HyperTask https://issues.hyperbola.info/ packages 2020-05-08T10:10:54Z

FS#1515: [keybase] Complete removal of tool
https://issues.hyperbola.info/index.php?do=details&task_id=1515
2020-05-08T10:10:54Z Tobias Dausend

There is only the source code of the client available, and for years nothing more has happened. With keybase joining “Zoom” nothing more seems to happen. Look also here in the forum: https://forums.hyperbola.info/viewtopic.php?id=368
FS#1514: [gtk-2] Severe problems with GTK2-applications
https://issues.hyperbola.info/index.php?do=details&task_id=1514
2020-04-21T23:53:33Z Tobias Dausend

Description: Since the migration to xenocara there seems to be a bug with applications using GTK-2. From time to time there are crashes with assertion `!xcb_xlib_threads_sequence_lost'.

Looking into this a little bit more deeply, there are also other distributions affected and this is an upstream bug. But the concrete situation is not that easy, as it could also be part of the library libX11 itself. See therefore here: https://bugs.launchpad.net/ubuntu/+source/pcmanfm/+bug/1782984

Affected are for example LXDE in general, icedove, iceweasel and many more!
FS#1513: [git] Multiple CVEs
https://issues.hyperbola.info/index.php?do=details&task_id=1513
2020-04-16T07:07:23Z Arnaud Fontaine

CVE-2020-5260 has been fixed very recently in Debian, so I thought I would apply this patch. However, I found out that security patches have not been applied for quite a while (I could account for at least 6 CVEs).

Considering that the version in Debian stretch (2.11.0) is the nearest version with security patches released by Debian and that the git project's oldest supported version is 2.17, I have used patches from Debian stretch to apply on 2.12.2 currently in Milky Way.

But I have the following error on check():

 |  *** prove ***
 |
 |  Test Summary Report
 |  -------------------
 |  t5570-git-daemon.sh                              (Wstat: 256 Tests: 20 Failed: 10)
 |    Failed tests:  3-7, 15-19
 |    Non-zero exit status: 1
 |  t5811-proto-disable-git.sh                       (Wstat: 256 Tests: 26 Failed: 16)
 |    Failed tests:  2-6, 9-11, 15-19, 21-23
 |    Non-zero exit status: 1
 |  Files=769, Tests=14137, 1101 wallclock secs ( 8.08 usr  1.12 sys + 144.48 cusr 63.42 csys = 217.10 CPU)
 |  Result: FAIL
 |  make[1]: *** [Makefile:45: prove] Error 1
 |  make[1]: Leaving directory '/build/git/src/git-2.12.2/t'
 |  make: *** [Makefile:2291: test] Error 2
 |  ==> ERROR: A failure occurred in check().
 |      Aborting...

This does not seem to be related to my change, as the current version in Milky Way produces the same error (IOW the package currently in Milky Way is not rebuildable).

FS#1512: [ispell] require FHS
https://issues.hyperbola.info/index.php?do=details&task_id=1512
2020-03-19T20:38:34Z Irene Yacila

Description:

cant open /usr/local/lib/english.hash

Additional info:

Repository      : extra
Name            : ispell
Version         : 3.3.02-7
Description     : An interactive spell-checking program for Unix
Architecture    : x86_64
URL             : http://ficus-www.cs.ucla.edu/geoff/ispell.html
Licenses        : BSD
Groups          : None
Provides        : None
Depends On      : ncurses
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 321.26 KiB
Installed Size  : 1336.00 KiB
Packager        : Evangelos Foutras <evangelos@foutrelis.com>
Build Date      : Sun Sep 6 12:07:06 2015
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Steps to reproduce:

- Install package

FS#1511: [chdkptp] please add package to repos
https://issues.hyperbola.info/index.php?do=details&task_id=1511
2020-03-16T14:27:32Z Alon Ivtsan

CHDKPTP is part of the CHDK project - a free software firmware add-on for Canon cameras. It enables controlling Canon cameras via the computer.

Attached is a modified iup PKGBUILD (Lua 5.3 build was removed as it failed to compile) and configuration files for chdkptp.

Code is available via svn:

$ svn co http://subversion.assembla.com/svn/chdkptp/trunk chdkptp

Copy chdkptp.sh and config.mk files to source tree then compile via make. Requires root privileges to connect to a camera.

FS#1510: [chdkptp] please add package to control Canon cameras
https://issues.hyperbola.info/index.php?do=details&task_id=1510
2020-03-16T14:25:55Z Alon Ivtsan

CHDKPTP is part of the CHDK project - a free software firmware add-on for Canon cameras. It enables controlling Canon cameras via the computer.

Attached is a modified iup PKGBUILD (Lua 5.3 build was removed as it failed to compile) and configuration files for chdkptp.

Code is available via svn:

$ svn co http://subversion.assembla.com/svn/chdkptp/trunk chdkptp

Copy chdkptp.sh and config.mk files to source tree then compile via make. chdkptp requires root privileges to connect to a camera.

FS#1508: [opensmtpd] CVE-2020-8794
https://issues.hyperbola.info/index.php?do=details&task_id=1508
2020-02-25T13:58:18Z bugmen0t

Description:
https://www.openwall.com/lists/oss-security/2020/02/24/5
https://www.bleepingcomputer.com/news/security/new-critical-rce-bug-in-openbsd-smtp-server-threatens-linux-distros/

Qualys Security Advisory

LPE and RCE in OpenSMTPD’s default install (CVE-2020-8794)

Contents

Summary
Analysis
...
Acknowledgments

Summary

We discovered a vulnerability in OpenSMTPD, OpenBSD’s mail server. This
vulnerability, an out-of-bounds read introduced in December 2015 (commit
80c6a60c, “when peer outputs a multi-line response ...”), is exploitable
remotely and leads to the execution of arbitrary shell commands: either
as root, after May 2018 (commit a8e22235, “switch smtpd to new
grammar”); or as any non-root user, before May 2018.

Because this vulnerability resides in OpenSMTPD’s client-side code
(which delivers mail to remote SMTP servers), we must consider two
different scenarios:

- Client-side exploitation: This vulnerability is remotely exploitable
in OpenSMTPD's (and hence OpenBSD's) default configuration. Although
OpenSMTPD listens on localhost only, by default, it does accept mail
from local users and delivers it to remote servers. If such a remote
server is controlled by an attacker (either because it is malicious or
compromised, or because of a man-in-the-middle, DNS, or BGP attack --
SMTP is not TLS-encrypted by default), then the attacker can execute
arbitrary shell commands on the vulnerable OpenSMTPD installation.

- Server-side exploitation: First, the attacker must connect to the
OpenSMTPD server (which accepts external mail) and send a mail that
creates a bounce. Next, when OpenSMTPD connects back to their mail
server to deliver this bounce, the attacker can exploit OpenSMTPD's
client-side vulnerability. Last, for their shell commands to be
executed, the attacker must (to the best of our knowledge) crash
OpenSMTPD and wait until it is restarted (either manually by an
administrator, or automatically by a system update or reboot).

We developed a simple exploit for this vulnerability and successfully
tested it against OpenBSD 6.6 (the current release), OpenBSD 5.9 (the
first vulnerable release), Debian 10 (stable), Debian 11 (testing), and
Fedora 31.

The fix is delivered in OpenSMTPD 6.6.4p1, available here, which the developer recommends installing “AS SOON AS POSSIBLE.”

FS#1507: [gstreamer] needed rebuild
https://issues.hyperbola.info/index.php?do=details&task_id=1507
2020-02-28T02:48:39Z Irene Yacila

(gst-plugin-scanner:17336): GStreamer-WARNING : Failed to load plugin ‘/usr/lib/gstreamer-1.0/libgstzbar.so’: libzbar.so.0: cannot open shared object file: No such file or directory
(gst-plugin-scanner:17336): GStreamer-WARNING : Failed to load plugin ‘/usr/lib/gstreamer-1.0/libgstfluidsynthmidi.so’: libfluidsynth.so.1: cannot open shared object file: No such file or directory

Repositorio : extra
Nombre : gstreamer
Versión : 1.12.0-1
Descripción : GStreamer open-source multimedia framework core library
Arquitectura : x86_64
URL : https://gstreamer.freedesktop.org/
Licencias : LGPL
Grupos : Nada
Provee : Nada
Depende de : libxml2 glib2 libunwind libcap libelf
Dependencias opcionales : Nada
En conflicto con : Nada
Remplaza a : Nada
Tamaño de la descarga : 1897,45 KiB
Tamaño de la instalación : 17241,00 KiB
Encargado : Jan Alexander Steffens (heftig) jan.steffens@gmail.com
Fecha de creación : jue 04 may 2017 14:13:05 -05
Validado por : Suma MD5 Suma SHA-256 Firma

FS#1505: [hypervideo] "HTTP Error 403: Forbidden" error on some videos
https://issues.hyperbola.info/index.php?do=details&task_id=1505
2020-02-04T00:14:40Z Alon Ivtsan

Is there any way to force it to try from yt as it did in the final attempt?

$ hypervideo -f 22 https://www.youtube.com/watch?v=X7v2aHUPp14
[youtube] X7v2aHUPp14: Downloading webpage
[youtube] X7v2aHUPp14: Downloading video info webpage
[youtube] X7v2aHUPp14: Checking URL Invidious API
[youtube] X7v2aHUPp14: Downloading JSON metadata
[youtube] X7v2aHUPp14: Downloading from Invidious API
ERROR: unable to download video data: HTTP Error 403: Forbidden

$ hypervideo -f 22 https://www.youtube.com/watch?v=X7v2aHUPp14
[youtube] X7v2aHUPp14: Downloading webpage
[youtube] X7v2aHUPp14: Downloading video info webpage
[youtube] X7v2aHUPp14: Checking URL Invidious API
[youtube] X7v2aHUPp14: Trying from YT
[download] Destination: Caroline’s First Day _ Green Wing _ Series 1 Episode 1 _ Dead Parrot-X7v2aHUPp14.mp4
[download] 100% of 418.57MiB in 03:31

FS#1504: [tigervnc] Multiple CVE
https://issues.hyperbola.info/index.php?do=details&task_id=1504
2020-01-08T00:44:40Z bugmen0t

https://www.openwall.com/lists/oss-security/2019/12/20/2

“This is a security release to fix a number of issues that were found by Kaspersky Lab. These issues affect both the client and server and could theoretically allow a malicious peer to take control over the software on the other side.”
