alpine issues
https://gitlab.alpinelinux.org/groups/alpine/-/issues
2021-04-01T20:46:58Z

webkit2gtk: Multiple vulnerabilities (CVE-2021-1788, CVE-2021-1844, CVE-2021-1871)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12565
2021-04-01T20:46:58Z
Alicha CH

### CVE-2021-1788
* Versions affected: WebKitGTK before 2.32.0 and WPE WebKit before 2.32.0.
* Processing maliciously crafted web content may lead to arbitrary code execution.
* A use after free issue was addressed with improved memory management.
### CVE-2021-1844
* Versions affected: WebKitGTK before 2.32.0 and WPE WebKit before 2.32.0.
* Processing maliciously crafted web content may lead to arbitrary code execution.
* A memory corruption issue was addressed with improved validation.
### CVE-2021-1871
* Versions affected: WebKitGTK before 2.32.0 and WPE WebKit before 2.32.0.
* A remote attacker may be able to cause arbitrary code execution.
#### Reference:
https://webkitgtk.org/security/WSA-2021-0003.html
### Affected branches:
* [x] master
* [x] 3.13-stable

Rasmus Thomsen <oss@cogitri.dev>

busybox: invalid free or segmentation fault via malformed gzip data (CVE-2021-28831)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12566
2021-03-31T04:59:32Z
Alicha CH

decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.
#### References:
* https://nvd.nist.gov/vuln/detail/CVE-2021-28831
* https://security-tracker.debian.org/tracker/CVE-2021-28831
#### Patch:
https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd
### Affected branches:
* [x] master: 1.33.0-r5 (8457a320f13d202a1c65be2652f0d030880f17f0)
* [x] 3.13-stable: 1.32.1-r4 (7acc3190c16c19db5767c094d5ea6de75bbc2ae8)
* [x] 3.12-stable: 1.31.1-r20 (0d639f13e315e43a11821d963031ed5b49b15a15)
* [x] 3.11-stable: 1.31.1-r10 (7332e004b92f2a688a28eee7628a1e6e16d76147)
* [x] 3.10-stable: 1.30.1-r5 (26527b0535f65a4ac0ae7f3c9afb2294885b21cc)

Natanael Copa

3.13 busybox: apk upgrade shows help for stat
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12567
2021-03-31T10:49:05Z
Simon F <simon-alpine@fraho.eu>

Running `apk upgrade` on an alpine 3.13 system shows the busybox stat help message.
```
PS C:\Users\john> docker pull alpine:3.13
3.13: Pulling from library/alpine
9aae54b2144e: Pull complete
Digest: sha256:826f70e0ac33e99a72cf20fb0571245a8fee52d68cb26d8bc58e53bfa65dcdfa
Status: Downloaded newer image for alpine:3.13
docker.io/library/alpine:3.13
PS C:\Users\john> docker run --rm -it alpine:3.13
/ # apk update
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
v3.13.3-22-g7acc3190c1 [https://dl-cdn.alpinelinux.org/alpine/v3.13/main]
v3.13.3-21-g2f0cab651f [https://dl-cdn.alpinelinux.org/alpine/v3.13/community]
OK: 13885 distinct packages available
/ # apk upgrade
(1/2) Upgrading busybox (1.32.1-r3 -> 1.32.1-r4)
Executing busybox-1.32.1-r4.post-upgrade
BusyBox v1.32.1 () multi-call binary.
Usage: stat [OPTIONS] FILE...
Display file (default) or filesystem status
-c FMT Use the specified format
-f Display filesystem status
-L Follow links
-t Terse display
FMT sequences for files:
%a Access rights in octal
%A Access rights in human readable form
%b Number of blocks allocated (see %B)
%B Size in bytes of each block reported by %b
%d Device number in decimal
%D Device number in hex
%f Raw mode in hex
%F File type
%g Group ID
%G Group name
%h Number of hard links
%i Inode number
%n File name
%N File name, with -> TARGET if symlink
%o I/O block size
%s Total size in bytes
%t Major device type in hex
%T Minor device type in hex
%u User ID
%U User name
%x Time of last access
%X Time of last access as seconds since Epoch
%y Time of last modification
%Y Time of last modification as seconds since Epoch
%z Time of last change
%Z Time of last change as seconds since Epoch
FMT sequences for file systems:
%a Free blocks available to non-superuser
%b Total data blocks
%c Total file nodes
%d Free file nodes
%f Free blocks
%i File System ID in hex
%l Maximum length of filenames
%n File name
%s Block size (for faster transfer)
%S Fundamental block size (for block counts)
%t Type in hex
%T Type in human readable form
(2/2) Upgrading ssl_client (1.32.1-r3 -> 1.32.1-r4)
Executing busybox-1.32.1-r4.trigger
OK: 6 MiB in 14 packages
/ # echo $?
0
/ #
```
busybox on edge is fine:
```
PS C:\Users\john> docker run --rm -it alpine:edge
Unable to find image 'alpine:edge' locally
edge: Pulling from library/alpine
fa7045767063: Pull complete
Digest: sha256:fa3bd1cb8b0d2d6a4de1ea7e52dffee36896bc2b1566e9a89c16637051467225
Status: Downloaded newer image for alpine:edge
/ # apk update
fetch https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
v20210212-2688-gd4b1b0d678 [https://dl-cdn.alpinelinux.org/alpine/edge/main]
v20210212-2693-gec9c654473 [https://dl-cdn.alpinelinux.org/alpine/edge/community]
OK: 14223 distinct packages available
/ # apk upgrade
Upgrading critical system libraries and apk-tools:
(1/1) Upgrading apk-tools (2.12.3-r0 -> 2.12.4-r0)
Executing busybox-1.33.0-r2.trigger
Continuing the upgrade transaction with new apk-tools:
(1/7) Upgrading musl (1.2.2-r1 -> 1.2.2-r2)
(2/7) Upgrading busybox (1.33.0-r2 -> 1.33.0-r5)
Executing busybox-1.33.0-r5.post-upgrade
(3/7) Upgrading alpine-baselayout (3.2.0-r9 -> 3.2.0-r11)
Executing alpine-baselayout-3.2.0-r11.pre-upgrade
Executing alpine-baselayout-3.2.0-r11.post-upgrade
(4/7) Upgrading libcrypto1.1 (1.1.1i-r0 -> 1.1.1k-r0)
(5/7) Upgrading libssl1.1 (1.1.1i-r0 -> 1.1.1k-r0)
(6/7) Upgrading ssl_client (1.33.0-r2 -> 1.33.0-r5)
(7/7) Upgrading musl-utils (1.2.2-r1 -> 1.2.2-r2)
Executing busybox-1.33.0-r5.trigger
OK: 6 MiB in 14 packages
/ #
```

setfattr causes error (in Gitlab CI pipeline)
https://gitlab.alpinelinux.org/alpine/abuild/-/issues/10027
2021-07-18T07:23:54Z
Wimer Hazenberg

I'm using abuild in a script to build nginx with the geoip2 module in Docker, [following these instructions](https://github.com/nginxinc/docker-nginx/tree/master/modules). I'm using the Alpine version.
This all works fine locally, but when building the same Dockerfile in a Gitlab CI setup, it breaks.
I've narrowed it down to this step:
```
>>> nginx-module-geoip2-dbg: Running split function dbg...
setfattr: ngx_http_geoip2_module-debug.so: Not supported
>>> ERROR: nginx-module-geoip2-dbg: dbg failed
>>> ERROR: nginx-module-geoip2: prepare_subpackages failed
>>> ERROR: nginx-module-geoip2: rootpkg failed
```
Seems abuild uses `setfattr`, which apparently isn't supported in every environment.
[Thresheek](https://github.com/thresheek) of Nginx helped me to [provide a fix](https://github.com/nginxinc/docker-nginx/issues/525) by disabling the functions where `setfattr` is called, but this also leads to bigger builds.
It might be good to either not call `setfattr` if it isn't available (I don't know if this has any implications) or provide an option to skip it.
Any other ideas?

nodejs, nodejs-current: security release on April 6th, 2021
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12569
2021-04-13T17:20:06Z
Michał Polański

### Source
https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/
### Summary
The Node.js project will release new versions of all supported release lines on or shortly after Tuesday, April 6th, 2021.
### Impact
* The 15.x release line of Node.js is vulnerable to two high severity issues.
* The 14.x release line of Node.js is vulnerable to three high severity issues.
* The 12.x release line of Node.js is vulnerable to three high severity issues.
* The 10.x release line of Node.js is vulnerable to three high severity issues.
### Affected aports with active support
* [x] ~~master: nodejs-current 15.13.0-r0 (community)~~ not affected
* [x] master: nodejs 14.16.0-r0 (main)
* [x] ~~3.13-stable: nodejs-current 15.10.0-r0 (community)~~ not affected
* [x] 3.13-stable: nodejs 14.16.0-r0 (main)
* [x] 3.12-stable: nodejs 12.21.0-r0 (main)
* [x] 3.11-stable: nodejs 12.21.0-r0 (main)
* [x] 3.10-stable: nodejs 10.24.0-r0 (main)

Jakub Jirutka
2021-04-06

adp-router.json spoofing error
https://gitlab.alpinelinux.org/alpine/awall/-/issues/9647
2021-06-21T07:42:03Z
TheThief

The anti-spoofing filter in adp-router.json looks like this:
```json
"filter": [
{
"in": "adp-wan",
"dest": "$adp_lan_private_addrs",
"action": "drop"
}
]
```
but this has the side effect of dropping any port forwarding rules also, as dnat (for port forward rules) happens in _pre-routing_ and so the packet ends up being processed in the in/forward/out as having an _in interface of WAN_ and a _dest of an internal IP_ - matching this drop rule! This can be worked around by adding `"before": "adp-router",` to any port-forwarding rules.
Unfortunately the above also breaks the default icmp-routing rules that are supposed to allow icmp types 3, 11, and 12 - but get added to the chains _after_ the above supposed anti-spoofing rule and as such get blocked by it.
Shouldn't anti-spoofing be `"src": "$adp_lan_private_addrs",` anyway? A packet with a dest addr of your private IP would never be routed to your WAN interface in the first place, spoofing attacks normally use a forged "src", not "dest".

[CVE-2021-30139] Out-of-bounds read during tar parsing
https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10741
2021-04-14T08:43:50Z
Sören Tempel

## Description
apk performs insufficient sanity checks on tar entries. The [GNU Tar format specification](https://www.gnu.org/software/tar/manual/html_node/Standard.html) states the following on fields in tar entries:
> The `name`, `linkname`, `magic`, `uname`, and `gname` are null-terminated character strings. All other fields are zero-filled octal numbers in ASCII.
The code for parsing tar entries in apk is here:
https://gitlab.alpinelinux.org/alpine/apk-tools/-/blob/354713d2f746c197eed6a1feb4c6af3420af6c15/src/io_archive.c#L143
This code just **assumes** that `uname`, etc. are null-terminated and uses string functions on them without a prior check if null terminators are actually present. For example:
```C
.uid = apk_resolve_uid(idc, buf.uname, GET_OCTAL(buf.uid)),
```
will use `strlen()` internally on `buf.uname`. This will cause an out-of-bounds read. This code is run before the signature is validated.
## Reproducing
This issue can be reproduced using [out-of-bounds-read-apk-tar-uname.apk](/uploads/bbb6de44db177aaeab78099617ccc71f/out-of-bounds-read-apk-tar-uname.apk) and `valgrind`:
```
$ valgrind ./src/apk.static add /tmp/out-of-bounds-read-apk-tar-uname.apk
==31584== Memcheck, a memory error detector
==31584== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==31584== Using Valgrind-3.17.0 and LibVEX; rerun with -h for copyright info
==31584== Command: ./src/apk.static --initdb --root ./root/ add /tmp/out-of-bounds-read-apk-tar-uname.apk
==31584==
==31584== Warning: invalid file descriptor -1 in syscall read()
==31584== Warning: invalid file descriptor -1 in syscall close()
==31584== Warning: invalid file descriptor -1 in syscall read()
==31584== Warning: invalid file descriptor -1 in syscall close()
==31584== Conditional jump or move depends on uninitialised value(s)
==31584== at 0x5C8CA5: strlen (strlen.c:17)
==31584== by 0x432575: APK_BLOB_STR (apk_blob.h:79)
==31584== by 0x4350EB: apk_resolve_uid (io.c:1112)
==31584== by 0x43696C: apk_tar_parse (io_archive.c:152)
==31584== by 0x4271BC: apk_pkg_read (package.c:929)
==31584== by 0x402D75: add_main (app_add.c:163)
==31584== by 0x40D5FF: main (apk-static.c:516)
==31584==
==31584== Conditional jump or move depends on uninitialised value(s)
==31584== at 0x5C8CB0: strlen (strlen.c:20)
==31584== by 0x432575: APK_BLOB_STR (apk_blob.h:79)
==31584== by 0x4350EB: apk_resolve_uid (io.c:1112)
==31584== by 0x43696C: apk_tar_parse (io_archive.c:152)
==31584== by 0x4271BC: apk_pkg_read (package.c:929)
==31584== by 0x402D75: add_main (app_add.c:163)
==31584== by 0x40D5FF: main (apk-static.c:516)
==31584==
==31584== Use of uninitialised value of size 8
==31584== at 0x4313FB: apk_hash_get_hashed (hash.c:61)
==31584== by 0x434F73: resolve_cache_item (io.c:1064)
==31584== by 0x435107: apk_resolve_uid (io.c:1112)
==31584== by 0x43696C: apk_tar_parse (io_archive.c:152)
==31584== by 0x4271BC: apk_pkg_read (package.c:929)
==31584== by 0x402D75: add_main (app_add.c:163)
==31584== by 0x40D5FF: main (apk-static.c:516)
==31584==
==31584== Use of uninitialised value of size 8
==31584== at 0x4310F0: hlist_add_head (apk_defines.h:231)
==31584== by 0x4314F4: apk_hash_insert_hashed (hash.c:78)
==31584== by 0x434FF1: resolve_cache_item (io.c:1074)
==31584== by 0x435107: apk_resolve_uid (io.c:1112)
==31584== by 0x43696C: apk_tar_parse (io_archive.c:152)
==31584== by 0x4271BC: apk_pkg_read (package.c:929)
==31584== by 0x402D75: add_main (app_add.c:163)
==31584== by 0x40D5FF: main (apk-static.c:516)
==31584==
==31584== Use of uninitialised value of size 8
==31584== at 0x431118: hlist_add_head (apk_defines.h:234)
==31584== by 0x4314F4: apk_hash_insert_hashed (hash.c:78)
==31584== by 0x434FF1: resolve_cache_item (io.c:1074)
==31584== by 0x435107: apk_resolve_uid (io.c:1112)
==31584== by 0x43696C: apk_tar_parse (io_archive.c:152)
==31584== by 0x4271BC: apk_pkg_read (package.c:929)
==31584== by 0x402D75: add_main (app_add.c:163)
==31584== by 0x40D5FF: main (apk-static.c:516)
==31584==
==31584== Warning: invalid file descriptor -1 in syscall read()
==31584== Warning: invalid file descriptor -1 in syscall close()
==31584== Conditional jump or move depends on uninitialised value(s)
==31584== at 0x5C8CA5: strlen (strlen.c:17)
==31584== by 0x432575: APK_BLOB_STR (apk_blob.h:79)
==31584== by 0x435207: apk_resolve_gid (io.c:1154)
==31584== by 0x4369A9: apk_tar_parse (io_archive.c:153)
==31584== by 0x4271BC: apk_pkg_read (package.c:929)
==31584== by 0x402D75: add_main (app_add.c:163)
==31584== by 0x40D5FF: main (apk-static.c:516)
==31584==
==31584== Conditional jump or move depends on uninitialised value(s)
==31584== at 0x5C8CB0: strlen (strlen.c:20)
==31584== by 0x432575: APK_BLOB_STR (apk_blob.h:79)
==31584== by 0x435207: apk_resolve_gid (io.c:1154)
==31584== by 0x4369A9: apk_tar_parse (io_archive.c:153)
==31584== by 0x4271BC: apk_pkg_read (package.c:929)
==31584== by 0x402D75: add_main (app_add.c:163)
==31584== by 0x40D5FF: main (apk-static.c:516)
==31584==
==31584== Use of uninitialised value of size 8
==31584== at 0x4313FB: apk_hash_get_hashed (hash.c:61)
==31584== by 0x434F73: resolve_cache_item (io.c:1064)
==31584== by 0x435223: apk_resolve_gid (io.c:1154)
==31584== by 0x4369A9: apk_tar_parse (io_archive.c:153)
==31584== by 0x4271BC: apk_pkg_read (package.c:929)
==31584== by 0x402D75: add_main (app_add.c:163)
==31584== by 0x40D5FF: main (apk-static.c:516)
==31584==
==31584== Use of uninitialised value of size 8
==31584== at 0x4310F0: hlist_add_head (apk_defines.h:231)
==31584== by 0x4314F4: apk_hash_insert_hashed (hash.c:78)
==31584== by 0x434FF1: resolve_cache_item (io.c:1074)
==31584== by 0x435223: apk_resolve_gid (io.c:1154)
==31584== by 0x4369A9: apk_tar_parse (io_archive.c:153)
==31584== by 0x4271BC: apk_pkg_read (package.c:929)
==31584== by 0x402D75: add_main (app_add.c:163)
==31584== by 0x40D5FF: main (apk-static.c:516)
==31584==
==31584== Use of uninitialised value of size 8
==31584== at 0x431118: hlist_add_head (apk_defines.h:234)
==31584== by 0x4314F4: apk_hash_insert_hashed (hash.c:78)
==31584== by 0x434FF1: resolve_cache_item (io.c:1074)
==31584== by 0x435223: apk_resolve_gid (io.c:1154)
==31584== by 0x4369A9: apk_tar_parse (io_archive.c:153)
==31584== by 0x4271BC: apk_pkg_read (package.c:929)
==31584== by 0x402D75: add_main (app_add.c:163)
==31584== by 0x40D5FF: main (apk-static.c:516)
==31584==
==31584== Warning: invalid file descriptor -1 in syscall read()
==31584== Warning: invalid file descriptor -1 in syscall close()
ERROR: /tmp/out-of-bounds-read-apk-tar-uname.apk: BAD archive
==31584==
==31584== HEAP SUMMARY:
==31584== in use at exit: 0 bytes in 0 blocks
==31584== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==31584==
==31584== All heap blocks were freed -- no leaks are possible
==31584==
==31584== Use --track-origins=yes to see where uninitialised values come from
==31584== For lists of detected and suppressed errors, rerun with: -s
==31584== ERROR SUMMARY: 16 errors from 10 contexts (suppressed: 0 from 0)
```
## Hotfix
```diff
diff --git a/src/io_archive.c b/src/io_archive.c
index de4741e..d68263b 100644
--- a/src/io_archive.c
+++ b/src/io_archive.c
@@ -51,6 +51,7 @@ struct tar_header {
#define GET_OCTAL(s) get_octal(s, sizeof(s))
#define PUT_OCTAL(s,v) put_octal(s, sizeof(s), v)
+#define HAS_NULLTERM(a) memchr(a, '\0', sizeof(a))
static unsigned int get_octal(char *s, size_t l)
{
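Review bot: HAS_NULLTERM depends on sizeof(a), so it is only correct when the argument is an array member such as buf.uname; given a pointer it would still compile and scan only pointer-size bytes. A comment stating the array-only contract, plus parentheses around the argument and around the whole expansion, would keep later callers from misusing it.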
@@ -147,6 +148,14 @@ int apk_tar_parse(struct apk_istream *is, apk_archive_entry_parser parser,
continue;
}
+ /* Ensure that fields which should be null-terminated
+ * are null-terminated to use string functions on them. */
+ if (!HAS_NULLTERM(buf.uname) || !HAS_NULLTERM(buf.gname) ||
+ !HAS_NULLTERM(buf.linkname) || !HAS_NULLTERM(buf.magic) ||
+ !HAS_NULLTERM(buf.name)) {
+ goto err;
+ }
+
entry = (struct apk_file_info){
.size = GET_OCTAL(buf.size),
.uid = apk_resolve_uid(idc, buf.uname, GET_OCTAL(buf.uid)),
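Review bot: The new check also fails on buf.name and buf.linkname when they have no NUL, but POSIX ustar allows those two fields to be completely filled without a terminator, so a header whose name is exactly the field length would now be rejected. Consider length-bounded reads for name and linkname and keeping the hard failure for the fields handed to string functions such as buf.uname in the apk_resolve_uid call; also confirm that the err label returns an error status on this path, since nothing is set before the goto.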
```

Timo Teräs

vips is not built with text rendering support
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12570
2021-04-03T07:34:44Z
Renaud Chaput

The vips package in aports is currently not built with text-rendering support.
In the [build log](https://build.alpinelinux.org/buildlogs/build-edge-x86/community/vips/vips-8.10.6-r0.log):
```
text rendering with pangoft2: no
```
This requires the `pango` library at runtime and `pango-dev` when building.
Would it be possible to add it by default, or is this unwanted as it adds another dependency and a custom package would be the way to go here?
As a side note, the project website changed to https://libvips.github.io/libvips/, the old one is still used in the package.
Thanks!
cc @wjordan

Adding vlan package to apkovl renders custom ISO unbootable
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12571
2021-05-09T19:33:24Z
Alex Haydock

I'm hitting an issue where an Alpine ISO stops booting completely if I add the `vlan` package to a custom ISO and include it in `/etc/apk/world` in an `apkovl` file embedded into the ISO [as described on the wiki page for custom builds](https://wiki.alpinelinux.org/wiki/How_to_make_a_custom_ISO_image_with_mkimage#Making_packages_available_on_boot).
An example of the error can be found below, booted in QEMU:
![Bug Report](https://gitlab.com/alexhaydock/alpine-apkovl-vlan-bugreport/-/raw/master/screenshot.png "Bug Report")
Inspecting the `vlan` package shows it only contains a few scripts, and all live inside either `/etc/if-pre-up.d` or `/etc/if-post-down.d`. I'm wondering if there's some kind of race condition with networking and runlevels that gets introduced when the `vlan` package is layered into the live system, but I'm struggling to work out what it might be.
For convenience, I've put together a complete MVP proof of concept that will produce a bugged ISO [in this repository](https://gitlab.com/alexhaydock/alpine-apkovl-vlan-bugreport). Running it as-is will produce the broken ISO. Removing the `vlan` package from the `genapkovl-bugreport.sh` file stops the problem from occurring and the generated ISO is fully functional.
Any ideas what I'm missing here? I'd really like to be able to build a read-only system that can boot from RAM as a router and having VLAN support is critical for this.

abuild-keygen fails without aborting if run as a non-root user and sudo isn't installed
https://gitlab.alpinelinux.org/alpine/abuild/-/issues/10028
2021-07-18T07:23:53Z
Newbyte

Currently, abuild-keygen fails to install the pubkey to `/etc/apk/keys` if it's run as a non-root user and sudo is not installed (and `$SUDO` isn't set). This makes sense, however the problem is that the script goes on anyway and - to my knowledge - does not provide a trivial way to redo this process short of doing it manually yourself. While this definitely works, I think it would be preferable if the script aborted early if it is in a situation where it won't be able to execute itself in its entirety. I imagine this would be implemented by checking whether `$SUDO` is an executable, and if not it checks if it can write to `/etc/apk/keys`, but suggestions for better solutions are welcome.

community/xterm: segfault when selecting text (363-r1)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12572
2021-04-06T19:59:42Z
Mark

Since updating to xterm-363-r1, I get segfaults after selecting text.
Previously this was ok; I don't know how to see which previous version was in use, but it was recent (is there a log?)
xterm-367 from upstream does not seem to be affected. Upstream doesn't have a commit history I can check or bisect for information about this bug.
I have some customisation in Xdefaults.
```
$ gdb --args xterm
GNU gdb (GDB) 10.1
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-alpine-linux-musl".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from xterm...
(No debugging symbols found in xterm)
(gdb) run
Starting program: /usr/bin/xterm
[Detaching after fork from child process 7621]
Program received signal SIGSEGV, Segmentation fault.
get_meta (p=p@entry=0x7ffff7a29120 "\n\n\n\n\n\n")
at src/malloc/mallocng/meta.h:141
141 src/malloc/mallocng/meta.h: No such file or directory.
(gdb) bt
#0 get_meta (p=p@entry=0x7ffff7a29120 "\n\n\n\n\n\n")
at src/malloc/mallocng/meta.h:141
#1 0x00007ffff7f8abe7 in __libc_free (p=0x7ffff7a29120)
at src/malloc/mallocng/free.c:105
#2 0x00005555555794e2 in ?? ()
#3 0x000055555557af3c in ?? ()
#4 0x000055555557daba in ?? ()
#5 0x00007ffff7d9712f in ?? () from /usr/lib/libXt.so.6
#6 0x00007ffff7d974dc in ?? () from /usr/lib/libXt.so.6
#7 0x00007ffff7d97ff1 in _XtTranslateEvent () from /usr/lib/libXt.so.6
#8 0x00007ffff7d7971b in XtDispatchEventToWidget () from /usr/lib/libXt.so.6
#9 0x00007ffff7d79b3d in ?? () from /usr/lib/libXt.so.6
#10 0x00007ffff7d79cb1 in XtDispatchEvent () from /usr/lib/libXt.so.6
#11 0x00005555555a818d in ?? ()
#12 0x000055555558ba71 in ?? ()
#13 0x000055555558bcb1 in ?? ()
#14 0x0000555555577756 in ?? ()
#15 0x00007ffff7f83a03 in libc_start_main_stage2 (main=0x5555555767c0, argc=1,
argv=0x7fffffffea18) at src/env/__libc_start_main.c:94
#16 0x0000555555577a1c in ?? ()
#17 0x0000000000000001 in ?? ()
#18 0x00007fffffffecc9 in ?? ()
#19 0x0000000000000000 in ?? ()
(gdb)
```
.Xdefaults:
```
xterm*background: Black
xterm*foreground: DarkGrey
xterm*cursorColor: Red
xterm*reverseVideo: false
xterm*scrollBar: false
xterm*reverseWrap: true
xterm*font: fixed
xterm*fullCursor: true
xterm*scrollTtyOutput: off
xterm*scrollKey: on
xterm*fastScroll: on
xterm*titleBar: false
xterm*iconName: xterm
xterm*activeIcon: false
xterm*title: xterm
xterm*colorULMode: off
xterm*colorBDMode: off
xterm*trimSelection: on
xterm*highlightSelection: on
!xterm*on3Clicks: regex [^ ''""()<>$+]*
xterm*on3Clicks: line
xterm*on4Clicks: line
xterm*on5Clicks: group
xterm*eightBitInput: false
xterm*metaSendsEscape: true
xterm*pointerMode: 0
xterm*allowColorOps: false
xterm*allowFontOps: false
xterm*allowTcapOps: false
xterm*allowTitleOps: false
xterm*allowWindowOps: false
xterm*utf8: true
```

Jakub Jirutka

hexchat: fails to start with lua 5.4.3
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12573
2021-04-08T09:39:41Z
Francesco Colista

hexchat fails to start with the following error:
```
PANIC: unprotected error in call to Lua API (attempt to call a nil value)
Aborted
```
Rebuilding hexchat doesn't fix the problem.
Similar (same?) issue happens with Arch Linux: https://bugs.archlinux.org/task/70213
The guy reported the issue upstream: https://github.com/hexchat/hexchat/issues/2558
Temporary workaround is starting hexchat without plugins:
```
~$ hexchat -n
```
.: Francesco

gnome-desktop (v40): cursor/touch issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12574
2021-04-11T18:49:48Z
notthewave

The gnome-desktop (v40) package seems to have pointer/touch issues.
This is both apparent on a laptop/desktop device as well as on
devices with a touch interface. See demonstration Video here:
(pinephone)
https://www.youtube.com/watch?v=w2owj4549_s
I suppose this is due to the recent gnome-desktop (v40) update, but might be caused by something else.

Rasmus Thomsen <oss@cogitri.dev>

perl-digest-md5-doc conflicts with perl-doc
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12575
2021-04-05T21:03:21Z
Drew DeVault

ERROR: perl-digest-md5-doc-2.58-r0: trying to overwrite usr/share/man/man3/Digest::MD5.3pm.gz owned by perl-doc-5.32.1-r0.

Missing: zutils in Alpine 3.13
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12576
2021-04-04T20:25:58Z
Guillaume Boudreau

Not sure if this is expected, but zutils package seems to be missing from Alpine 3.13 (and Edge).
Can't find any other package that provides zgrep either.

https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub NOT ACCESSIBLE
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12577
2021-04-05T23:45:13Z
lchopra-equinix

Hi Team,
I am not sure if this is the correct forum but https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub is not accessible and our docker builds have dependency to download the public key and hence failing. We are getting 522 error. Any help would be appreciated.

community/pix: missing dependencies
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12578
2021-05-25T08:26:57Z
Alexander Brzoska

Pix has missing dependencies, that leads to problems (doesn't start / missing features).
*Reproducible on*
* Alpine edge x86_64 with XFCE
* postmarketOS edge x86_64 with Weston
* postmarketOS edge aarch64 with Phosh
Installing following packages resolved the issues:
* <code>kquickimageeditor</code> *else Pix won't start*
* <code>qt5-qtbase-sqlite</code> *else Pix prints error messages à la* <code>QSqlError("", "Driver not loaded", "Driver not loaded")</code> *and some features won't work (e.g. giving tags to images)*
* ~~<code>breeze-icons</code> *else Pix won't have icons*~~
~~I'm very unsure about the last one since breeze is probably not the only icon pack that works well with Pix. And (at least) on Phosh, I first needed to install <code>qt5ct</code> and tweak it before Pix used the Breeze icon theme - setting <code>QT_STYLE_OVERRIDE=Breeze</code> did nothing, but maybe that's user error and I'm missing something here.~~
**Edit**: Maybe I should've searched the issue tracker in pmOS and Alpine first before bringing up the icon issue... Seems like this is a known problem: [pmaports#571](https://gitlab.com/postmarketOS/pmaports/-/issues/571) and !15847. I guess then only the above-mentioned dependencies should be added. Since it's trivial, I could propose an MR regarding these myself (if desired).
Bart Ribbers

https://gitlab.alpinelinux.org/alpine/infra/turbo-paste/-/issues/4
Permanent XSS
2021-04-06T15:50:44Z
Sören Tempel
In syntax highlighting mode HTML is not properly escaped, thereby allowing cross site scripting. To reproduce:
$ echo "<script>alert('XSS');</script>" | curl -s -F 'tpaste=<-' https://tpaste.us/
And append `?hl=true` to the resulting url.
Example paste: https://tpaste.us/jnKq?hl=true

https://gitlab.alpinelinux.org/alpine/aports/-/issues/12579
Python packages do not actually install
2021-04-17T12:16:22Z
David Hannasch
Sometime in the last few hours, something really strange started happening: Python packages installed with apk add do not actually install.
You can run a Dockerfile like
```
FROM alpine:edge
RUN apk add --no-cache python3 py3-pip py3-wheel \
&& python3 -c "import pip"
```
And observe that it kicks back an error: `ModuleNotFoundError: No module named 'pip'`. (And attempting to use pip to install other packages similarly fails, and so forth.)
This isn't specific to pip; other py3-* packages do this too, such as py3-cryptography.
You can see this in action at https://hub.docker.com/repository/docker/dahanna/test-py3-cryptography.
https://github.com/dHannasch/test-py3-cryptography/blob/main/Dockerfile
I think everything was working normally as of 6:50pm EDT, not sure, don't have a clean log to check. I don't know what the time zone is for the build time given by https://pkgs.alpinelinux.org/package/edge/main/x86/python3 or whether it might ignore Daylight Savings Time. I don't know whether this might be related to https://gitlab.alpinelinux.org/alpine/aports/-/commit/d9457fc9f6a60c6721577b4021fcbbff5da489c3 (if it is, I cannot begin to guess how).
I'm guessing that something is going on with https://gitlab.alpinelinux.org/alpine/aports/-/tree/master/main/python3 rather than https://gitlab.alpinelinux.org/alpine/aports/-/tree/master/community/py3-pip, since the latter hasn't changed in weeks.

https://gitlab.alpinelinux.org/alpine/aports/-/issues/12580
spamassassin bayes: DB_File module not installed, cannot use bayes
2021-08-09T08:18:09Z
Martin Lantz
As mentioned in 68e77a6a390559df03ddfea677b5bff22a1b44a8 the bdb support was removed due to licensing issues. But this breaks the default bayes database. The following demonstrates the issue:
```sh
sa-learn -D --dump magic
...
dbg: bayes: DB_File module not installed, cannot use bayes
...
ERROR: Bayes dump returned an error, please re-run with -D for more information
```
Using amavis with spamassassin needs 2 databases; one for quarantine and one for bayes. By default both use bdb.
The default amavis quarantine database, which depends on bdb support, works in v3.13 since the package perl-db is available. Unfortunately, since the package perl-db_file is not available, the default spamassassin bayes database cannot be used.
The perl-db_file package was removed in 5a48ee640c1340bf3c54aef8f4c29811f82333cc with the comment that "No package should depend on it". Still, the functionality of spamassassin is limited without it.
Is there any chance we can reinstate the perl-db_file package? If not, do the maintainers have any alternative suggestion on how we can address this issue?
Leonardo Arena