Adélie Linux issues
https://git.adelielinux.org/groups/adelie/-/issues
2024-01-20T16:01:35Z

https://git.adelielinux.org/adelie/bootstrap/-/issues/3
New administrator-user is not added to the 'sudoers' list (KDE)
2024-01-20T16:01:35Z
Roland Renier

If a new user account is created from KDE preferences and the 'administrator' option is selected, the user is not automatically added to the sudoers list (trying to use sudo gives an error message about that). In other distros with the 'administrator' option a new user can normally use sudo automatically.
Test environment: Adelie 1.0-Beta5 and AmigaOne X5040. 'Sudo' command has been installed.

https://git.adelielinux.org/adelie/bootstrap/-/issues/2
Netsurf 3.10 exits if preferences are opened (KDE only)
2024-01-20T16:01:16Z
Roland Renier

Netsurf 3.10 exits if the program's preferences are opened. This happens only if KDE is used. With MATE desktop this issue is not shown, and the prefs can be edited normally.
```
% netsurf-gtk3
(netsurf-gtk3:4253): GLib-ERROR **: 20:17:12.774: ../glib/gmem.c:205: failed to allocate 2147483648 bytes
zsh: trace trap netsurf-gtk3
```
Test environment: Adelie 1.0-Beta5 PPC (32-bit) and AmigaOne X5040.

https://git.adelielinux.org/adelie/packages/-/issues/1161
user/minizip: CVE-2023-45853: MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64
2024-03-19T22:02:05Z
Zach van Rijn

As of writing, we are at `1.2.13` in `1.0-BETA5`. Latest is `1.3` but still has a vulnerability:

| Name | Description |
|----------------|-------------|
| CVE-2023-45853 | MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API. |
Upstream patch:
* https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c.patch

https://git.adelielinux.org/adelie/packages/-/issues/1160
user/aspell: multiple vulnerabilities
2024-01-09T13:37:37Z
Zach van Rijn

We are at `0.60.8` as of the `1.0-BETA5` tag. Latest available is `0.60.8.1`:

| Name | Description |
|----------------|-------------|
| CVE-2019-25051 | objstack in GNU Aspell 0.60.8 has a heap-based buffer overflow in acommon::ObjStack::dup_top (called from acommon::StringMap::add and acommon::Config::lookup_list). |
| CVE-2019-20433 | libaspell.a in GNU Aspell before 0.60.8 has a buffer over-read for a string ending with a single '\0' byte, if the encoding is set to ucs-2 or ucs-4 outside of the application, as demonstrated by the ASPELL_CONF environment variable. |
| CVE-2019-17544 | libaspell.a in GNU Aspell before 0.60.8 has a stack-based buffer over-read in acommon::unescape in common/getdata.cpp via an isolated \ character. |
The release notes look like there's a typo (`0.68.8` vs. `0.60.8`):
```
From: Kevin Atkinson
Date: Tue, 19 Dec 2023
Subject: Aspell 0.60.8.1 Now Available
GNU Aspell 0.60.8.1 is now available at:
ftp://ftp.gnu.org/gnu/aspell/aspell-0.60.8.1.tar.gz
Changes from 0.68.8 to 0.68.8.1:
* Fix memory leak in suggestion code introduced in 0.60.8.
* Various documentation fixes.
* Fix various warnings when compiling with -Wall.
* Fix two buffer overflows found by Google’s OSS-Fuzz.
* Other minor updates.
```

https://git.adelielinux.org/adelie/packages/-/issues/1159
user/apr-util: CVE-2022-25147: Integer Overflow or Wraparound vulnerability in apr_base64 functions
2024-01-09T13:37:37Z
Zach van Rijn

We are at `1.6.1` as of the `1.0-BETA5` tag, latest is `1.6.3`:

| Name | Description |
|----------------|--------------------------------------------------------------------|
| CVE-2022-25147 | Integer Overflow or Wraparound vulnerability in apr_base64 functions of Apache Portable Runtime Utility (APR-util) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime Utility (APR-util) 1.6.1 and prior versions. |
Reference: https://downloads.apache.org/apr/CHANGES-APR-UTIL-1.6
```
Changes with APR-util 1.6.2
*) SECURITY: CVE-2022-25147 (cve.mitre.org)
Integer Overflow or Wraparound vulnerability in apr_base64 functions
of Apache Portable Runtime Utility (APR-util) allows an attacker to
write beyond bounds of a buffer.
```

https://git.adelielinux.org/adelie/packages/-/issues/1158
user/apr: multiple vulnerabilities
2024-01-09T13:37:37Z
Zach van Rijn

We are at `1.7.0` as of `1.0-BETA5` tag. Latest available is `1.7.4`.

| Name | Description |
|----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| CVE-2022-24963 | Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime (APR) version 1.7.0. |
| CVE-2021-35940 | An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue. |
The third CVE is Windows-specific.
Reference: https://downloads.apache.org/apr/CHANGES-APR-1.7
```
Changes for APR 1.7.1
*) SECURITY: CVE-2022-24963 (cve.mitre.org)
Integer Overflow or Wraparound vulnerability in apr_encode functions of
Apache Portable Runtime (APR) allows an attacker to write beyond bounds
of a buffer.
*) SECURITY: CVE-2022-28331 (cve.mitre.org)
On Windows, Apache Portable Runtime 1.7.0 and earlier may write beyond
the end of a stack based buffer in apr_socket_sendv(). This is a result
of integer overflow.
*) SECURITY: CVE-2021-35940 (cve.mitre.org)
Restore fix for out-of-bounds array dereference in apr_time_exp*() functions.
(This issue was addressed as CVE-2017-12613 in APR 1.6.3 and
later 1.6.x releases, but was missing in 1.7.0.) [Stefan Sperling]
```

https://git.adelielinux.org/adelie/packages/-/issues/1157
user/apache-httpd: multiple vulnerabilities
2024-01-09T13:37:37Z
Zach van Rijn

Reference: https://downloads.apache.org/httpd/CHANGES_2.4.58
```
Changes with Apache 2.4.58
*) SECURITY: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream
memory not reclaimed right away on RST (cve.mitre.org)
When a HTTP/2 stream was reset (RST frame) by a client, there
was a time window were the request's memory resources were not
reclaimed immediately. Instead, de-allocation was deferred to
connection close. A client could send new requests and resets,
keeping the connection busy and open and causing the memory
footprint to keep on growing. On connection close, all resources
were reclaimed, but the process might run out of memory before
that.
This was found by the reporter during testing of CVE-2023-44487
(HTTP/2 Rapid Reset Exploit) with their own test client. During
"normal" HTTP/2 use, the probability to hit this bug is very
low. The kept memory would not become noticeable before the
connection closes or times out.
Users are recommended to upgrade to version 2.4.58, which fixes
the issue.
Credits: Will Dormann of Vul Labs
*) SECURITY: CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with
initial windows size 0 (cve.mitre.org)
An attacker, opening a HTTP/2 connection with an initial window
size of 0, was able to block handling of that connection
indefinitely in Apache HTTP Server. This could be used to
exhaust worker resources in the server, similar to the well
known "slow loris" attack pattern.
This has been fixed in version 2.4.58, so that such connection
are terminated properly after the configured connection timeout.
This issue affects Apache HTTP Server: from 2.4.55 through
2.4.57.
Users are recommended to upgrade to version 2.4.58, which fixes
the issue.
Credits: Prof. Sven Dietrich (City University of New York)
*) SECURITY: CVE-2023-31122: mod_macro buffer over-read
(cve.mitre.org)
Out-of-bounds Read vulnerability in mod_macro of Apache HTTP
Server.This issue affects Apache HTTP Server: through 2.4.57.
Credits: David Shoon (github/davidshoon)
```

https://git.adelielinux.org/adelie/packages/-/issues/1155
user/hyfetch: add package
2023-12-05T04:53:38Z
Zach van Rijn

@mc680x0 added support for Adélie to Hyfetch, a fork of Neofetch:
* https://github.com/hykilpikonna/hyfetch/pull/218

This was merged and released with `1.4.11`

So let's package it.

https://git.adelielinux.org/adelie/packages/-/issues/1154
user/adelie-wallpapers: new default images need more crop margin for KDE (possibly others)
2023-12-04T04:45:49Z
Zach van Rijn

![Screenshot_vm1_2023-12-03_21_32_17](/uploads/2d5f9c788023cbced13addffe95ade66/Screenshot_vm1_2023-12-03_21_32_17.png)

https://git.adelielinux.org/adelie/packages/-/issues/1153
user/adelie-wallpapers: metadata not showing up in KDE
2023-12-04T04:46:29Z
Zach van Rijn

Seeing these weird repeating entries, and no name/author information.

![Screenshot_vm1_2023-12-03_20_49_28](/uploads/e6048a644c8a1345c11465cc503354d7/Screenshot_vm1_2023-12-03_20_49_28.png)

https://git.adelielinux.org/adelie/packages/-/issues/1152
user/gtkmm+3.0: FTBFS: ERROR: unable to select packages: cmd:xsltproc (virtual):
2023-12-05T15:45:56Z
Zach van Rijn

```
ERROR: unable to select packages:
.makedepends-gtkmm+3.0-20231202.215518:
masked in: cache
satisfies: world[.makedepends-gtkmm+3.0=20231202.215518]
cmd:xsltproc (virtual):
note: please select one of the 'provided by'
packages explicitly
provided by: libxslt
required by: .makedepends-gtkmm+3.0-20231202.215518[cmd:xsltproc]
>>> ERROR: gtkmm+3.0: builddeps failed
```

https://git.adelielinux.org/adelie/packages/-/issues/1151
user/pangomm: FTBFS: ERROR: unable to select packages: cmd:xsltproc (virtual):
2023-12-05T15:45:56Z
Zach van Rijn

```
ERROR: unable to select packages:
.makedepends-pangomm-20231202.203009:
masked in: cache
satisfies: world[.makedepends-pangomm=20231202.203009]
cmd:xsltproc (virtual):
note: please select one of the 'provided by'
packages explicitly
provided by: libxslt
required by: .makedepends-pangomm-20231202.203009[cmd:xsltproc]
>>> ERROR: pangomm: builddeps failed
```

https://git.adelielinux.org/adelie/packages/-/issues/1150
user/cairomm: FTBFS: ERROR: unable to select packages: cmd:xsltproc (virtual):
2023-12-05T15:45:56Z
Zach van Rijn

```
ERROR: unable to select packages:
.makedepends-cairomm-20231202.201622:
masked in: cache
satisfies: world[.makedepends-cairomm=20231202.201622]
cmd:xsltproc (virtual):
note: please select one of the 'provided by'
packages explicitly
provided by: libxslt
required by: .makedepends-cairomm-20231202.201622[cmd:xsltproc]
>>> ERROR: cairomm: builddeps failed
```

https://git.adelielinux.org/adelie/packages/-/issues/1149
user/atkmm: FTBFS: ERROR: unable to select packages: cmd:xsltproc (virtual):
2023-12-05T15:45:56Z
Zach van Rijn

```
ERROR: unable to select packages:
.makedepends-atkmm-20231202.194208:
masked in: cache
satisfies: world[.makedepends-atkmm=20231202.194208]
cmd:xsltproc (virtual):
note: please select one of the 'provided by'
packages explicitly
provided by: libxslt
required by: .makedepends-atkmm-20231202.194208[cmd:xsltproc]
>>> ERROR: atkmm: builddeps failed
```

https://git.adelielinux.org/adelie/packages/-/issues/1148
user/glibmm: ERROR: unable to select packages: cmd:xsltproc (virtual):
2023-12-05T15:45:56Z
Zach van Rijn

```
ERROR: unable to select packages:
.makedepends-glibmm-20231202.192712:
masked in: cache
satisfies: world[.makedepends-glibmm=20231202.192712]
cmd:xsltproc (virtual):
note: please select one of the 'provided by'
packages explicitly
provided by: libxslt
required by: .makedepends-glibmm-20231202.192712[cmd:xsltproc]
>>> ERROR: glibmm: builddeps failed
```

https://git.adelielinux.org/adelie/packages/-/issues/1147
user/opengfx: FTBFS: ERROR: unable to select packages: cmd:unix2dos (virtual):
2023-12-05T15:45:56Z
Zach van Rijn

```
ERROR: unable to select packages:
.makedepends-opengfx-20231202.183859:
masked in: cache
satisfies: world[.makedepends-opengfx=20231202.183859]
cmd:unix2dos (virtual):
note: please select one of the 'provided by'
packages explicitly
provided by: dos2unix
required by: .makedepends-opengfx-20231202.183859[cmd:unix2dos]
>>> ERROR: opengfx: builddeps failed
```

https://git.adelielinux.org/adelie/packages/-/issues/1146
user/perl-dbd-pg: FTBFS: ERROR: unable to select packages: cmd:locale (virtual):
2023-12-05T15:45:56Z
Zach van Rijn

```
ERROR: unable to select packages:
.makedepends-perl-dbd-pg-20231202.182938:
masked in: cache
satisfies: world[.makedepends-perl-dbd-pg=20231202.182938]
cmd:locale (virtual):
note: please select one of the 'provided by'
packages explicitly
provided by: musl-locales
required by: .makedepends-perl-dbd-pg-20231202.182938[cmd:locale]
>>> ERROR: perl-dbd-pg: builddeps failed
```

https://git.adelielinux.org/adelie/packages/-/issues/1145
[meta] find and fix packages that cannot resolve single virtual dependency
2023-12-03T14:08:41Z
Zach van Rijn

Some packages fail to build with:
```
ERROR: unable to select packages:
.makedepends-recode-20231201.134540:
masked in: cache
satisfies: world[.makedepends-recode=20231201.134540]
cmd:lex (virtual):
note: please select one of the 'provided by'
packages explicitly
provided by: flex
required by: .makedepends-recode-20231201.134540[cmd:lex]
>>> ERROR: recode: builddeps failed
```
See also:
* apk-tools@3b013f458225c2ad8a0d96ec3eb3dde2533e0312
* https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10810
* 64e35b236419b9b654122da04a616d76d6270f7f

https://git.adelielinux.org/adelie/packages/-/issues/1144
user/xgc: FTBFS: ERROR: unable to select packages: cmd:lex (virtual): provided by: flex
2023-12-05T15:45:56Z
Zach van Rijn

```
ERROR: unable to select packages:
.makedepends-xgc-20231202.180142:
masked in: cache
satisfies: world[.makedepends-xgc=20231202.180142]
cmd:lex (virtual):
note: please select one of the 'provided by'
packages explicitly
provided by: flex
required by: .makedepends-xgc-20231202.180142[cmd:lex]
>>> ERROR: xgc: builddeps failed
```

https://git.adelielinux.org/adelie/packages/-/issues/1143
user/apkvitrine: FTBFS: ERROR: unable to select packages: apk-tools version mismatch
2023-12-05T15:45:56Z
Zach van Rijn

Found on x86_64 (powerhouse) with tests enabled:
```
...
>>> apkvitrine: Entering /usr/src/packages/user/py3-flup
ERROR: unable to select packages:
apk-tools-2.14.0-r0:
breaks: .makedepends-apkvitrine-20231202.152804[apk-tools~2.12.0]
satisfies: adelie-core-0.9.7-r0[apk-tools]
abuild-3.4.2-r3[apk-tools>=2.0.7-r1]
.makedepends-apkvitrine-20231202.152804:
masked in: cache
satisfies: world[.makedepends-apkvitrine=20231202.152804]
>>> ERROR: apkvitrine: builddeps failed
```