Adélie Package Tree issueshttps://git.adelielinux.org/adelie/packages/-/issues2021-05-12T03:19:45Zhttps://git.adelielinux.org/adelie/packages/-/issues/261user/firefox-esr seccomp is blocking membarrier2021-05-12T03:19:45ZEmilyuser/firefox-esr seccomp is blocking membarrier| | |
| --- | --- |
| Bugzilla ID | 261 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-15 19:19:48 -0500 |
| Modified | 2020-05-19 22:33:41 -0500 |
| Status | RESOLVED FIXED |
| Version | 1...| | |
| --- | --- |
| Bugzilla ID | 261 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-15 19:19:48 -0500 |
| Modified | 2020-05-19 22:33:41 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / Intel x86 (64-bit) |
| Importance | --- / normal |
| See also | https://bts.adelielinux.org/show_bug.cgi?id=262 |
## Description
When loading any WebGL content in Firefox on x86_64, the tab instantly crashes. This is a regression between 18.3.6-r0 (BETA4) and 19.3.4-r0 (RC1) - downgrading all mesa subpackages to 18.3.6-r0 (and xf86-video-intel to its respective BETA4 version) causes the issue to go away.
I don't know how to debug a low level problem like this in Firefox. Since the tab immediately crashes and we don't ship Firefox with any of the crashpad/breakpad things, I'm not sure if there even is a way to debug it.
Based on the demo at [1], I think the crash happens as soon as the WebGL context is created:
> var gl = canvas.getContext("webgl")
> || canvas.getContext("experimental-webgl");
This means that even trying to *detect* WebGL will crash the tab.
"Workaround" is to set webgl.disabled = true in about:config.
[1] https://developer.mozilla.org/en-US/docs/Web/API/WebGL_API/By_example/Detect_WebGL1.0-BETA3https://git.adelielinux.org/adelie/packages/-/issues/259system/git: CVE-2020-5260: malicious URLs may cause Git to present stored cre...2022-02-02T02:04:00ZEmilysystem/git: CVE-2020-5260: malicious URLs may cause Git to present stored credentials to the wrong server| | |
| --- | --- |
| Bugzilla ID | 259 |
| Alias(es) | CVE-2020-5260 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-15 18:00:06 -0500 |
| Modified | 2020-04-19 00:53:57 -0500 |
| Status | ...| | |
| --- | --- |
| Bugzilla ID | 259 |
| Alias(es) | CVE-2020-5260 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-15 18:00:06 -0500 |
| Modified | 2020-04-19 00:53:57 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2020-5260 |
## Description
CVE-2020-5260: https://nvd.nist.gov/vuln/detail/CVE-2020-5260
> Affected versions of Git have a vulnerability whereby Git can be
> tricked into sending private credentials to a host controlled by an
> attacker. Git uses external "credential helper" programs to store and
> retrieve passwords or other credentials from secure storage provided
> by the operating system. Specially-crafted URLs that contain an
> encoded newline can inject unintended values into the credential
> helper protocol stream, causing the credential helper to retrieve the
> password for one server (e.g., good.example.com) for an HTTP request
> being made to another server (e.g., evil.example.com), resulting in
> credentials for the former being sent to the latter. There are no
> restrictions on the relationship between the two, meaning that an
> attacker can craft a URL that will present stored credentials for any
> host to a host of their choosing. The vulnerability can be triggered
> by feeding a malicious URL to git clone. However, the affected URLs
> look rather suspicious; the likely vector would be through systems
> which automatically clone URLs not visible to the user, such as Git
> submodules, or package systems built around Git. The problem has been
> patched in the versions published on April 14th, 2020, going back to
> v2.17.x. Anyone wishing to backport the change further can do so by
> applying commit 9a6bbee (the full release includes extra checks for
> git fsck, but that commit is sufficient to protect clients against the
> vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4,
> 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1.
See also https://www.openwall.com/lists/oss-security/2020/04/15/5
Resolution will be bumping to 2.25.3.1.0-BETA3https://git.adelielinux.org/adelie/packages/-/issues/258user/thunderbird: multiple vulnerabilities2020-04-19T05:52:45ZEmilyuser/thunderbird: multiple vulnerabilities| | |
| --- | --- |
| Bugzilla ID | 258 |
| Alias(es) | CVE-2020-6819, CVE-2020-6820, CVE-2020-6821, CVE-2020-6822, CVE-2020-6825 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-14 15:08:55 ...| | |
| --- | --- |
| Bugzilla ID | 258 |
| Alias(es) | CVE-2020-6819, CVE-2020-6820, CVE-2020-6821, CVE-2020-6822, CVE-2020-6825 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-14 15:08:55 -0500 |
| Modified | 2020-04-19 00:52:45 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://www.mozilla.org/en-US/security/advisories/mfsa2020-14/ |
## Description
CVE-2020-6819:
> Under certain conditions, when running the nsDocShell destructor, a
> race condition can cause a use-after-free.
CVE-2020-6820:
> Under certain conditions, when handling a ReadableStream, a race
> condition can cause a use-after-free.
CVE-2020-6821:
> When reading from areas partially or fully outside the source resource
> with WebGL's copyTexSubImage method, the specification requires the
> returned values be zero. Previously, this memory was uninitialized,
> leading to potentially sensitive data disclosure.
CVE-2020-6822:
> On 32-bit builds, an out of bounds write could have occurred when
> processing an image larger than 4 GB in GMPDecodeData. It is possible
> that with enough effort this could have been exploited to run
> arbitrary code.
CVE-2020-6825:
> Mozilla developers Tyson Smith and Christian Holler reported memory
> safety bugs present in Firefox 74 and Firefox ESR 68.6. Some of these
> bugs showed evidence of memory corruption and we presume that with
> enough effort some of these could have been exploited to run arbitrary
> code.1.0-BETA3https://git.adelielinux.org/adelie/packages/-/issues/257user/cyrus-sasl: CVE-2019-19906: OpenLDAP crash via malformed packet2022-02-02T02:04:06ZEmilyuser/cyrus-sasl: CVE-2019-19906: OpenLDAP crash via malformed packet| | |
| --- | --- |
| Bugzilla ID | 257 |
| Alias(es) | CVE-2019-19906 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-06 18:10:15 -0500 |
| Modified | 2020-04-19 00:52:10 -0500 |
| Status |...| | |
| --- | --- |
| Bugzilla ID | 257 |
| Alias(es) | CVE-2019-19906 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-06 18:10:15 -0500 |
| Modified | 2020-04-19 00:52:10 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2019-19906 |
## Description
> cyrus-sasl (aka Cyrus SASL) 2.1.27 has an out-of-bounds write leading
> to unauthenticated remote denial-of-service in OpenLDAP via a
> malformed LDAP packet. The OpenLDAP crash is ultimately caused by an
> off-by-one error in _sasl_add_string in common.c in cyrus-sasl.
https://github.com/cyrusimap/cyrus-sasl/commit/dcc9f51cbd4ed622cfb0f9b1c141eb2ffe3b12f11.0-BETA3https://git.adelielinux.org/adelie/packages/-/issues/254user/gnutls: multiple vulnerabilities2020-06-15T21:38:59ZEmilyuser/gnutls: multiple vulnerabilities| | |
| --- | --- |
| Bugzilla ID | 254 |
| Alias(es) | CVE-2020-11501, CVE-2020-13777 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-03 14:29:36 -0500 |
| Modified | 2020-06-15 16:38:59 -0...| | |
| --- | --- |
| Bugzilla ID | 254 |
| Alias(es) | CVE-2020-11501, CVE-2020-13777 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-03 14:29:36 -0500 |
| Modified | 2020-06-15 16:38:59 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
## Description
> GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The
> earliest affected version is 3.6.3 (2018-07-16) because of an error in
> a 2017-10-06 commit. The DTLS client always uses 32 '\0' bytes instead
> of a random value, and thus contributes no randomness to a DTLS
> negotiation. This breaks the security guarantees of the DTLS protocol.1.0-BETA3https://git.adelielinux.org/adelie/packages/-/issues/253user/jasper: multiple vulnerabilities2022-11-13T06:54:43ZEmilyuser/jasper: multiple vulnerabilities| | |
| --- | --- |
| Bugzilla ID | 253 |
| Alias(es) | CVE-2016-9398, CVE-2016-9399, CVE-2017-13746, CVE-2017-13748, CVE-2017-13750, CVE-2017-13751, CVE-2017-14132, CVE-2017-14232, CVE-2017-5499, CVE-2017-5503, CVE-2017-5504, CVE-2017...| | |
| --- | --- |
| Bugzilla ID | 253 |
| Alias(es) | CVE-2016-9398, CVE-2016-9399, CVE-2017-13746, CVE-2017-13748, CVE-2017-13750, CVE-2017-13751, CVE-2017-14132, CVE-2017-14232, CVE-2017-5499, CVE-2017-5503, CVE-2017-5504, CVE-2017-5505, CVE-2017-6851, CVE-2017-9782, CVE-2018-18873, CVE-2018-19139, CVE-2018-19540, CVE-2018-19541, CVE-2018-19543, CVE-2018-20570, CVE-2018-20622, CVE-2018-9055, CVE-2018-9154, CVE-2018-9252 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-03 14:18:15 -0500 |
| Modified | 2020-10-30 22:37:34 -0500 |
| Status | IN_PROGRESS |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| Package(s) | user/jasper |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2017-14232 |
## Description
> The read_chunk function in flif-dec.cpp in Free Lossless Image Format
> (FLIF) 0.3 allows remote attackers to cause a denial of service
> (invalid memory read and application crash) via a crafted flif file.1.0-BETA3https://git.adelielinux.org/adelie/packages/-/issues/252user/net-snmp: CVE-2015-8100: weak permissions on /etc/snmp/snmpd.conf2022-02-02T02:04:13ZEmilyuser/net-snmp: CVE-2015-8100: weak permissions on /etc/snmp/snmpd.conf| | |
| --- | --- |
| Bugzilla ID | 252 |
| Alias(es) | CVE-2015-8100 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-03 14:15:53 -0500 |
| Modified | 2020-06-10 15:36:29 -0500 |
| Status | ...| | |
| --- | --- |
| Bugzilla ID | 252 |
| Alias(es) | CVE-2015-8100 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-03 14:15:53 -0500 |
| Modified | 2020-06-10 15:36:29 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2015-8100 |
## Description
> The net-snmp package in OpenBSD through 5.8 uses 0644 permissions for
> snmpd.conf, which allows local users to obtain sensitive community
> information by reading this file.1.0-BETA3https://git.adelielinux.org/adelie/packages/-/issues/251user/py3-pyyaml: CVE-2020-1747: full_load/FullLoader ACE2022-02-02T02:04:20ZEmilyuser/py3-pyyaml: CVE-2020-1747: full_load/FullLoader ACE| | |
| --- | --- |
| Bugzilla ID | 251 |
| Alias(es) | CVE-2020-1747 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-03 14:13:06 -0500 |
| Modified | 2020-06-15 16:39:00 -0500 |
| Status | ...| | |
| --- | --- |
| Bugzilla ID | 251 |
| Alias(es) | CVE-2020-1747 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-03 14:13:06 -0500 |
| Modified | 2020-06-15 16:39:00 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2020-1747 |
## Description
> A vulnerability was discovered in the PyYAML library in versions
> before 5.3.1, where it is susceptible to arbitrary code execution when
> it processes untrusted YAML files through the full_load method or with
> the FullLoader loader. Applications that use the library to process
> untrusted input may be vulnerable to this flaw. An attacker could use
> this flaw to execute arbitrary code on the system by abusing the
> python/object/new constructor.1.0-BETA3https://git.adelielinux.org/adelie/packages/-/issues/246user/bluez: CVE-2020-0556: HID and HOGP profiles don't require bonding2022-02-02T02:04:36ZEmilyuser/bluez: CVE-2020-0556: HID and HOGP profiles don't require bonding| | |
| --- | --- |
| Bugzilla ID | 246 |
| Alias(es) | CVE-2020-0556 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-03-18 14:44:50 -0500 |
| Modified | 2020-06-17 17:14:19 -0500 |
| Status | ...| | |
| --- | --- |
| Bugzilla ID | 246 |
| Alias(es) | CVE-2020-0556 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-03-18 14:44:50 -0500 |
| Modified | 2020-06-17 17:14:19 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2020-0556 |
## Description
> Improper access control in subsystem for BlueZ before version 5.54 may
> allow an unauthenticated user to potentially enable escalation of
> privilege and denial of service via adjacent access1.0-BETA3https://git.adelielinux.org/adelie/packages/-/issues/245system/sqlite: multiple vulnerabilities2022-11-12T03:17:50ZEmilysystem/sqlite: multiple vulnerabilities| | |
| --- | --- |
| Bugzilla ID | 245 |
| Alias(es) | CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-13871, CVE-2020-15358, CVE-2020-9327 |
| Reporter | Max Re...| | |
| --- | --- |
| Bugzilla ID | 245 |
| Alias(es) | CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-13871, CVE-2020-15358, CVE-2020-9327 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-03-16 19:54:09 -0500 |
| Modified | 2020-07-01 14:18:58 -0500 |
| Status | CONFIRMED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| Package(s) | system/sqlite |
## Description
CVE-2020-9327: https://nvd.nist.gov/vuln/detail/CVE-2020-9327
> In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger
> a NULL pointer dereference and segmentation fault because of generated
> column optimizations.
Unreleased fix
https://github.com/sqlite/sqlite/commit/bf48ce49f7c25e5d4524de9fdc5c0d505218d06d
https://github.com/sqlite/sqlite/commit/78d1d225d87af40f5bdca57fa72f00b6ffaffa21
Since we currently build from the amalgamation distribution, this will need to wait on either an overhaul of the entire aport or a new release.1.0-BETA3https://git.adelielinux.org/adelie/packages/-/issues/242system/pcre2: CVE-2019-20454: out-of-bounds read in do_extuni_no_utf2022-02-02T16:51:19ZEmilysystem/pcre2: CVE-2019-20454: out-of-bounds read in do_extuni_no_utf| | |
| --- | --- |
| Bugzilla ID | 242 |
| Alias(es) | CVE-2019-20454 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-03-03 17:35:40 -0600 |
| Modified | 2020-03-29 02:26:44 -0500 |
| Status |...| | |
| --- | --- |
| Bugzilla ID | 242 |
| Alias(es) | CVE-2019-20454 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-03-03 17:35:40 -0600 |
| Modified | 2020-03-29 02:26:44 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2019-20454 |
## Description
> An out-of-bounds read was discovered in PCRE before 10.34 when the
> pattern \X is JIT compiled and used to match specially crafted
> subjects in non-UTF mode. Applications that use PCRE to parse
> untrusted input may be vulnerable to this flaw, which would allow an
> attacker to crash the application. The flaw occurs in do_extuni_no_utf
> in pcre2_jit_compile.c.1.0-BETA3https://git.adelielinux.org/adelie/packages/-/issues/240user/libgd: CVE-2018-14553: NULL pointer dereference2022-02-02T16:51:27ZEmilyuser/libgd: CVE-2018-14553: NULL pointer dereference| | |
| --- | --- |
| Bugzilla ID | 240 |
| Alias(es) | CVE-2018-14553 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-02-24 23:22:11 -0600 |
| Modified | 2020-03-09 21:56:49 -0500 |
| Status |...| | |
| --- | --- |
| Bugzilla ID | 240 |
| Alias(es) | CVE-2018-14553 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-02-24 23:22:11 -0600 |
| Modified | 2020-03-09 21:56:49 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2018-14553 |
## Description
> gdImageClone in gd.c in libgd 2.1.0-rc2 through 2.2.5 has a NULL
> pointer dereference allowing attackers to crash an application via a
> specific function call sequence. Only affects PHP when linked with an
> external libgd (not bundled).1.0-BETA3https://git.adelielinux.org/adelie/packages/-/issues/239user/weechat: CVE-2020-8955: buffer overflow2022-02-02T16:51:33ZEmilyuser/weechat: CVE-2020-8955: buffer overflow| | |
| --- | --- |
| Bugzilla ID | 239 |
| Alias(es) | CVE-2020-8955 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-02-24 23:14:45 -0600 |
| Modified | 2020-03-09 21:56:27 -0500 |
| Status | ...| | |
| --- | --- |
| Bugzilla ID | 239 |
| Alias(es) | CVE-2020-8955 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-02-24 23:14:45 -0600 |
| Modified | 2020-03-09 21:56:27 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2020-8955 |
## Description
> irc_mode_channel_update in plugins/irc/irc-mode.c in WeeChat through
> 2.7 allows remote attackers to cause a denial of service (buffer
> overflow and application crash) or possibly have unspecified other
> impact via a malformed IRC message 324 (channel mode).1.0-BETA3https://git.adelielinux.org/adelie/packages/-/issues/238user/mariadb: CVE-2020-7221: symlink attack2022-02-02T16:51:41ZEmilyuser/mariadb: CVE-2020-7221: symlink attack| | |
| --- | --- |
| Bugzilla ID | 238 |
| Alias(es) | CVE-2020-7221 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-02-24 23:13:31 -0600 |
| Modified | 2020-03-03 08:09:11 -0600 |
| Status | ...| | |
| --- | --- |
| Bugzilla ID | 238 |
| Alias(es) | CVE-2020-7221 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-02-24 23:13:31 -0600 |
| Modified | 2020-03-03 08:09:11 -0600 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2020-7221 |
## Description
> mysql_install_db in MariaDB 10.4.7 through 10.4.11 allows privilege
> escalation from the mysql user account to root because chown and chmod
> are performed unsafely, as demonstrated by a symlink attack on a chmod
> 04755 of auth_pam_tool_dir/auth_pam_tool. NOTE: this does not affect
> the Oracle MySQL product, which implements mysql_install_db
> differently.1.0-BETA3https://git.adelielinux.org/adelie/packages/-/issues/237user/djvulibre: CVE-2019-18804: NULL pointer dereference2022-02-02T16:51:50ZEmilyuser/djvulibre: CVE-2019-18804: NULL pointer dereference| | |
| --- | --- |
| Bugzilla ID | 237 |
| Alias(es) | CVE-2019-18804 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-02-24 23:09:26 -0600 |
| Modified | 2020-03-09 21:56:17 -0500 |
| Status |...| | |
| --- | --- |
| Bugzilla ID | 237 |
| Alias(es) | CVE-2019-18804 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-02-24 23:09:26 -0600 |
| Modified | 2020-03-09 21:56:17 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2019-18804 |
## Description
> DjVuLibre 3.5.27 has a NULL pointer dereference in the function
> DJVU::filter_fv at IW44EncodeCodec.cpp.1.0-BETA3https://git.adelielinux.org/adelie/packages/-/issues/236user/librsvg: CVE-2019-20446: exponential SVG expansion2022-02-02T16:51:58ZEmilyuser/librsvg: CVE-2019-20446: exponential SVG expansion| | |
| --- | --- |
| Bugzilla ID | 236 |
| Alias(es) | CVE-2019-20446 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-02-24 23:08:45 -0600 |
| Modified | 2020-03-09 21:58:28 -0500 |
| Status |...| | |
| --- | --- |
| Bugzilla ID | 236 |
| Alias(es) | CVE-2019-20446 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-02-24 23:08:45 -0600 |
| Modified | 2020-03-09 21:58:28 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2019-20446 |
## Description
CVE-2019-20446: https://nvd.nist.gov/vuln/detail/CVE-2019-20446
> In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with
> nested patterns can cause denial of service when passed to the library
> for processing. The attacker constructs pattern elements so that the
> number of final rendered objects grows exponentially.1.0-BETA3https://git.adelielinux.org/adelie/packages/-/issues/235user/openjpeg: multiple vulnerabilities2020-03-10T02:57:06ZEmilyuser/openjpeg: multiple vulnerabilities| | |
| --- | --- |
| Bugzilla ID | 235 |
| Alias(es) | CVE-2020-6851, CVE-2020-8112 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-02-24 23:02:41 -0600 |
| Modified | 2020-03-09 21:57:06 -050...| | |
| --- | --- |
| Bugzilla ID | 235 |
| Alias(es) | CVE-2020-6851, CVE-2020-8112 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-02-24 23:02:41 -0600 |
| Modified | 2020-03-09 21:57:06 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
## Description
CVE-2020-6851: https://nvd.nist.gov/vuln/detail/CVE-2020-6851
> OpenJPEG through 2.3.1 has a heap-based buffer overflow in
> opj_t1_clbl_decode_processor in openjp2/t1.c because of lack of
> opj_j2k_update_image_dimensions validation.
CVE-2020-8112: https://nvd.nist.gov/vuln/detail/CVE-2020-8112
> opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through
> 2020-01-28 has a heap-based buffer overflow in the qmfbid==1 case, a
> different issue than CVE-2020-6851.1.0-BETA3https://git.adelielinux.org/adelie/packages/-/issues/234system/libxml2: multiple vulnerabilities2020-03-10T02:56:00ZEmilysystem/libxml2: multiple vulnerabilities| | |
| --- | --- |
| Bugzilla ID | 234 |
| Alias(es) | CVE-2019-20388, CVE-2020-7595 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-02-24 23:01:52 -0600 |
| Modified | 2020-03-09 21:56:00 -05...| | |
| --- | --- |
| Bugzilla ID | 234 |
| Alias(es) | CVE-2019-20388, CVE-2020-7595 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-02-24 23:01:52 -0600 |
| Modified | 2020-03-09 21:56:00 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
## Description
CVE-2019-20388: https://nvd.nist.gov/vuln/detail/CVE-2019-20388
> xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an
> xmlSchemaValidateStream memory leak.
CVE-2020-7595: https://nvd.nist.gov/vuln/detail/CVE-2020-7595
> xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an
> infinite loop in a certain end-of-file situation.1.0-BETA3https://git.adelielinux.org/adelie/packages/-/issues/233user/exiv2: CVE-2019-20421: infinite loop2022-02-02T16:52:05ZEmilyuser/exiv2: CVE-2019-20421: infinite loop| | |
| --- | --- |
| Bugzilla ID | 233 |
| Alias(es) | CVE-2019-20421 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-02-24 22:56:53 -0600 |
| Modified | 2020-03-09 21:55:19 -0500 |
| Status |...| | |
| --- | --- |
| Bugzilla ID | 233 |
| Alias(es) | CVE-2019-20421 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-02-24 22:56:53 -0600 |
| Modified | 2020-03-09 21:55:19 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2019-20421 |
## Description
> In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input
> file can result in an infinite loop and hang, with high CPU
> consumption. Remote attackers could leverage this vulnerability to
> cause a denial of service via a crafted file.1.0-BETA3https://git.adelielinux.org/adelie/packages/-/issues/232system/python3: multiple vulnerabilities2022-05-02T03:29:22ZEmilysystem/python3: multiple vulnerabilities| | |
| --- | --- |
| Bugzilla ID | 232 |
| Alias(es) | CVE-2019-18348, CVE-2019-20907, CVE-2019-20916, CVE-2019-9674, CVE-2020-14422, CVE-2020-26116, CVE-2020-27619, CVE-2020-8315, CVE-2020-8492 |
| Reporter | Max Rees (sroracle) |
| ...| | |
| --- | --- |
| Bugzilla ID | 232 |
| Alias(es) | CVE-2019-18348, CVE-2019-20907, CVE-2019-20916, CVE-2019-9674, CVE-2020-14422, CVE-2020-26116, CVE-2020-27619, CVE-2020-8315, CVE-2020-8492 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-02-24 22:56:38 -0600 |
| Modified | 2020-12-03 23:22:57 -0600 |
| Status | CONFIRMED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| Package(s) | system/python3 |
## Description
CVE-2019-18348: https://nvd.nist.gov/vuln/detail/CVE-2019-18348
> An issue was discovered in urllib2 in Python 2.x through 2.7.17 and
> urllib in Python 3.x through 3.8.0. CRLF injection is possible if the
> attacker controls a url parameter, as demonstrated by the first
> argument to urllib.request.urlopen with \r\n (specifically in the host
> component of a URL) followed by an HTTP header. This is similar to the
> CVE-2019-9740 query string issue and the CVE-2019-9947 path string
> issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.)
CVE-2020-8315: https://nvd.nist.gov/vuln/detail/CVE-2020-8315
> In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8
> through 3.8.1, an insecure dependency load upon launch on Windows 7
> may result in an attacker's copy of api-ms-win-core-path-l1-1-0.dll
> being loaded and used instead of the system's copy. Windows 8 and
> later are unaffected.
CVE-2020-8492: https://nvd.nist.gov/vuln/detail/CVE-2020-8492
> Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7
> through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct
> Regular Expression Denial of Service (ReDoS) attacks against a client
> because of urllib.request.AbstractBasicAuthHandler catastrophic
> backtracking.1.0-BETA3