All Projects

Project | Category | Task Type | Priority | Severity | Summary | Status | Progress
Packages | Any | Security Issue | Very High | Critical | [xen] multiple security issues: CVE-2018-10472, CVE-201 ... | Closed | 100%
Task Description

http://openwall.com/lists/oss-security/2018/04/30/1 An attacker supplying a crafted CDROM image can read any file (or
device node) on the dom0 filesystem with the permissions of the qemu
devicemodel process. (The virtual CDROM device is read-only, so
no data can be written.)

http://openwall.com/lists/oss-security/2018/04/30/2 A malicious or buggy guest may cause a hypervisor crash, resulting in
a Denial of Service (DoS) affecting the entire host.

http://openwall.com/lists/oss-security/2018/05/11/1 A malicious unprivileged device model can cause a Denial of Service
(DoS) affecting the entire host. Specifically, it may prevent use of a
physical CPU for an indeterminate period of time.

http://openwall.com/lists/oss-security/2018/05/11/2

[critical]
A malicious or buggy HVM guest may cause a hypervisor crash, resulting
in a Denial of Service (DoS) affecting the entire host. Privilege
escalation, or information leaks, cannot be excluded.

Patches provided by upstream.

Packages | Any | Security Issue | Very High | Critical | [wget] - GNU Wget Cookie Injection CVE-2018-0494 | Closed | 100%
Task Description

An external attacker is able to inject arbitrary cookie values into the cookie jar file,
adding new or replacing existing cookie values.
http://openwall.com/lists/oss-security/2018/05/06/1

Fixed in GNU Wget 1.19.5 or later.

Packages | Any | Freedom Issue | Very High | Critical | [rust][cargo] trademark agreement affects user freedom | Closed | 100%
Task Description
Uses that require explicit approval
Distributing a modified version of the Rust programming language or the Cargo package manager and calling it Rust or Cargo requires explicit, written permission from the Rust core team. We will usually allow these uses as long as the modifications are (1) relatively small and (2) very clearly communicated to end-users.
Selling t-shirts, hats, and other artwork or merchandise requires explicit, written permission from the Rust core team. We will usually allow these uses as long as (1) it is clearly communicated that the merchandise is not in any way an official part of the Rust project and (2) it is clearly communicated whether profits benefit the Rust project.
Using the Rust trademarks within another trademark requires written permission from the Rust core team except as described above.

Since it violates the freedom to redistribute without “explicit” approval, this is a freedom issue.

Packages | Any | Security Issue | High | Critical | [python2] heap-overflow vulnerability CVE-2018-1000030 | Closed | 100%
Task Description

Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable, however this has not been confirmed. The vulnerability lies when multiple threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread 1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3→Malloc→Thread1→Free’s→Thread2-Re-uses-Free’d Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code; however, in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, and as such the DWF feels this issue deserves a CVE.

https://security-tracker.debian.org/tracker/CVE-2018-1000030

Packages | Any | Security Issue | Very High | Critical | [mutt] CVE-2018-14354 | Closed | 100%
Task Description

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They allow remote IMAP servers to execute arbitrary commands via backquote characters, related to the mailboxes command associated with a manual subscription or unsubscription.

https://security-tracker.debian.org/tracker/CVE-2018-14354

Packages | Any | Security Issue | Very High | Critical | [linux-libre-lts*] Meltdown & Spectre Vulnerability | Closed | 100%
Task Description

Multiple CVEs. Unprivileged programs can gain access to a hardware bug in the CPU, and thereby initiate memory dumps and other low-level attacks.

Packages | Any | Security Issue | Medium | Critical | [glusterfs] CVE-2018-1088: Privilege escalation via gl ... | Closed | 100%
Task Description

https://security-tracker.debian.org/tracker/CVE-2018-1088

http://openwall.com/lists/oss-security/2018/04/18/1

https://bugs.debian.org/896128

A privilege escalation flaw was found in the gluster 3.x snapshot scheduler. Any gluster client allowed to mount gluster volumes could also mount the shared gluster storage volume and escalate privileges by scheduling a malicious cronjob via symlink.

Upstream patches: https://review.gluster.org/#/c/19899/1..2

Fixed in: https://github.com/gluster/glusterfs/releases/tag/v4.0.2

Packages | Any | Security Issue | Very High | Critical | [dropbear] CVE-2018-15599 | Closed | 100%
Task Description

User enumeration in Dropbear 2018.76 and earlier
http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002108.html

Patch: https://secure.ucc.asn.au/hg/dropbear/rev/5d2d1021ca00

Packages | Any | Privacy Issue | High | Critical | [deepin-desktop-base] Check for CNZZ Spyware | Closed | 100%
Task Description

As per a recent discovery, we should check if our deepin is affected by the CNZZ spyware in the AppStore.
https://www.youtube.com/watch?v=v25Dy66AtNI

We also shouldn’t use the AppStore if it exists, due to non-free apps.

Known files:
> usr/share/dbus-1/system-services/com.deepin.daemon.Apps.service
> etc/appstore.json

Packages | Any | Security Issue | Medium | High | [toxcore] vulnerability affecting versions < 0.2.3 | Closed | 100%
Task Description

Per the official toxcore blog, there is a security issue that affects all versions prior to 0.2.3. Users’ IP will leak if they have a public ToxID.
https://blog.tox.chat/2018/04/security-vulnerability-and-new-toxcore-release/

Packages | Testing | Implementation Request | Medium | Medium | linux-libre-lts-hypersec: New package with extra securi ... | Closed | 100%
Task Description

Description: Per a user request and to better secure the kernel, we can embed cryptsetup and the ciphers in the kernel. This would mean that rather than being exposed as modules, they are built into the kernel and ready to use even without an initramfs.

To be embedded: ciphers aes, twofish, serpent; sha256, sha512 - and the necessary modules (don’t forget the block modes xts, lvm and cryptsetup …)

Additionally, we could include USB Guard and any other features that meet our social contract and security outlook.

Packages | Testing | Bug Report | Medium | Medium | [qtcreator] requires libsystemd.so | Closed | 100%
Task Description

Description: The currently packaged version of QtCreator is built with SystemD support, and on v0.3 no longer works.

Steps to reproduce:

  • pacman -S qtcreator
  • qtcreator
  • All plugins fail to load
  • Receive following error message:

Cannot load plugin because dependency failed to load: ProjectExplorer(4.2.2)
Reason: /usr/lib/qtcreator/plugins/libProjectExplorer.so: Cannot load library /usr/lib/qtcreator/plugins/libProjectExplorer.so:
(libsystemd.so.0: cannot open shared object file: No such file or directory)

We need to see if it is possible to build the binary without libsystemd.so, or else remove the package.

Packages | Any | Feature Request | Medium | Medium | [pybitmessage] Package Request | Closed | 100%
Task Description

PyBitmessage is a secure p2p e-mail alternative. It could be useful to package it.

https://github.com/Bitmessage/PyBitmessage/releases
https://aur.archlinux.org/packages/pybitmessage/
https://aur.archlinux.org/packages/pybitmessage-git/ (contains a firejail profile)

Packages | Any | Security Issue | Medium | Medium | [openssh] CVE-2018-15919 | Closed | 100%
Task Description

Remotely observable behavior in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states ‘We understand that the OpenSSH developers do not want to treat such a username enumeration (or “oracle”) as a vulnerability.’ https://security-tracker.debian.org/tracker/CVE-2018-15919

Packages | Any | Privacy Issue | Medium | Medium | [meta] Investigate DuckDuckGo links for privacy | Closed | 100%
Task Description

As per a user report (https://forums.hyperbola.info/viewtopic.php?id=92), DDG is a USA-based search engine and is blocking Tor users (https://trac.torproject.org/projects/tor/ticket/23648).
They are also using non-free JS on the default search page.

It seems the best way to solve this is to use their “html” hidden service since it conceals the user IP, doesn’t block Tor users by default, and doesn’t need JS. https://3g2upl4pq6kufc4m.onion/html/

This will affect multiple applications that are currently using DuckDuckGo. The alternative is to remove it completely, but it is still a better option than Google et al. for privacy...

Packages | Any | Bug Report | Medium | Medium | [linux-libre-lts] enable CONFIG_USER_NS | Closed | 100%
Task Description

Currently it’s not possible to enable “noroot” in firejail due to missing CONFIG_USER_NS in the kernel. This is a bug also in Arch.
https://github.com/netblue30/firejail/issues/1069

Packages | Any | Bug Report | Medium | Low | firejail: mpv.profile fails to work | Closed | 100%
Task Description

Users trying to use firejail against mpv experience errors such as:

[ytdl_hook] AVideo failed, trying to play URL directly ...
[ffmpeg] tls: The TLS connection was non-properly terminated.
Failed to recognize file format.

The error is caused by avideo not being whitelisted in the firejail profile.

Packages | Any | Bug Report | Low | Low | [xdg-utils] doesn't work with -uxp applications and has ... | Closed | 100%
Task Description

As per the source code, xdg-utils is meant to work with firefox, google-chrome, and other browsers. It is missing support for -uxp applications.

Packages | Any | Bug Report | Low | Low | [usbutils] lsusb does not list device names | Closed | 100%
Task Description

Description:

lsusb does not resolve device names from /var/lib/usbutils/usb.ids

The same thing as described here: https://unix.stackexchange.com/questions/220759/lsusb-doesnt-list-device-names

Packages | Any | Implementation Request | Low | Low | [opmsg] add new package | Closed | 100%
Task Description

Description: opmsg is a replacement for gpg which can encrypt/sign/verify your mails or create/verify detached signatures of local files. Even though the opmsg output looks similar, the concept is entirely different.

Additional info:
https://aur.archlinux.org/packages/opmsg/

Packages | Any | Feature Request | Low | Low | [npapi-vlc] package from git source | Closed | 100%
Task Description

Description: As mentioned in Bug #18, our VLC plugin has not been maintained for some time and the deprecated addon was removed. However, upstream is actively working on the plugin, as per: https://code.videolan.org/videolan/npapi-vlc/tree/master

We should build this from source and re-package.

Packages | Any | Implementation Request | Low | Low | [codecrypt] add new package | Closed | 100%
Task Description

This is a GnuPG-like Unix program for encryption and signing that uses only quantum-computer-resistant algorithms:

  McEliece cryptosystem (compact QC-MDPC variant) for encryption
  Hash-based Merkle tree algorithm (FMTSeq variant) for digital signatures

Codecrypt is free software. The code is licensed under terms of LGPL3 in a good hope that it will make combinations with other tools easier.

Packages | Any | Feature Request | Medium | Low | [cinnamon] add elogind support | Closed | 100%
Task Description

Cinnamon currently does not support elogind, and depends on systemd. A patch is needed to fix this issue.

Services | PunBB Issue | Security Issue | Medium | Low | Forum Spammers on PunBB | Closed | 100%
Task Description

We’ve received a large number of bots registering lately, and once they find you they tend to multiply. We should block the bad ones quickly to avoid spam flooding.

There are several options available, but most seem outdated.

- Stop Forum Spam works very well, but may also block legitimate users, and the PunBB plugin seems to be broken for the latest version.

- JS/Captchas work OK, but are annoying for users, and there are no updated plugins.

- Basic Question Captchas are not too invasive and block the majority of bots for a season. Possibly outdated.
http://punbb.informer.com/wiki/punbb13/extensions/pun_stop_bots
