Adélie Package Tree issues
https://git.adelielinux.org/adelie/packages/-/issues
2022-02-02T16:51:27Z
https://git.adelielinux.org/adelie/packages/-/issues/240
user/libgd: CVE-2018-14553: NULL pointer dereference
2022-02-02T16:51:27Z
Emily
| | |
| --- | --- |
| Bugzilla ID | 240 |
| Alias(es) | CVE-2018-14553 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-02-24 23:22:11 -0600 |
| Modified | 2020-03-09 21:56:49 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2018-14553 |
## Description
> gdImageClone in gd.c in libgd 2.1.0-rc2 through 2.2.5 has a NULL
> pointer dereference allowing attackers to crash an application via a
> specific function call sequence. Only affects PHP when linked with an
> external libgd (not bundled).
1.0-BETA3
https://git.adelielinux.org/adelie/packages/-/issues/239
user/weechat: CVE-2020-8955: buffer overflow
2022-02-02T16:51:33Z
Emily
| | |
| --- | --- |
| Bugzilla ID | 239 |
| Alias(es) | CVE-2020-8955 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-02-24 23:14:45 -0600 |
| Modified | 2020-03-09 21:56:27 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2020-8955 |
## Description
> irc_mode_channel_update in plugins/irc/irc-mode.c in WeeChat through
> 2.7 allows remote attackers to cause a denial of service (buffer
> overflow and application crash) or possibly have unspecified other
> impact via a malformed IRC message 324 (channel mode).
1.0-BETA3
https://git.adelielinux.org/adelie/packages/-/issues/238
user/mariadb: CVE-2020-7221: symlink attack
2022-02-02T16:51:41Z
Emily
| | |
| --- | --- |
| Bugzilla ID | 238 |
| Alias(es) | CVE-2020-7221 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-02-24 23:13:31 -0600 |
| Modified | 2020-03-03 08:09:11 -0600 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2020-7221 |
## Description
> mysql_install_db in MariaDB 10.4.7 through 10.4.11 allows privilege
> escalation from the mysql user account to root because chown and chmod
> are performed unsafely, as demonstrated by a symlink attack on a chmod
> 04755 of auth_pam_tool_dir/auth_pam_tool. NOTE: this does not affect
> the Oracle MySQL product, which implements mysql_install_db
> differently.
1.0-BETA3
https://git.adelielinux.org/adelie/packages/-/issues/237
user/djvulibre: CVE-2019-18804: NULL pointer dereference
2022-02-02T16:51:50Z
Emily
| | |
| --- | --- |
| Bugzilla ID | 237 |
| Alias(es) | CVE-2019-18804 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-02-24 23:09:26 -0600 |
| Modified | 2020-03-09 21:56:17 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2019-18804 |
## Description
> DjVuLibre 3.5.27 has a NULL pointer dereference in the function
> DJVU::filter_fv at IW44EncodeCodec.cpp.
1.0-BETA3
https://git.adelielinux.org/adelie/packages/-/issues/236
user/librsvg: CVE-2019-20446: exponential SVG expansion
2022-02-02T16:51:58Z
Emily
| | |
| --- | --- |
| Bugzilla ID | 236 |
| Alias(es) | CVE-2019-20446 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-02-24 23:08:45 -0600 |
| Modified | 2020-03-09 21:58:28 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2019-20446 |
## Description
CVE-2019-20446: https://nvd.nist.gov/vuln/detail/CVE-2019-20446
> In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with
> nested patterns can cause denial of service when passed to the library
> for processing. The attacker constructs pattern elements so that the
> number of final rendered objects grows exponentially.
1.0-BETA3
https://git.adelielinux.org/adelie/packages/-/issues/235
user/openjpeg: multiple vulnerabilities
2020-03-10T02:57:06Z
Emily
| | |
| --- | --- |
| Bugzilla ID | 235 |
| Alias(es) | CVE-2020-6851, CVE-2020-8112 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-02-24 23:02:41 -0600 |
| Modified | 2020-03-09 21:57:06 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
## Description
CVE-2020-6851: https://nvd.nist.gov/vuln/detail/CVE-2020-6851
> OpenJPEG through 2.3.1 has a heap-based buffer overflow in
> opj_t1_clbl_decode_processor in openjp2/t1.c because of lack of
> opj_j2k_update_image_dimensions validation.
CVE-2020-8112: https://nvd.nist.gov/vuln/detail/CVE-2020-8112
> opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through
> 2020-01-28 has a heap-based buffer overflow in the qmfbid==1 case, a
> different issue than CVE-2020-6851.
1.0-BETA3
https://git.adelielinux.org/adelie/packages/-/issues/234
system/libxml2: multiple vulnerabilities
2020-03-10T02:56:00Z
Emily
| | |
| --- | --- |
| Bugzilla ID | 234 |
| Alias(es) | CVE-2019-20388, CVE-2020-7595 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-02-24 23:01:52 -0600 |
| Modified | 2020-03-09 21:56:00 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
## Description
CVE-2019-20388: https://nvd.nist.gov/vuln/detail/CVE-2019-20388
> xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an
> xmlSchemaValidateStream memory leak.
CVE-2020-7595: https://nvd.nist.gov/vuln/detail/CVE-2020-7595
> xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an
> infinite loop in a certain end-of-file situation.
1.0-BETA3
https://git.adelielinux.org/adelie/packages/-/issues/233
user/exiv2: CVE-2019-20421: infinite loop
2022-02-02T16:52:05Z
Emily
| | |
| --- | --- |
| Bugzilla ID | 233 |
| Alias(es) | CVE-2019-20421 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-02-24 22:56:53 -0600 |
| Modified | 2020-03-09 21:55:19 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2019-20421 |
## Description
> In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input
> file can result in an infinite loop and hang, with high CPU
> consumption. Remote attackers could leverage this vulnerability to
> cause a denial of service via a crafted file.
1.0-BETA3
https://git.adelielinux.org/adelie/packages/-/issues/232
system/python3: multiple vulnerabilities
2022-05-02T03:29:22Z
Emily
| | |
| --- | --- |
| Bugzilla ID | 232 |
| Alias(es) | CVE-2019-18348, CVE-2019-20907, CVE-2019-20916, CVE-2019-9674, CVE-2020-14422, CVE-2020-26116, CVE-2020-27619, CVE-2020-8315, CVE-2020-8492 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-02-24 22:56:38 -0600 |
| Modified | 2020-12-03 23:22:57 -0600 |
| Status | CONFIRMED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| Package(s) | system/python3 |
## Description
CVE-2019-18348: https://nvd.nist.gov/vuln/detail/CVE-2019-18348
> An issue was discovered in urllib2 in Python 2.x through 2.7.17 and
> urllib in Python 3.x through 3.8.0. CRLF injection is possible if the
> attacker controls a url parameter, as demonstrated by the first
> argument to urllib.request.urlopen with \r\n (specifically in the host
> component of a URL) followed by an HTTP header. This is similar to the
> CVE-2019-9740 query string issue and the CVE-2019-9947 path string
> issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.)
CVE-2020-8315: https://nvd.nist.gov/vuln/detail/CVE-2020-8315
> In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8
> through 3.8.1, an insecure dependency load upon launch on Windows 7
> may result in an attacker's copy of api-ms-win-core-path-l1-1-0.dll
> being loaded and used instead of the system's copy. Windows 8 and
> later are unaffected.
CVE-2020-8492: https://nvd.nist.gov/vuln/detail/CVE-2020-8492
> Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7
> through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct
> Regular Expression Denial of Service (ReDoS) attacks against a client
> because of urllib.request.AbstractBasicAuthHandler catastrophic
> backtracking.
1.0-BETA3
https://git.adelielinux.org/adelie/packages/-/issues/230
system/man-db: Segmentation fault recreating database on 32-bit x86 (pmmx)
2020-06-05T23:02:05Z
Emily
| | |
| --- | --- |
| Bugzilla ID | 230 |
| Reporter | A. Wilcox (awilfox) |
| Assignee | A. Wilcox (awilfox) |
| Reported | 2020-01-26 23:42:39 -0600 |
| Modified | 2020-06-05 18:02:05 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / Intel x86 (32-bit) |
| Importance | --- / critical |
## Description
Symptom:
```
Executing man-db-2.8.6.1-r0.trigger
ERROR: man-db-2.8.6.1-r0.trigger: script exited with error 0
```
Cause:
```
Starting program: /usr/bin/mandb /usr/share/man
Purging old database entries in /usr/share/man...
Program received signal SIGSEGV, Segmentation fault.
__stack_chk_fail () at src/env/__stack_chk_fail.c:17
17 src/env/__stack_chk_fail.c: No such file or directory.
(gdb) bt
#0 __stack_chk_fail () at src/env/__stack_chk_fail.c:17
#1 0xb7ea5827 in __stack_chk_fail_local () at /usr/src/packages/system/gcc/src/gcc-8.3.0/libssp/ssp-local.c:48
#2 0xb7e904c5 in __os_unique_id (env=env@entry=0xb7fffe00, idp=idp@entry=0x4217f4) at ../src/os/os_uid.c:50
#3 0xb7e5a84a in __env_attach (env=env@entry=0xb7fffe00, init_flagsp=init_flagsp@entry=0xbfffee88, create_ok=create_ok@entry=1, retry_ok=retry_ok@entry=1) at ../src/env/env_region.c:442
#4 0xb7e53b02 in __env_attach_regions (dbenv=dbenv@entry=0xb7f43030, flags=66561, orig_flags=orig_flags@entry=0, retry_ok=retry_ok@entry=1) at ../src/env/env_open.c:1030
#5 0xb7e542a7 in __env_open (dbenv=0xb7f43030, db_home=db_home@entry=0x0, flags=<optimized out>, flags@entry=66561, mode=mode@entry=0) at ../src/env/env_open.c:209
#6 0xb7e1050d in __env_setup (dbp=dbp@entry=0xb7f434b0, txn=txn@entry=0x0, fname=fname@entry=0xb7fffde0 "/var/cache/man/index.bt", dname=dname@entry=0x0, id=0, flags=flags@entry=0) at ../src/db/db.c:486
#7 0xb7e317fb in __db_open (dbp=dbp@entry=0xb7f434b0, ip=0x0, txn=0x0, fname=fname@entry=0xb7fffde0 "/var/cache/man/index.bt", dname=dname@entry=0x0, type=type@entry=DB_BTREE, flags=flags@entry=0, mode=mode@entry=420, meta_pgno=meta_pgno@entry=0)
at ../src/db/db_open.c:211
#8 0xb7e2ae33 in __db_open_pp (dbp=0xb7f434b0, txn=<optimized out>, txn@entry=0x0, fname=fname@entry=0xb7fffde0 "/var/cache/man/index.bt", dname=dname@entry=0x0, type=type@entry=DB_BTREE, flags=0, mode=mode@entry=420) at ../src/db/db_iface.c:1193
#9 0xb7d36d08 in __db185_open (file=file@entry=0xb7fffde0 "/var/cache/man/index.bt", oflags=oflags@entry=2, mode=mode@entry=420, type=DB_BTREE, type@entry=0, openinfo=openinfo@entry=0xbffff12c) at ../lang/db185/db185.c:230
#10 0xb7f3e4e6 in btree_flopen (filename=0xb7fffde0 "/var/cache/man/index.bt", flags=flags@entry=2, mode=mode@entry=420) at db_btree.c:127
#11 0x00405538 in purge_missing (manpath=0xb7fffce0 "/usr/share/man", catpath=0xb7fffcb0 "/var/cache/man", will_run_mandb=1) at check_mandirs.c:965
#12 0x0040b77c in process_manpath (manpath=0xb7fffce0 "/usr/share/man", global_manpath=true, tried_catdirs=<optimized out>) at mandb.c:601
#13 0x00402e8f in main (argc=2, argv=0xbffff784) at mandb.c:876
```
1.0-BETA3
https://git.adelielinux.org/adelie/packages/-/issues/229
user/rust: 1.38.0 fails test suite on ARM64: assertion failure in ui/variadic...
2022-11-11T21:46:18Z
Emily
user/rust: 1.38.0 fails test suite on ARM64: assertion failure in ui/variadic-ffi.rs
| | |
| --- | --- |
| Bugzilla ID | 229 |
| Reporter | A. Wilcox (awilfox) |
| Assignee | Samuel Holland |
| Reported | 2020-01-23 14:52:54 -0600 |
| Modified | 2020-06-22 06:13:52 -0500 |
| Status | CONFIRMED |
| Version | 1.0-BETA4 |
| Hardware | Adélie Linux / [Community] ARM (64-bit) |
| Importance | --- / critical |
| Package(s) | user/rust |
## Description
```
failures:
---- [ui] ui/variadic-ffi.rs stdout ----
error: test run failed!
status: exit code: 101
command: "/usr/src/packages/user/rust/src/rustc-1.38.0-src/build/aarch64-foxkit-linux-musl/test/ui/variadic-ffi/a"
stdout:
------------------------------------------
------------------------------------------
stderr:
------------------------------------------
thread 'main' panicked at 'assertion failed: `(left == right)`
left: `30`,
right: `50`', /usr/src/packages/user/rust/src/rustc-1.38.0-src/src/test/ui/variadic-ffi.rs:31:5
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace.
------------------------------------------
failures:
[ui] ui/variadic-ffi.rs
test result: FAILED. 8818 passed; 1 failed; 62 ignored; 0 measured; 0 filtered out
thread 'main' panicked at 'Some tests failed', src/tools/compiletest/src/main.rs:536:22
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace.
command did not execute successfully: "/usr/src/packages/user/rust/src/rustc-1.38.0-src/build/aarch64-foxkit-linux-musl/stage0-tools-bin/compiletest" "--compile-lib-path" "/usr/src/packages/user/rust/src/rustc-1.38.0-src/build/aarch64-foxkit-linux-musl/stage2/lib" "--run-lib-path" "/usr/src/packages/user/rust/src/rustc-1.38.0-src/build/aarch64-foxkit-linux-musl/stage2/lib/rustlib/aarch64-foxkit-linux-musl/lib" "--rustc-path" "/usr/src/packages/user/rust/src/rustc-1.38.0-src/build/aarch64-foxkit-linux-musl/stage2/bin/rustc" "--src-base" "/usr/src/packages/user/rust/src/rustc-1.38.0-src/src/test/ui" "--build-base" "/usr/src/packages/user/rust/src/rustc-1.38.0-src/build/aarch64-foxkit-linux-musl/test/ui" "--stage-id" "stage2-aarch64-foxkit-linux-musl" "--mode" "ui" "--target" "aarch64-foxkit-linux-musl" "--host" "aarch64-foxkit-linux-musl" "--llvm-filecheck" "/usr/lib/llvm8/bin/FileCheck" "--linker" "aarch64-foxkit-linux-musl-gcc" "--host-rustcflags" "-Crpath -O -Cdebuginfo=0 -Zunstable-options -Lnative=/usr/src/packages/user/rust/src/rustc-1.38.0-src/build/aarch64-foxkit-linux-musl/native/rust-test-helpers" "--target-rustcflags" "-Crpath -O -Cdebuginfo=0 -Zunstable-options -Lnative=/usr/src/packages/user/rust/src/rustc-1.38.0-src/build/aarch64-foxkit-linux-musl/native/rust-test-helpers" "--docck-python" "/usr/bin/python3" "--lldb-python" "/usr/bin/python3" "--llvm-version" "8.0.1\n" "--system-llvm" "--cc" "" "--cxx" "" "--cflags" "" "--llvm-components" "" "--llvm-cxxflags" "" "--adb-path" "adb" "--adb-test-dir" "/data/tmp/work" "--android-cross-path" ""
expected success, got: exit code: 101
finished in 211.445
```
1.0-BETA3
https://git.adelielinux.org/adelie/packages/-/issues/228
system/kmod: invalid printf format strings in depmod
2022-05-02T04:54:11Z
Emily
| | |
| --- | --- |
| Bugzilla ID | 228 |
| Reporter | A. Wilcox (awilfox) |
| Assignee | A. Wilcox (awilfox) |
| Reported | 2019-12-22 22:07:55 -0600 |
| Modified | 2019-12-22 22:07:55 -0600 |
| Status | CONFIRMED |
| Version | 1.0-BETA4 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
## Description
```
tools/depmod.c: In function ‘depmod_output’:
tools/depmod.c:2449:40: warning: format ‘%li’ expects argument of type ‘long int’, but argument 6 has type ‘suseconds_t’ {aka ‘long long int’} [-Wformat=]
snprintf(tmp, sizeof(tmp), "%s.%i.%li.%li", itr->name, getpid(),
~~^
%lli
tv.tv_usec, tv.tv_sec);
~~~~~~~~~~
tools/depmod.c:2449:44: warning: format ‘%li’ expects argument of type ‘long int’, but argument 7 has type ‘time_t’ {aka ‘long long int’} [-Wformat=]
snprintf(tmp, sizeof(tmp), "%s.%i.%li.%li", itr->name, getpid(),
~~^
%lli
tv.tv_usec, tv.tv_sec);
~~~~~~~~~
```
1.0-BETA3
https://git.adelielinux.org/adelie/packages/-/issues/225
system/linux-pam: pam_tally and pam_tally2 have invalid printf formats
2023-01-05T17:21:23Z
Emily
| | |
| --- | --- |
| Bugzilla ID | 225 |
| Reporter | A. Wilcox (awilfox) |
| Assignee | A. Wilcox (awilfox) |
| Reported | 2019-12-22 20:10:43 -0600 |
| Modified | 2019-12-22 20:10:43 -0600 |
| Status | CONFIRMED |
| Version | 1.0-BETA4 |
| Hardware | Adélie Linux / All |
| Importance | --- / trivial |
## Description
```
In file included from pam_tally.c:47:
pam_tally.c: In function ‘tally_check’:
pam_tally.c:541:7: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 5 has type ‘time_t’ {aka ‘long long int’} [-Wformat=]
_("Account temporary locked (%ld seconds left)"),
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../libpam/include/security/pam_ext.h:74:70: note: in definition of macro ‘pam_info’
#define pam_info(pamh, fmt...) pam_prompt(pamh, PAM_TEXT_INFO, NULL, fmt)
^~~
pam_tally.c:541:5: note: in expansion of macro ‘_’
_("Account temporary locked (%ld seconds left)"),
^
pam_tally.c:546:40: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 6 has type ‘time_t’ {aka ‘long long int’} [-Wformat=]
"user %s (%lu) has time limit [%lds left]"
~~^
%lld
pam_tally.c:549:7:
oldtime+lock_time-time(NULL));
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
========
In file included from pam_tally2.c:93:
pam_tally2.c: In function ‘tally_check’:
pam_tally2.c:597:27: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 5 has type ‘time_t’ {aka ‘long long int’} [-Wformat=]
pam_info(pamh, _("Account temporary locked (%ld seconds left)"),
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../libpam/include/security/pam_ext.h:74:70: note: in definition of macro ‘pam_info’
#define pam_info(pamh, fmt...) pam_prompt(pamh, PAM_TEXT_INFO, NULL, fmt)
^~~
pam_tally2.c:597:25: note: in expansion of macro ‘_’
pam_info(pamh, _("Account temporary locked (%ld seconds left)"),
^
pam_tally2.c:602:50: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 6 has type ‘time_t’ {aka ‘long long int’} [-Wformat=]
"user %s (%lu) has time limit [%lds left]"
~~^
%lld
pam_tally2.c:605:17:
oldtime+opts->lock_time-time(NULL));
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
1.0-BETA3
https://git.adelielinux.org/adelie/packages/-/issues/224
user/iptables: utils.c (and possibly others) have invalid printf formats
2022-02-02T16:52:24Z
Emily
| | |
| --- | --- |
| Bugzilla ID | 224 |
| Reporter | A. Wilcox (awilfox) |
| Assignee | A. Wilcox (awilfox) |
| Reported | 2019-12-22 20:07:35 -0600 |
| Modified | 2019-12-22 20:07:35 -0600 |
| Status | CONFIRMED |
| Version | 1.0-BETA4 |
| Hardware | Adélie Linux / All |
| Importance | --- / trivial |
## Description
```
utils.c:1243:24: warning: format '%ld' expects argument of type 'long int', but argument 4 has type 'suseconds_t' (aka 'long long int')
```
1.0-BETA3
https://git.adelielinux.org/adelie/packages/-/issues/223
system/xmlto: contains bashisms but has /bin/sh shebang
2022-02-02T16:52:58Z
Emily
| | |
| --- | --- |
| Bugzilla ID | 223 |
| Reporter | Molly Miller |
| Assignee | A. Wilcox (awilfox) |
| Reported | 2019-12-09 16:13:16 -0600 |
| Modified | 2020-02-16 17:36:57 -0600 |
| Status | RESOLVED FIXED |
| Version | 1.0-BETA4 |
| Hardware | Adélie Linux / All |
| Importance | --- / minor |
## Description
Our xmlto package correctly depends on bash; however, the script's shebang is `#!/bin/sh`. On systems with dash as `/bin/sh`, xmlto will not run, as the script contains bashisms which dash will fail to parse.
A possible fix for this is to patch the xmlto script so that it invokes /bin/bash directly instead of /bin/sh.
1.0-BETA3
https://git.adelielinux.org/adelie/packages/-/issues/220
system/libarchive: CVE-2018-1000879: NULL pointer dereference
2022-02-02T16:53:15Z
Emily
| | |
| --- | --- |
| Bugzilla ID | 220 |
| Alias(es) | CVE-2018-1000879 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2019-10-24 16:31:17 -0500 |
| Modified | 2019-10-24 16:32:27 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-BETA3 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2018-1000879 |
## Description
> libarchive version commit 379867ecb330b3a952fb7bfa7bffb7bbd5547205
> onwards (release v3.3.0 onwards) contains a CWE-476: NULL Pointer
> Dereference vulnerability in ACL parser - libarchive/archive_acl.c,
> archive_acl_from_text_l() that can result in Crash/DoS. This attack
> appear to be exploitable via the victim must open a specially crafted
> archive file.
1.0-BETA3
https://git.adelielinux.org/adelie/packages/-/issues/219
system/file: CVE-2019-18218: heap-based buffer overflow
2022-02-02T16:53:24Z
Emily
| | |
| --- | --- |
| Bugzilla ID | 219 |
| Alias(es) | CVE-2019-18218 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2019-10-24 16:29:38 -0500 |
| Modified | 2020-02-25 17:43:55 -0600 |
| Status | RESOLVED FIXED |
| Version | 1.0-BETA3 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2019-18218 |
## Description
> cdf_read_property_info in cdf.c in file through 5.37 does not restrict
> the number of CDF_VECTOR elements, which allows a heap-based buffer
> overflow (4-byte out-of-bounds write).
1.0-BETA3
https://git.adelielinux.org/adelie/packages/-/issues/218
system/libxslt: CVE-2019-18197: lack of pointer reset may lead to memory writ...
2022-02-02T16:53:38Z
Emily
system/libxslt: CVE-2019-18197: lack of pointer reset may lead to memory write or disclosure of uninitialized data
| | |
| --- | --- |
| Bugzilla ID | 218 |
| Alias(es) | CVE-2019-18197 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2019-10-24 16:27:05 -0500 |
| Modified | 2020-02-25 17:43:06 -0600 |
| Status | RESOLVED FIXED |
| Version | 1.0-BETA4 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2019-18197 |
## Description
> In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable
> isn't reset under certain circumstances. If the relevant memory area
> happened to be freed and reused in a certain way, a bounds check could
> fail and memory outside a buffer could be written to, or uninitialized
> data could be disclosed.
1.0-BETA3
https://git.adelielinux.org/adelie/packages/-/issues/217
system/easy-kernel*: multiple vulnerabilities
2020-02-25T06:36:06Z
Emily
| | |
| --- | --- |
| Bugzilla ID | 217 |
| Alias(es) | CVE-2017-18232, CVE-2018-20855, CVE-2018-20976, CVE-2018-21008, CVE-2019-12378, CVE-2019-12380, CVE-2019-12381, CVE-2019-12614, CVE-2019-15098, CVE-2019-15099, CVE-2019-15217, CVE-2019-15222, CVE-2019-15223, CVE-2019-15290, CVE-2019-15291, CVE-2019-15504, CVE-2019-15902, CVE-2019-15918, CVE-2019-16234, CVE-2019-17133, CVE-2019-17666, CVE-2019-18198, CVE-2019-2181, CVE-2019-5489 |
| Reporter | Max Rees (sroracle) |
| Assignee | A. Wilcox (awilfox) |
| Reported | 2019-10-16 20:34:30 -0500 |
| Modified | 2020-02-25 00:36:06 -0600 |
| Status | RESOLVED FIXED |
| Version | 1.0-BETA4 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| See also | https://bts.adelielinux.org/show_bug.cgi?id=180<br>https://bts.adelielinux.org/show_bug.cgi?id=241 |
## Description
CVE-2018-20855: No fix https://www.linuxkernelcves.com/cves/CVE-2018-20855
CVE-2018-20976: No fix https://www.linuxkernelcves.com/cves/CVE-2018-20976
CVE-2018-21008: No fix https://www.linuxkernelcves.com/cves/CVE-2018-21008
CVE-2019-5489: No fix https://www.linuxkernelcves.com/cves/CVE-2019-5489
CVE-2019-12378: No fix https://www.linuxkernelcves.com/cves/CVE-2019-12378
CVE-2019-12380: No 4.14 fix https://www.linuxkernelcves.com/cves/CVE-2019-12380
CVE-2019-12381: No fix https://www.linuxkernelcves.com/cves/CVE-2019-12381
CVE-2019-12456: No 4.14 fix https://www.linuxkernelcves.com/cves/CVE-2019-12456
CVE-2019-12614: No fix https://www.linuxkernelcves.com/cves/CVE-2019-12614
CVE-2019-15098: No fix https://www.linuxkernelcves.com/cves/CVE-2019-15098
CVE-2019-15099: No fix https://www.linuxkernelcves.com/cves/CVE-2019-15099
CVE-2019-15217: No fix https://www.linuxkernelcves.com/cves/CVE-2019-15217
CVE-2019-15222: No fix (doesn't apply?) https://www.linuxkernelcves.com/cves/CVE-2019-15222
CVE-2019-15223: No fix (doesn't apply?) https://www.linuxkernelcves.com/cves/CVE-2019-15223
CVE-2019-15290: Duplicate of CVE-2019-15098
CVE-2019-15291: No fix https://www.linuxkernelcves.com/cves/CVE-2019-15291
CVE-2019-15504: No fix (doesn't apply?) https://www.linuxkernelcves.com/cves/CVE-2019-15504
CVE-2019-15902: No fix https://www.linuxkernelcves.com/cves/CVE-2019-15902
1.0-BETA3
https://git.adelielinux.org/adelie/packages/-/issues/214
system/gdb: multiple vulnerabilities
2022-05-02T04:41:15Z
Emily
| | |
| --- | --- |
| Bugzilla ID | 214 |
| Alias(es) | CVE-2018-12934, CVE-2019-1010180 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2019-10-16 17:04:30 -0500 |
| Modified | 2020-06-22 05:58:30 -0500 |
| Status | CONFIRMED |
| Version | 1.0-BETA4 |
| Hardware | Adélie Linux / All |
| Importance | --- / minor |
| Package(s) | system/binutils |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2019-1010180 |
| See also | https://sourceware.org/bugzilla/show_bug.cgi?id=23657 |
## Description
CVE-2019-1010180: https://nvd.nist.gov/vuln/detail/CVE-2019-1010180
> GNU gdb All versions is affected by: Buffer Overflow - Out of bound
> memory access. The impact is: Deny of Service, Memory Disclosure, and
> Possible Code Execution. The component is: The main gdb module. The
> attack vector is: Open an ELF for debugging. The fixed version is: Not
> fixed yet.
Note: NVD states it affects GDB, but upstream appears to be fixing it in BFD.
1.0-BETA3