018-12-04T12:17:59Z:
```
main/libao: security fix for CVE-2017-11548
fixes #9209
```3.8.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/9190imagemagick: disable OpenMP for stability2023-06-02T03:41:50ZAlexander Edlandimagemagick: disable OpenMP for stabilityImageMagick uses OpenMP for improved performance. For some software
linking ImageMagick, this appears to cause segfaults in OpenMP-related
code, but seemingly only when running on certain processors. My testcase
(non-trivial, an uncommit...ImageMagick uses OpenMP for improved performance. For some software
linking ImageMagick, this appears to cause segfaults in OpenMP-related
code, but seemingly only when running on certain processors. My testcase
(non-trivial, an uncommitted aport) exhibits consistent crashes on one
laptop but runs fine on another. Both laptops perform the same minimal
test in a clean chroot with the same packages from edge. The laptop
exhibiting the crashes has an i5-6200U while the seemingly immune laptop
has an i5-6300HQ. The following two stacks have been observed in gdb:
Program received signal SIGSEGV, Segmentation fault.
#0 0x00007ffff4ae0415 in QueueAuthenticPixels () from /usr/lib/libMagickCore-7.Q16HDRI.so.6
#1 0x00007fffe92e7398 in ?? () from /usr/lib/ImageMagick-7.0.8/modules-Q16HDRI/coders/bmp.so
#2 0x00007ffff4b17892 in ReadImage () from /usr/lib/libMagickCore-7.Q16HDRI.so.6
#3 0x00007ffff526d5c2 in Magick::Image::read(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) () from /usr/lib/libMagick++-7.Q16HDRI.so.4
#4 0x00007ffff526d61f in Magick::Image::Image(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) () from /usr/lib/libMagick++-7.Q16HDRI.so.4
#5 0x00007ffff54978ef in readCreate (in=in@entry=0x5555557cd580, out=out@entry=0x555555a156e0, userData=<optimized out>, core=0x5555557a2560, vsapi=0x7ffff6ebbe40 <vs_internal_vsapi>) at src/filters/imwri/imwri.cpp:784
#6 0x00007ffff6c9442d in VSPlugin::invoke (this=this@entry=0x5555558d5e20, funcName=..., args=...) at src/core/vscore.cpp:1694
#7 0x00007ffff6c8aaed in invoke (plugin=0x5555558d5e20, name=<optimized out>, args=0x5555557cd580) at src/core/vsapi.cpp:386
#8 0x00007ffff6f30177 in __pyx_pf_11vapoursynth_8Function_2__call__ (__pyx_v_kwargs=0x7ffff58d33a8, __pyx_v_args=0x7ffff7e996a0, __pyx_v_self=0x7ffff58aafc0) at src/cython/vapoursynth.c:39415
#9 __pyx_pw_11vapoursynth_8Function_3__call__ (__pyx_v_self=0x7ffff58aafc0, __pyx_args=0x7ffff7e996a0, __pyx_kwds=<optimized out>) at src/cython/vapoursynth.c:38521
#10 0x00007ffff71e4660 in _PyObject_FastCallDict () from /usr/lib/libpython3.6m.so.1.0
#11 0x00007ffff71e4acc in _PyObject_FastCallKeywords () from /usr/lib/libpython3.6m.so.1.0
#12 0x00007ffff727184d in ?? () from /usr/lib/libpython3.6m.so.1.0
#13 0x00007ffff7277626 in _PyEval_EvalFrameDefault () from /usr/lib/libpython3.6m.so.1.0
#14 0x00007ffff72715a5 in ?? () from /usr/lib/libpython3.6m.so.1.0
#15 0x00007ffff72718d5 in PyEval_EvalCodeEx () from /usr/lib/libpython3.6m.so.1.0
#16 0x00007ffff72718f6 in PyEval_EvalCode () from /usr/lib/libpython3.6m.so.1.0
#17 0x00007ffff6f229d6 in __Pyx_PyExec3 (locals=0x7ffff7f25e10, globals=0x7ffff7f25e10, o=0x7ffff58ef810) at src/cython/vapoursynth.c:79365
#18 vpy_evaluateScript (__pyx_v_se=__pyx_v_se@entry=0x5555557d6960, __pyx_v_script=<optimized out>, __pyx_v_scriptFilename=<optimized out>, __pyx_v_scriptFilename@entry=0x7fffffffe4d8 "red.vpy", __pyx_v_flags=__pyx_v_flags@entry=1) at src/cython/vapoursynth.c:41408
#19 0x00007ffff6f2501b in vpy_evaluateFile (__pyx_v_se=0x5555557d6960, __pyx_v_scriptFilename=<optimized out>, __pyx_v_flags=1) at src/cython/vapoursynth.c:42406
#20 0x00007ffff7b6a198 in vsscript_evaluateFile (handle=0x55555575c210 <se>, scriptFilename=0x7fffffffe4d8 "red.vpy", flags=1) at src/vsscript/vsscript.cpp:160
#21 0x0000555555556bda in main (argc=3, argv=<optimized out>) at src/vspipe/vspipe.cpp:669
Program received signal SIGSEGV, Segmentation fault.
#0 0x00007ffff345bfab in omp_get_max_threads () from /usr/lib/libgomp.so.1
#1 0x00007ffff3ae3bb0 in ?? () from /usr/lib/libMagickCore-7.Q16HDRI.so.6
#2 0x00007ffff3a97540 in MagickCoreGenesis () from /usr/lib/libMagickCore-7.Q16HDRI.so.6
#3 0x00007ffff417a63c in Magick::InitializeMagick(char const*) () from /usr/lib/libMagick++-7.Q16HDRI.so.4
#4 0x00007ffff43af835 in initMagick (vsapi=0x7ffff6ebce40 <vs_internal_vsapi>, core=0x55555584f0c0) at src/filters/imwri/imwri.cpp:73
#5 0x00007ffff43b058f in readCreate (in=in@entry=0x555555a9b120, out=out@entry=0x555555a99f80, userData=<optimized out>, core=0x55555584f0c0, vsapi=0x7ffff6ebce40 <vs_internal_vsapi>) at src/filters/imwri/imwri.cpp:748
#6 0x00007ffff6c9542d in VSPlugin::invoke (this=this@entry=0x5555558eb4c0, funcName=..., args=...) at src/core/vscore.cpp:1694
#7 0x00007ffff6c8baed in invoke (plugin=0x5555558eb4c0, name=<optimized out>, args=0x555555a9b120) at src/core/vsapi.cpp:386
#8 0x00007ffff6f31137 in __pyx_pf_11vapoursynth_8Function_2__call__ (__pyx_v_kwargs=0x7ffff58d0af8, __pyx_v_args=0x7ffff7e96898, __pyx_v_self=0x7ffff58d0ab0) at src/cython/vapoursynth.c:39415
#9 __pyx_pw_11vapoursynth_8Function_3__call__ (__pyx_v_self=0x7ffff58d0ab0, __pyx_args=0x7ffff7e96898, __pyx_kwds=<optimized out>) at src/cython/vapoursynth.c:38521
#10 0x00007ffff71e8410 in _PyObject_FastCallDict () from /usr/lib/libpython3.6m.so.1.0
#11 0x00007ffff71e887c in _PyObject_FastCallKeywords () from /usr/lib/libpython3.6m.so.1.0
#12 0x00007ffff72755fd in ?? () from /usr/lib/libpython3.6m.so.1.0
#13 0x00007ffff727b3d6 in _PyEval_EvalFrameDefault () from /usr/lib/libpython3.6m.so.1.0
#14 0x00007ffff7275355 in ?? () from /usr/lib/libpython3.6m.so.1.0
#15 0x00007ffff7275685 in PyEval_EvalCodeEx () from /usr/lib/libpython3.6m.so.1.0
#16 0x00007ffff72756a6 in PyEval_EvalCode () from /usr/lib/libpython3.6m.so.1.0
#17 0x00007ffff6f23996 in __Pyx_PyExec3 (locals=0x7ffff7f26ab0, globals=0x7ffff7f26ab0, o=0x7ffff58ee780) at src/cython/vapoursynth.c:79365
#18 vpy_evaluateScript (__pyx_v_se=__pyx_v_se@entry=0x5555558a2cc0, __pyx_v_script=<optimized out>, __pyx_v_scriptFilename=<optimized out>, __pyx_v_scriptFilename@entry=0x7fffffffe5c8 "red.vpy", __pyx_v_flags=__pyx_v_flags@entry=1) at src/cython/vapoursynth.c:41408
#19 0x00007ffff6f25fdb in vpy_evaluateFile (__pyx_v_se=0x5555558a2cc0, __pyx_v_scriptFilename=<optimized out>, __pyx_v_flags=1) at src/cython/vapoursynth.c:42406
#20 0x00007ffff7b6a198 in vsscript_evaluateFile (handle=0x55555575c210 <se>, scriptFilename=0x7fffffffe5c8 "red.vpy", flags=1) at src/vsscript/vsscript.cpp:160
#21 0x0000555555556bda in main (argc=3, argv=<optimized out>) at src/vspipe/vspipe.cpp:669
…in addition to the following assert when executing the test outside of
gdb:
Assertion failed: id < (int) cache_info->number_threads (MagickCore/cache.c: QueueAuthenticPixels: 4323)
while I cannot find any similar issues where effort has been made to
uncover the underlying problem, most people seem satisfied with the
“fix” of disabling OpenMP:
- https://www.imagemagick.org/discourse-server/viewtopic.php?t=32516
- https://github.com/termux/termux-packages/issues/1314
- https://stackoverflow.com/questions/2838307/why-is-this-rmagick-call-generating-a-segmentation-fault
contrary to what is mentioned in the termux issue, setting
OMP\_NUM\_THREADS=1 does not prevent the segfault in my scenario,
however building ImageMagick with —disable-openmp does.
*(from redmine: issue id 9190, created on 2018-08-05, closed on 2018-12-20)*
* Changesets:
* Revision a23a75a8962b419f92fe63ba60317496bbfbe712 by Natanael Copa on 2018-08-06T10:19:40Z:
```
main/imagemagick: upgrade to 7.0.8.8 and disable openmp
openmp appears to cause problems on some machines. We disable it
everywhere.
fixes #9190
```
* Revision edd37627b316f881325df6073fb379a4671d366e by Natanael Copa on 2018-11-21T14:37:18Z:
```
main/imagemagick: disable openmp
openmp appears to cause problems on some machines. We disable it
everywhere.
fixes #9190
```3.8.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/9053Certbot 0.25.1-r0 failure: pkg_resources.DistributionNotFound2019-07-23T11:23:44ZThomas SchneiderCertbot 0.25.1-r0 failure: pkg_resources.DistributionNotFoundHi,
I’ve installed Certbot 0.25.1-r0 and its dependencies w/o issues.
However I cannot run certbot; this error is shown:
<code class="python">
ct102-haproxy:~# certbot --help
Traceback (most recent call last):
File...Hi,
I’ve installed Certbot 0.25.1-r0 and its dependencies w/o issues.
However I cannot run certbot; this error is shown:
<code class="python">
ct102-haproxy:~# certbot --help
Traceback (most recent call last):
File "/usr/bin/certbot", line 6, in <module>
from pkg_resources import load_entry_point
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3086, in <module>
@_call_aside
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3070, in _call_aside
f(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3099, in _initialize_master_working_set
working_set = WorkingSet._build_master()
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 574, in _build_master
ws.require(__requires__)
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 892, in require
needed = self.resolve(parse_requirements(requirements))
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 778, in resolve
raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'requests-toolbelt>=0.3.0' distribution was not found and is required by acme
</code>
This dependency is installed:
ct102-haproxy:~\# apk -vv info| grep requ
py-requests-2.19.1-r0 - A HTTP request library for Python
py2-requests-2.19.1-r0 - A HTTP request library for Python 2
*(from redmine: issue id 9053, created on 2018-07-02, closed on 2018-12-20)*
* Relations:
* relates #9238
* Changesets:
* Revision c11efc25ae73ce597fb91c7daa0192cae9973a1b by Roberto Oliveira on 2018-07-03T11:02:26Z:
```
community/certbot: add missing dependency (fixes #9053)
Add py-requests-toolbelt runtime dependency
```
* Revision 8ad5ad9f75788bd9045b7c4a1199db90d80f24c9 by Carlo Landmeter on 2018-08-06T20:27:07Z:
```
community/certbot: add py-requests-toolbelt to deps
ref #9053
```
* Revision add7b6dd3d789534d4cf60dbb7a049da403ee613 by Fabian Affolter on 2018-09-27T06:45:28Z:
```
main/py-requests: upgrade to 2.19.1
fixes #9053
fixes #9238
(cherry picked from commit c2ede3db1fe3906163c2a37177c97d28e3b52490)
```3.8.2Roberto OliveiraRoberto Oliveira