Adélie Linux issueshttps://git.adelielinux.org/groups/adelie/-/issues2022-10-22T00:00:58Zhttps://git.adelielinux.org/adelie/packages/-/issues/814system/expat: CVE-2022-40674: libexpat before 2.4.9 has a use-after-free in t...2022-10-22T00:00:58ZZach van Rijnsystem/expat: CVE-2022-40674: libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.Found on new x86_64 dev builder VM when upstream source tarball URL 404'd:
```
>>> expat: Building system/expat 2.4.8-r0 (using abuild 3.4.2-r0) started Tue, 27 Sep 2022 23:48:11 +0000
>>> expat: Checking sanity of /root/packages/system...Found on new x86_64 dev builder VM when upstream source tarball URL 404'd:
```
>>> expat: Building system/expat 2.4.8-r0 (using abuild 3.4.2-r0) started Tue, 27 Sep 2022 23:48:11 +0000
>>> expat: Checking sanity of /root/packages/system/expat/APKBUILD...
>>> expat: Analyzing dependencies...
>>> expat: Entering /root/packages/system/bash
(1/1) Installing .makedepends-expat (20220927.234812)
OK: 434 MiB in 94 packages
>>> expat: Cleaning temporary build dirs...
>>> expat: Fetching https://downloads.sourceforge.net/project/expat/expat/2.4.8/expat-2.4.8.tar.bz2
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
^M 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0^M 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (22) The requested URL returned error: 404 Not Found
>>> ERROR: expat: fetch failed
```
![Screenshot_from_2022-09-28_07-50-27](/uploads/546c3d4b7be5fb128485f1e51d1c22df/Screenshot_from_2022-09-28_07-50-27.png)
> Rhodri James discovered a heap use-after-free vulnerability in the doContent function in Expat, an XML parsing C library, which could result in denial of service or potentially the execution of arbitrary code, if a malformed XML file is processed.
```
It is possible to concoct a situation in which parsing is
suspended while substituting in an internal entity, so that
XML_ResumeParser directly uses internalEntityProcessor as
its processor. If the subsequent parse includes some unclosed
tags, this will return without calling storeRawNames to ensure
that the raw versions of the tag names are stored in memory other
than the parse buffer itself. If the parse buffer is then changed
or reallocated (for example if processing a file line by line),
badness will ensue.
This patch ensures storeRawNames is always called when needed
after calling doContent. The earlier call do doContent does
not need the same protection; it only deals with entity
substitution, which cannot leave unbalanced tags, and in any
case the raw names will be pointing into the stored entity
value not the parse buffer.
```
| Hyperlink | Resource |
|---------------------------------------------------------------------|----------------------------------------------|
| https://github.com/libexpat/libexpat/pull/629 | Issue Tracking Patch Third Party Advisory |
| https://github.com/libexpat/libexpat/pull/640 | Issue Tracking Patch Third Party Advisory |
| https://lists.debian.org/debian-lts-announce/2022/09/msg00029.html | |
| https://www.debian.org/security/2022/dsa-5236 | |https://git.adelielinux.org/adelie/packages/-/issues/821system/expat: CVE-2022-43680: In libexpat through 2.4.9, there is a use-after...2022-11-02T20:44:13ZZach van Rijnsystem/expat: CVE-2022-43680: In libexpat through 2.4.9, there is a use-after free in out-of-memory situations.| Hyperlink | Resource |
|---------------------------------------------------------------------|--------------------------------------...| Hyperlink | Resource |
|---------------------------------------------------------------------|-------------------------------------------------------|
| https://github.com/libexpat/libexpat/issues/649 | Exploit Issue Tracking Patch Third Party Advisory |
| https://github.com/libexpat/libexpat/pull/616 | Exploit Issue Tracking Patch Third Party Advisory |
| https://github.com/libexpat/libexpat/pull/650 | Exploit Issue Tracking Patch Third Party Advisory |
| https://lists.debian.org/debian-lts-announce/2022/10/msg00033.html | |
| https://security.gentoo.org/glsa/202210-38 | |
| https://www.debian.org/security/2022/dsa-5266 | |
This was found on x86_64, as the tarball has been renamed:
```
>>> expat: Fetching https://downloads.sourceforge.net/project/expat/expat/2.4.9/expat-2.4.9.tar.bz2
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
^M 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0^M 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (22) The requested URL returned error: 404 Not Found
```https://git.adelielinux.org/adelie/packages/-/issues/438system/fakeroot: test failure: FAIL t.xattr (exit status: 1)2022-05-02T01:04:55ZZach van Rijnsystem/fakeroot: test failure: FAIL t.xattr (exit status: 1)Found on both x86_64 and ppc64.
```
FAIL: t.xattr
PASS: t.cp-a
PASS: t.tar
========================================
fakeroot 1.24: test/test-suite.log
========================================
# TOTAL: 12
# PASS: 11
# SKIP: 0
# XFA...Found on both x86_64 and ppc64.
```
FAIL: t.xattr
PASS: t.cp-a
PASS: t.tar
========================================
fakeroot 1.24: test/test-suite.log
========================================
# TOTAL: 12
# PASS: 11
# SKIP: 0
# XFAIL: 0
# FAIL: 1
# XPASS: 0
# ERROR: 0
.. contents:: :depth: 2
FAIL: t.xattr
=============
+ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/sbin:/usr/sbin:/sbin
+ getcap
+ res=1
+ test 1 -le 1
+ mkdir t.xattr.dir
+ touch t.xattr.dir/foo
+ echo setcap cap_net_raw+ep t.xattr.dir/foo; getcap t.xattr.dir/foo
+ run_fakeroot -- /bin/sh t.xattr.dir/sh
+ tmp=t.xattr.dir /root/packages/system/fakeroot/src/fakeroot-1.24/test/../scripts/fakeroot -f /root/packages/system/fakeroot/src/fakeroot-1.24/test/../faked -l /root/packages/system/fakeroot/src/fakeroot-1.24/test/../.libs/libfakeroot-0.so -- /bin/sh t.xattr.dir/sh
+ cat t.xattr.dir/out
t.xattr.dir/foo cap_net_raw=ep
+ grep ^t.xattr.dir/foo = cap_net_raw+ep t.xattr.dir/out
+ rm -rf t.xattr.dir
FAIL t.xattr (exit status: 1)
============================================================================
Testsuite summary for fakeroot 1.24
============================================================================
# TOTAL: 12
# PASS: 11
# SKIP: 0
# XFAIL: 0
# FAIL: 1
# XPASS: 0
# ERROR: 0
============================================================================
See test/test-suite.log
Please report to clint@debian.org
============================================================================
make[3]: *** [Makefile:548: test-suite.log] Error 1
make[3]: Leaving directory '/root/packages/system/fakeroot/src/fakeroot-1.24/test'
make[2]: *** [Makefile:656: check-TESTS] Error 2
make[2]: Leaving directory '/root/packages/system/fakeroot/src/fakeroot-1.24/test'
make[1]: *** [Makefile:804: check-am] Error 2
make[1]: Leaving directory '/root/packages/system/fakeroot/src/fakeroot-1.24/test'
make: *** [Makefile:677: check-recursive] Error 1
```https://git.adelielinux.org/adelie/packages/-/issues/219system/file: CVE-2019-18218: heap-based buffer overflow2022-02-02T16:53:24ZEmilysystem/file: CVE-2019-18218: heap-based buffer overflow| | |
| --- | --- |
| Bugzilla ID | 219 |
| Alias(es) | CVE-2019-18218 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2019-10-24 16:29:38 -0500 |
| Modified | 2020-02-25 17:43:55 -0600 |
| Status |...| | |
| --- | --- |
| Bugzilla ID | 219 |
| Alias(es) | CVE-2019-18218 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2019-10-24 16:29:38 -0500 |
| Modified | 2020-02-25 17:43:55 -0600 |
| Status | RESOLVED FIXED |
| Version | 1.0-BETA3 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2019-18218 |
## Description
> cdf_read_property_info in cdf.c in file through 5.37 does not restrict
> the number of CDF_VECTOR elements, which allows a heap-based buffer
> overflow (4-byte out-of-bounds write).1.0-BETA3https://git.adelielinux.org/adelie/packages/-/issues/418system/findutils: test failure: FAIL: tests/xargs/verbose-quote2022-05-02T03:38:36ZZach van Rijnsystem/findutils: test failure: FAIL: tests/xargs/verbose-quoteSee #412 for a similar looking failure.
```
...
============================================================================
Testsuite summary for GNU findutils 4.8.0
=====================================================================...See #412 for a similar looking failure.
```
...
============================================================================
Testsuite summary for GNU findutils 4.8.0
============================================================================
# TOTAL: 15
# PASS: 13
# SKIP: 1
# XFAIL: 0
# FAIL: 1
# XPASS: 0
# ERROR: 0
============================================================================
See ./tests/test-suite.log
Please report to bug-findutils@gnu.org
============================================================================
make[3]: *** [Makefile:2472: tests/test-suite.log] Error 1
make[3]: Leaving directory '/root/packages/system/findutils/src/findutils-4.8.0'
make[2]: *** [Makefile:2580: check-TESTS] Error 2
make[2]: Leaving directory '/root/packages/system/findutils/src/findutils-4.8.0'
make[1]: *** [Makefile:2812: check-am] Error 2
make[1]: Leaving directory '/root/packages/system/findutils/src/findutils-4.8.0'
make: *** [Makefile:2357: check-recursive] Error 1
```
The full output is:
```
=================================================
GNU findutils 4.8.0: ./tests/test-suite.log
=================================================
# TOTAL: 15
# PASS: 13
# SKIP: 1
# XFAIL: 0
# FAIL: 1
# XPASS: 0
# ERROR: 0
.. contents:: :depth: 2
SKIP: tests/find/many-dir-entries-vs-OOM
========================================
many-dir-entries-vs-OOM.sh: skipped test: expensive: disabled by default
This test is relatively expensive, so it is disabled by default.
To run it anyway, rerun make check with the RUN_EXPENSIVE_TESTS
environment variable set to yes. E.g.,
env RUN_EXPENSIVE_TESTS=yes make check
or use the shortcut target of the toplevel Makefile,
make check-expensive
SKIP tests/find/many-dir-entries-vs-OOM.sh (exit status: 77)
FAIL: tests/xargs/verbose-quote
===============================
--- experr 2022-01-04 09:11:12.470000000 +0000
+++ err 2022-01-04 09:11:12.470000000 +0000
@@ -2,4 +2,4 @@
'./my command' 'hel lo' '10 0' world
'./my command' 'hel lo' '20"0' world
'./my command' 'hel lo' "30'0" world
-'./my command' 'hel lo' '40'$'\n''0' world
+'./my command' 'hel lo' '40$\n0' world
--- expout 2022-01-04 09:11:12.470000000 +0000
+++ out 2022-01-04 09:11:12.470000000 +0000
@@ -2,5 +2,5 @@
hel lo 10 0 world
hel lo 20"0 world
hel lo 30'0 world
-hel lo 40
+hel lo 40$
0 world
FAIL tests/xargs/verbose-quote.sh (exit status: 1)
```https://git.adelielinux.org/adelie/packages/-/issues/147system/flex: CVE-2019-6293: recursive call stack exhaustion2022-02-02T17:01:23ZEmilysystem/flex: CVE-2019-6293: recursive call stack exhaustion| | |
| --- | --- |
| Bugzilla ID | 147 |
| Alias(es) | CVE-2019-6293 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2019-07-31 07:09:24 -0500 |
| Modified | 2020-06-22 06:08:30 -0500 |
| Status | ...| | |
| --- | --- |
| Bugzilla ID | 147 |
| Alias(es) | CVE-2019-6293 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2019-07-31 07:09:24 -0500 |
| Modified | 2020-06-22 06:08:30 -0500 |
| Status | CONFIRMED |
| Version | 1.0-BETA3 |
| Hardware | Adélie Linux / All |
| Importance | --- / minor |
| Package(s) | system/flex |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2019-6293 |
## Description
> An issue was discovered in the function mark_beginning_as_normal in
> nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the
> mark_beginning_as_normal function making recursive calls to itself in
> certain scenarios involving lots of '*' characters. Remote attackers
> could leverage this vulnerability to cause a denial-of-service.1.0-BETA3https://git.adelielinux.org/adelie/packages/-/issues/445system/gcc: (aarch64) cc1: error: unknown value ‘armv8-a’ for -mcpu2022-01-08T23:35:51ZZach van Rijnsystem/gcc: (aarch64) cc1: error: unknown value ‘armv8-a’ for -mcpuFound on aarch64:
```
$ gcc -o hello hello.c -mcpu=armv8-a
cc1: error: unknown value ‘armv8-a’ for -mcpu
cc1: note: valid arguments are: cortex-a35 cortex-a53 cortex-a57 cortex-a72 cortex-a73 thunderx thunderxt88p1 thunderxt88 thunderxt...Found on aarch64:
```
$ gcc -o hello hello.c -mcpu=armv8-a
cc1: error: unknown value ‘armv8-a’ for -mcpu
cc1: note: valid arguments are: cortex-a35 cortex-a53 cortex-a57 cortex-a72 cortex-a73 thunderx thunderxt88p1 thunderxt88 thunderxt81 thunderxt83 xgene1 falkor qdf24xx exynos-m1 thunderx2t99p1 vulcan thunderx2t99 cortex-a55 cortex-a75 saphira cortex-a57.cortex-a53 cortex-a72.cortex-a53 cortex-a73.cortex-a35 cortex-a73.cortex-a53 cortex-a75.cortex-a55 generic
```
GCC may have been built wrong? We use [this config](https://git.adelielinux.org/adelie-infra/autobuilder/-/blob/master/config/abuild.aarch64.conf).https://git.adelielinux.org/adelie/packages/-/issues/453system/gcc: (ppc) ERROR: gcc*: Found textrels:2022-05-02T03:41:58ZZach van Rijnsystem/gcc: (ppc) ERROR: gcc*: Found textrels:Found on 32-bit ppc.
```
>>> gcc*: Running postcheck for gcc ...Found on 32-bit ppc.
```
>>> gcc*: Running postcheck for gcc
>>> ERROR: gcc*: Found textrels:
TEXTREL /root/packages/system/gcc/pkg/gcc/usr/lib/libcc1.so.0.0.0
TEXTREL /root/packages/system/gcc/pkg/gcc/usr/lib/gcc/powerpc-foxkit-linux-musl/8.5.0/plugin/libcp1plugin.so.0.0.0
TEXTREL /root/packages/system/gcc/pkg/gcc/usr/lib/gcc/powerpc-foxkit-linux-musl/8.5.0/plugin/libcc1plugin.so.0.0.0
>>> ERROR: gcc*: prepare_subpackages failed
>>> ERROR: gcc: rootpkg failed
```https://git.adelielinux.org/adelie/packages/-/issues/92system/gcc: [GCC 8 Regression] user/gsl fails test suite in eigen on ppc642022-05-02T04:28:43ZEmilysystem/gcc: [GCC 8 Regression] user/gsl fails test suite in eigen on ppc64| | |
| --- | --- |
| Bugzilla ID | 92 |
| Reporter | A. Wilcox (awilfox) |
| Assignee | A. Wilcox (awilfox) |
| Reported | 2019-03-16 17:46:14 -0500 |
| Modified | 2020-06-22 06:27:34 -0500 |
| Status | CONFIRMED |
| Version | 1.0-BE...| | |
| --- | --- |
| Bugzilla ID | 92 |
| Reporter | A. Wilcox (awilfox) |
| Assignee | A. Wilcox (awilfox) |
| Reported | 2019-03-16 17:46:14 -0500 |
| Modified | 2020-06-22 06:27:34 -0500 |
| Status | CONFIRMED |
| Version | 1.0-BETA3 |
| Hardware | Adélie Linux / PowerPC (64-bit) |
| Importance | --- / major |
| Package(s) | user/gsl |
## Description
gsl fails its test suite in the 'eigen' section on ppc64 after GCC 8 bump:
FAIL: herm random, normalized(1), unsorted (0.999999999999999112 observed vs 1 expected) [117761]
FAIL: herm random, normalized(2), val/asc (0.999999999999999112 observed vs 1 expected) [117789]
FAIL: herm random, normalized(0), val/desc (0.999999999999999112 observed vs 1 expected) [117811]
FAIL: herm random, normalized(1), abs/asc (0.999999999999999112 observed vs 1 expected) [117836]
FAIL: herm random, normalized(1), abs/desc (0.999999999999999112 observed vs 1 expected) [117860]1.0-BETA3https://git.adelielinux.org/adelie/packages/-/issues/190system/gcc: CVE-2019-15847: POWER9 "DARN" RNG intrinsic produces repeated output2022-05-02T04:32:37ZEmilysystem/gcc: CVE-2019-15847: POWER9 "DARN" RNG intrinsic produces repeated output| | |
| --- | --- |
| Bugzilla ID | 190 |
| Alias(es) | CVE-2019-15847 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2019-09-05 01:01:51 -0500 |
| Modified | 2020-06-22 06:13:06 -0500 |
| Status |...| | |
| --- | --- |
| Bugzilla ID | 190 |
| Alias(es) | CVE-2019-15847 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2019-09-05 01:01:51 -0500 |
| Modified | 2020-06-22 06:13:06 -0500 |
| Status | CONFIRMED |
| Version | 1.0-BETA3 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| Package(s) | system/gcc |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2019-15847 |
| See also | https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481 |
## Description
> The POWER9 backend in GNU Compiler Collection (GCC) before version 10
> could optimize multiple calls of the __builtin_darn intrinsic into a
> single call, thus reducing the entropy of the random number generator.
> This occurred because a volatile operation was not specified. For
> example, within a single execution of a program, the output of every
> __builtin_darn() call may be the same.
Backported to 8 branch:
https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=275181
8 branch test case:
https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=275182
https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=2752441.0-BETA3https://git.adelielinux.org/adelie/packages/-/issues/539system/gcc: FTBFS after musl bump to 1.2.32022-05-02T01:04:56ZZach van Rijnsystem/gcc: FTBFS after musl bump to 1.2.3Commit 329b64d8d7eaad2f87d1bca6031964a651312fce bumped musl to `1.2.3`.
```
...
libtool: compile: /root/packages/system/gcc/src/build/./gcc/gccgo -B/root/packages/system/gcc/src/build/./gcc/ -B/usr/x86_64-foxkit-linux-musl/bin/ -B/usr/...Commit 329b64d8d7eaad2f87d1bca6031964a651312fce bumped musl to `1.2.3`.
```
...
libtool: compile: /root/packages/system/gcc/src/build/./gcc/gccgo -B/root/packages/system/gcc/src/build/./gcc/ -B/usr/x86_64-foxkit-linux-musl/bin/ -B/usr/x86_64-foxkit-linux-musl/lib/ -i>
sysinfo.go:6523:7: error: redefinition of ‘SYS_SECCOMP’
const SYS_SECCOMP = _SYS_SECCOMP
^
sysinfo.go:6517:7: note: previous definition of ‘SYS_SECCOMP’ was here
const SYS_SECCOMP = _SYS_seccomp
^
libtool: compile: /root/packages/system/gcc/src/build/./gcc/gccgo -B/root/packages/system/gcc/src/build/./gcc/ -B/usr/x86_64-foxkit-linux-musl/bin/ -B/usr/x86_64-foxkit-linux-musl/lib/ -i>
make[4]: *** [Makefile:3324: syscall.lo] Error 1
make[4]: *** Waiting for unfinished jobs....
```
We need this patch: [libgo-musl-1.2.3.patch](/uploads/d45243de987161c1a194929cd0629737/libgo-musl-1.2.3.patch)https://git.adelielinux.org/adelie/packages/-/issues/179system/gcc: ICE building Firefox on pmmx due to bad google code2023-01-05T17:08:12ZEmilysystem/gcc: ICE building Firefox on pmmx due to bad google code| | |
| --- | --- |
| Bugzilla ID | 179 |
| Reporter | A. Wilcox (awilfox) |
| Assignee | A. Wilcox (awilfox) |
| Reported | 2019-08-14 07:18:30 -0500 |
| Modified | 2019-08-14 07:18:30 -0500 |
| Status | CONFIRMED |
| Version | 1.0-B...| | |
| --- | --- |
| Bugzilla ID | 179 |
| Reporter | A. Wilcox (awilfox) |
| Assignee | A. Wilcox (awilfox) |
| Reported | 2019-08-14 07:18:30 -0500 |
| Modified | 2019-08-14 07:18:30 -0500 |
| Status | CONFIRMED |
| Version | 1.0-BETA3 |
| Hardware | Adélie Linux / Intel x86 (32-bit) |
| Importance | --- / major |
## Description
The patches from:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90756
and:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90139
need to be applied for pmmx to be able to build Firefox without patching, due to awful google code: https://bugs.chromium.org/p/skia/issues/detail?id=92021.0-BETA3https://git.adelielinux.org/adelie/packages/-/issues/27system/gcc: problems getting GCC to work2022-02-02T17:30:38ZEmilysystem/gcc: problems getting GCC to work| | |
| --- | --- |
| Bugzilla ID | 27 |
| Reporter | Samuel Holland |
| Assignee | A. Wilcox (awilfox) |
| Reported | 2017-02-01 13:59:11 -0600 |
| Modified | 2017-11-24 22:44:59 -0600 |
| Status | RESOLVED FIXED |
| Version | 1.0-ALP...| | |
| --- | --- |
| Bugzilla ID | 27 |
| Reporter | Samuel Holland |
| Assignee | A. Wilcox (awilfox) |
| Reported | 2017-02-01 13:59:11 -0600 |
| Modified | 2017-11-24 22:44:59 -0600 |
| Status | RESOLVED FIXED |
| Version | 1.0-ALPHA1 |
| Hardware | Adélie Linux / All |
| Importance | Normal / normal |
## Description
I installed gcc5.4.0, hoping to get a working compiler. Here are the issues I faced:
* No GCC profile is set by default, meaning there was no cc or gcc symlink. This can be set with gcc-config.
* gcc-config refused to run because it could not determine the CHOST. I got around this by exporting CHOST on the command line based on the output of `gcc-5.4.0 -v`
* After that, I noticed that gcc failed when it tried to run `as` because binutils also has no default version set.
* binutils-config cannot list possible profiles because CHOST is not set (and portageq is not found when it tries to auto-detect CHOST).
* Once that is fixed, gcc cannot find libgcc. This is because libgcc.a is in the gcc5.4.0-devel package, which gcc5.4.0 does not depend on.
* Also, musl-devel is not pulled in by any of these packages; I'm not sure if that is intended.---https://git.adelielinux.org/adelie/packages/-/issues/214system/gdb: multiple vulnerabilities2022-05-02T04:41:15ZEmilysystem/gdb: multiple vulnerabilities| | |
| --- | --- |
| Bugzilla ID | 214 |
| Alias(es) | CVE-2018-12934, CVE-2019-1010180 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2019-10-16 17:04:30 -0500 |
| Modified | 2020-06-22 05:58:30 ...| | |
| --- | --- |
| Bugzilla ID | 214 |
| Alias(es) | CVE-2018-12934, CVE-2019-1010180 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2019-10-16 17:04:30 -0500 |
| Modified | 2020-06-22 05:58:30 -0500 |
| Status | CONFIRMED |
| Version | 1.0-BETA4 |
| Hardware | Adélie Linux / All |
| Importance | --- / minor |
| Package(s) | system/binutils |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2019-1010180 |
| See also | https://sourceware.org/bugzilla/show_bug.cgi?id=23657 |
## Description
CVE-2019-1010180: https://nvd.nist.gov/vuln/detail/CVE-2019-1010180
> GNU gdb All versions is affected by: Buffer Overflow - Out of bound
> memory access. The impact is: Deny of Service, Memory Disclosure, and
> Possible Code Execution. The component is: The main gdb module. The
> attack vector is: Open an ELF for debugging. The fixed version is: Not
> fixed yet.
Note: NVD states it affects GDB, but upstream appears to be fixing it in BFD.1.0-BETA3https://git.adelielinux.org/adelie/packages/-/issues/259system/git: CVE-2020-5260: malicious URLs may cause Git to present stored cre...2022-02-02T02:04:00ZEmilysystem/git: CVE-2020-5260: malicious URLs may cause Git to present stored credentials to the wrong server| | |
| --- | --- |
| Bugzilla ID | 259 |
| Alias(es) | CVE-2020-5260 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-15 18:00:06 -0500 |
| Modified | 2020-04-19 00:53:57 -0500 |
| Status | ...| | |
| --- | --- |
| Bugzilla ID | 259 |
| Alias(es) | CVE-2020-5260 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-15 18:00:06 -0500 |
| Modified | 2020-04-19 00:53:57 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2020-5260 |
## Description
CVE-2020-5260: https://nvd.nist.gov/vuln/detail/CVE-2020-5260
> Affected versions of Git have a vulnerability whereby Git can be
> tricked into sending private credentials to a host controlled by an
> attacker. Git uses external "credential helper" programs to store and
> retrieve passwords or other credentials from secure storage provided
> by the operating system. Specially-crafted URLs that contain an
> encoded newline can inject unintended values into the credential
> helper protocol stream, causing the credential helper to retrieve the
> password for one server (e.g., good.example.com) for an HTTP request
> being made to another server (e.g., evil.example.com), resulting in
> credentials for the former being sent to the latter. There are no
> restrictions on the relationship between the two, meaning that an
> attacker can craft a URL that will present stored credentials for any
> host to a host of their choosing. The vulnerability can be triggered
> by feeding a malicious URL to git clone. However, the affected URLs
> look rather suspicious; the likely vector would be through systems
> which automatically clone URLs not visible to the user, such as Git
> submodules, or package systems built around Git. The problem has been
> patched in the versions published on April 14th, 2020, going back to
> v2.17.x. Anyone wishing to backport the change further can do so by
> applying commit 9a6bbee (the full release includes extra checks for
> git fsck, but that commit is sufficient to protect clients against the
> vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4,
> 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1.
See also https://www.openwall.com/lists/oss-security/2020/04/15/5
Resolution will be bumping to 2.25.3.1.0-BETA3https://git.adelielinux.org/adelie/packages/-/issues/466system/git: test failure: not ok 2 - parallel-checkout with re-encoding2022-05-02T03:32:29ZZach van Rijnsystem/git: test failure: not ok 2 - parallel-checkout with re-encodingFound on ppc64 and x86_64:
```
*** t2082-parallel-checkout-attributes.sh ***
ok 1 - parallel-checkout with ident
not ok 2 - parallel-checkout with re-encoding ...Found on ppc64 and x86_64:
```
*** t2082-parallel-checkout-attributes.sh ***
ok 1 - parallel-checkout with ident
not ok 2 - parallel-checkout with re-encoding
#
# set_checkout_config 2 0 &&
# git init encoding &&
# (
# cd encoding &&
# echo text >utf8-text &&
# write_utf16 <utf8-text >utf16-text &&
#
# echo "A working-tree-encoding=UTF-16" >.gitattributes &&
# cp utf16-text A &&
# cp utf8-text B &&
# git add A B .gitattributes &&
# git commit -m encoding &&
#
# # Check that A is stored in UTF-8
# git cat-file -p :A >A.internal &&
# test_cmp_bin utf8-text A.internal &&
#
# rm A B &&
# test_checkout_workers 2 git checkout A B &&
#
# # Check that A (and only A) is re-encoded during checkout
# test_cmp_bin utf16-text A &&
# test_cmp_bin utf8-text B
# )
#
ok 3 - parallel-checkout with eol conversions
ok 4 - parallel-checkout and external filter
ok 5 - parallel-checkout and delayed checkout
# failed 1 among 5 test(s)
1..5
make[2]: *** [Makefile:57: t2082-parallel-checkout-attributes.sh] Error 1
```https://git.adelielinux.org/adelie/packages/-/issues/58system/glib-dev (2.54.2-r0): gdbus-codegen has incorrect python shebang2022-02-02T17:18:18ZEmilysystem/glib-dev (2.54.2-r0): gdbus-codegen has incorrect python shebang| | |
| --- | --- |
| Bugzilla ID | 58 |
| Reporter | Max Rees (sroracle) |
| Assignee | A. Wilcox (awilfox) |
| Reported | 2018-04-01 21:07:02 -0500 |
| Modified | 2018-04-02 20:17:19 -0500 |
| Status | RESOLVED FIXED |
| Version | 1....| | |
| --- | --- |
| Bugzilla ID | 58 |
| Reporter | Max Rees (sroracle) |
| Assignee | A. Wilcox (awilfox) |
| Reported | 2018-04-01 21:07:02 -0500 |
| Modified | 2018-04-02 20:17:19 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-ALPHA5 |
| Hardware | Adélie Linux / Intel x86 (64-bit) |
| Importance | Normal / normal |
## Description
$ head -n1 /usr/bin/gdbus-codegen
#!/usr/bin/env /usr/bin/python
I tried rebuilding locally and it builds fine, with a correct shebang:
$ head -n1 ./src/glib-2.54.2/gio/gdbus-2.0/codegen/gdbus-codegen
#!/usr/bin/env /usr/bin/python3
Probably just needs a rebuild; might've been built when a /usr/bin/python symlink was installed to work on a package related to bug 41[1].
[1] https://bts.adelielinux.org/show_bug.cgi?id=411.0-ALPHA6https://git.adelielinux.org/adelie/packages/-/issues/37system/grep (3.1): test failure due to PCRE JIT disability on ppc642022-02-02T17:25:46ZEmilysystem/grep (3.1): test failure due to PCRE JIT disability on ppc64| | |
| --- | --- |
| Bugzilla ID | 37 |
| Reporter | A. Wilcox (awilfox) |
| Assignee | A. Wilcox (awilfox) |
| Reported | 2017-11-25 15:39:59 -0600 |
| Modified | 2018-09-14 11:12:57 -0500 |
| Status | RESOLVED FIXED |
| Version | 1....| | |
| --- | --- |
| Bugzilla ID | 37 |
| Reporter | A. Wilcox (awilfox) |
| Assignee | A. Wilcox (awilfox) |
| Reported | 2017-11-25 15:39:59 -0600 |
| Modified | 2018-09-14 11:12:57 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-ALPHA3 |
| Hardware | Adélie Linux / PowerPC (64-bit) |
| Importance | Normal / normal |
| URL | https://debbugs.gnu.org/cgi/bugreport.cgi?bug=29446 |
## Description
See URL for bug report. This will be closed when we solve this together with upstream.1.0-ALPHA4https://git.adelielinux.org/adelie/packages/-/issues/1033system/grep: (3.10): multiple regressions are fixed in the 3.11 release2023-09-22T11:16:33ZZach van Rijnsystem/grep: (3.10): multiple regressions are fixed in the 3.11 releaseWe bumped to `3.10` in 5d9ffc28fc6a0d99338cac0b020e3eac486bccfc and it has been nothing short of problematic.
```
NEWS
* Noteworthy changes in release 3.11 (2023-05-13) [stable]
** Bug fixes
With -P, patterns like [\d] now work aga...We bumped to `3.10` in 5d9ffc28fc6a0d99338cac0b020e3eac486bccfc and it has been nothing short of problematic.
```
NEWS
* Noteworthy changes in release 3.11 (2023-05-13) [stable]
** Bug fixes
With -P, patterns like [\d] now work again. Fixing this has caused
grep to revert to the behavior of grep 3.8, in that patterns like \w
and \b go back to using ASCII rather than Unicode interpretations.
However, future versions of GNU grep and/or PCRE2 are likely to fix
this and change the behavior of \w and \b back to Unicode again,
without breaking [\d] as 3.10 did.
[bug introduced in grep 3.10]
grep no longer fails on files dated after the year 2038,
when running on 32-bit x86 and ARM hosts using glibc 2.34+.
[bug introduced in grep 3.9]
grep -P no longer fails to match patterns using negated classes
like \D or \W when linked with PCRE2 10.34 or newer.
[bug introduced in grep 3.8]
```
See also:
* https://lists.gnu.org/archive/html/info-gnu/2023-05/msg00004.htmlhttps://git.adelielinux.org/adelie/packages/-/issues/671system/grep: (ppc) error: 'mcontext_t' {aka 'struct <anonymous>'} has no memb...2022-12-13T15:29:11ZZach van Rijnsystem/grep: (ppc) error: 'mcontext_t' {aka 'struct <anonymous>'} has no member named 'uc_regs'```
...
CC pipe-safer.o
sigsegv.c: In function 'sigsegv_handler':
sigsegv.c:225:75: error: 'mcontext_t' {aka 'struct <anonymous>'} has no member named 'uc_regs'; did you mean 'gregs'?
# define SIGSEGV_FAULT_STACKPOINTER ((uc...```
...
CC pipe-safer.o
sigsegv.c: In function 'sigsegv_handler':
sigsegv.c:225:75: error: 'mcontext_t' {aka 'struct <anonymous>'} has no member named 'uc_regs'; did you mean 'gregs'?
# define SIGSEGV_FAULT_STACKPOINTER ((ucontext_t *) ucp)->uc_mcontext.uc_regs->gregs[1]
^~~~~~~
sigsegv.c:940:43: note: in expansion of macro 'SIGSEGV_FAULT_STACKPOINTER'
uintptr_t old_sp = (uintptr_t) (SIGSEGV_FAULT_STACKPOINTER);
^~~~~~~~~~~~~~~~~~~~~~~~~~
make[3]: *** [Makefile:2328: sigsegv.o] Error 1
make[3]: *** Waiting for unfinished jobs....
```
[20220507-06_41_53.151973677_grep.log](/uploads/bf3cc1de00a7e677d00c8aa0d34b1b16/20220507-06_41_53.151973677_grep.log)