Packages | Any | Backport Request | Very Low | Medium | Greasemonkey For Iceape | Unconfirmed | |
Task Description
greasemonkey-3.31.4 version desired. I would love to see it implemented for Iceape.
Packages | Any | Implementation Request | Very Low | Medium | Privacy Settings for Iceape | Unconfirmed | |
Task Description
This addon works for any Firefox-based browser but not for SeaMonkey-based ones or this one.
I wondered if you could implement the Iceweasel one for Iceape.
Packages | Any | Freedom Issue | Very Low | Low | Ssleuth for Iceape | Unconfirmed | |
Task Description
5.4 version desired; it would be nice to still see the ciphers in Iceape.
Packages | Any | Backport Request | Very Low | Low | Self Destructing Cookies for Iceape | Unconfirmed | |
Task Description
I would like this to be available for Iceape as well (v4.13).
Packages | Any | Backport Request | Very Low | Medium | No Resource Url Leak for Iceape | Unconfirmed | |
Task Description
1.2.4 version would be nice for Iceape.
Packages | Any | Backport Request | Very Low | Very Low | Icetray for Iceape-uxp | Assigned | |
Task Description
This already works for it, but I just thought I would request it to be put in.
Packages | Any | Freedom Issue | Very Low | Low | Enigmail for Iceape | Unconfirmed | |
Task Description
This would be appreciated greatly, although I am in no hurry.
Packages | Any | Freedom Issue | Very Low | Medium | [mongodb] needs OpenRC init script | Unconfirmed | |
Task Description
Description: needs OpenRC init script
Additional info: * mongodb-3.4.3-1
Packages | Any | Bug Report | Low | High | [kaccounts-integration] option to add NextCloud/OwnClou... | Unconfirmed | |
Task Description
Description:
Additional info: * package version(s)
* config and/or log files etc.
Steps to reproduce:
Packages | Any | Bug Report | Low | High | [kdenetwork-kopete] clicking to add an Jabber Account o... | Unconfirmed | |
Task Description
Description:
Additional info: * package version(s)
* config and/or log files etc.
Steps to reproduce:
Packages | Any | Implementation Request | Very Low | Medium | [midori] please re-add new releases | Unconfirmed | |
Task Description
The security issues regarding the package which led to the package’s removal from Hyperbola (old WebKit and Vala dependency) have apparently been resolved in recent releases, see the new comment in this bug report and the latest PKGBUILD in Arch’s repo.
https://launchpad.net/bugs/1698483
https://www.archlinux.org/packages/community/x86_64/midori/
Packages | Any | Privacy Issue | Very Low | Low | [github] check github-related packages | Researching | |
Task Description
We should check if the following packages run any non-free JS (like youtube-dl) or access a proprietary API:
- hub
- python-pygithub
- python2-pygithub
I haven’t checked them, but they look fishy. Take it as a reminder; this is far from being urgent IMO.
Packages | Any | Bug Report | Very Low | Low | marble-qt: doesn't look like a valid Marble plugin: "/... | Unconfirmed | |
Task Description
Description:
$ marble-qt --latlone=0.5,6.5
Ignoring to load the following file since it doesn't look like a valid Marble plugin: "/usr/lib/marble/plugins/libWlocatePositionProviderPlugin.so"
Reason: "Cannot load library /usr/lib/marble/plugins/libWlocatePositionProviderPlugin.so: (libwlocate.so: cannot open shared object file: No such file or directory)"
When the package libwlocate is installed, it does not show this error.
Should that package be a dependency?
Packages | Any | Freedom Issue | Very Low | High | [gitlab] systemd reference & command not found during i... | Unconfirmed | |
Task Description
(14/14) installing gitlab [##############################] 100%
/tmp/alpm_bCqhHf/.INSTALL: line 2: systemd-tmpfiles: command not found
Packages | Any | Implementation Request | Very Low | Low | [qarte] add package | Unconfirmed | |
Task Description
Request for:
qarte
“Allow you to browse into the archive of arte+7 & arteLiveWeb sites and to record your prefered videos.”
https://aur.archlinux.org/packages/qarte
License: GPL3
Packages | Any | Freedom Issue | Very Low | Low | Add Lumina Desktop | Unconfirmed | |
Task Description
A desktop environment mostly focused on BSD, but also one that is very lightweight and easily customized. Would love to see this desktop on Hyperbola and later, whenever Emulatorman makes it, Hyperbola/GNU/HyperBK.
https://github.com/lumina-desktop/lumina/releases
The version requested is the latest stable one in the link above.
Packages | Any | Feature Request | Very Low | Low | add package powerkit | Unconfirmed | |
Task Description
https://github.com/rodlie/powerkit/releases
Version 1.0 requested
When you add Lumina desktop, add this package for sure. Although it is compatible with other desktops too. So it would be good to add it regardless.
Packages | Any | Feature Request | Very Low | Medium | Add Draco Desktop | Unconfirmed | |
Task Description
https://github.com/rodlie/draco
It's like Lumina Desktop, but it's more lightweight and better for GNU/Linux.
:)
Matter of fact, I hope it's okay, but the latest stable build of Draco is vastly better than Lumina. For this reason I wanted to know if you could put higher priority on this than on the Lumina Desktop request.
Packages | Any | Bug Report | Very Low | Medium | [ rtkit ] contains systemd unit files | Unconfirmed | |
Task Description
Description:
The Arch version of tinc from the snapshot used by Hyperbola comes with systemd support. Since Hyperbola follows the Init Freedom Campaign, removal of the systemd unit files is required, or OpenRC init scripts must be added to replace them.
Additional info:
pacman -Ql rtkit
rtkit /etc/
rtkit /etc/dbus-1/
rtkit /etc/dbus-1/system.d/
rtkit /etc/dbus-1/system.d/org.freedesktop.RealtimeKit1.conf
rtkit /usr/
rtkit /usr/bin/
rtkit /usr/bin/rtkitctl
rtkit /usr/lib/
rtkit /usr/lib/rtkit/
rtkit /usr/lib/rtkit/rtkit-daemon
rtkit /usr/share/
rtkit /usr/share/dbus-1/
rtkit /usr/share/dbus-1/interfaces/
rtkit /usr/share/dbus-1/interfaces/org.freedesktop.RealtimeKit1.xml
rtkit /usr/share/dbus-1/system-services/
rtkit /usr/share/dbus-1/system-services/org.freedesktop.RealtimeKit1.service
rtkit /usr/share/licenses/
rtkit /usr/share/licenses/rtkit/
rtkit /usr/share/licenses/rtkit/COPYING
rtkit /usr/share/licenses/rtkit/LICENSE
rtkit /usr/share/man/
rtkit /usr/share/man/man8/
rtkit /usr/share/man/man8/rtkitctl.8.gz
rtkit /usr/share/polkit-1/
rtkit /usr/share/polkit-1/actions/
rtkit /usr/share/polkit-1/actions/org.freedesktop.RealtimeKit1.policy
* package version(s) rtkit 0.11-1.hyperbola1
* config and/or log files etc.
Jun 26 10:41:50 gnu mtp-probe: checking bus 1, device 8: "/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.4"
Jun 26 10:41:50 gnu mtp-probe: bus: 1, device: 8 was not an MTP device
Jun 26 10:44:44 gnu rtkit-daemon[3059]: Failed to look up client: No such file or directory
Jun 26 10:44:44 gnu rtkit-daemon[3059]: Failed to look up client: No such file or directory
Jun 26 10:44:44 gnu rtkit-daemon[3059]: Failed to look up client: No such file or directory
Jun 26 10:44:44 gnu rtkit-daemon[3059]: Failed to look up client: No such file or directory
Jun 26 10:44:44 gnu rtkit-daemon[3059]: Failed to look up client: No such file or directory
Jun 26 10:44:44 gnu rtkit-daemon[3059]: Failed to look up client: No such file or directory
Jun 26 10:44:44 gnu rtkit-daemon[3059]: Failed to look up client: No such file or directory
Jun 26 10:44:44 gnu rtkit-daemon[3059]: Failed to look up client: No such file or directory
Jun 26 10:44:44 gnu rtkit-daemon[3059]: Failed to look up client: No such file or directory
Jun 26 10:44:44 gnu rtkit-daemon[3059]: Failed to look up client: No such file or directory
Jun 26 10:44:44 gnu rtkit-daemon[3059]: Failed to look up client: No such file or directory
Jun 26 10:44:44 gnu pulseaudio[4401]: [pulseaudio] bluez5-util.c: GetManagedObjects() failed: org.freedesktop.DBus.Error.ServiceUnknown: The name org.bluez was not provided by any .service files
Steps to reproduce:
Packages | Any | Bug Report | Medium | High | [notmuch-mutt] missing requirement | Researching | |
Task Description
Description: notmuch-mutt fails to compile without perl-mail-message which is missing in Hyperbola
Steps to reproduce: Install notmuch-mutt and try `notmuch-mutt` at the command line. Then install `perl-mail-message` from Arch and try again.
Packages | Any | Feature Request | Very Low | Medium | [minidlna] remove systemd file and add openrc support | Unconfirmed | |
Task Description
Description:
minidlna lacks openrc support and includes a systemd file
Additional info: none
Steps to reproduce:
$ sudo pacman -S minidlna
$ cat /usr/lib/systemd/system/minidlna.service
Packages | Any | Bug Report | Very Low | Medium | [clamtk] Gtk-WARNING **: Impossible to find the theme e... | Assigned | |
Task Description
Additional info: * package version
Repositorio : community
Nombre : clamtk
Versión : 5.24-1
Descripción : Easy to use, light-weight, on-demand virus scanner for Linux
systems
Arquitectura : any
URL : https://dave-theunsub.github.io/clamtk/
Licencias : GPL
Grupos : Nada
Provee : Nada
Depende de : clamav perl gtk2-perl perl-locale-gettext perl-libwww
perl-http-message perl-lwp-protocol-https perl-text-csv
perl-json python zenity desktop-file-utils gnome-icon-theme
cron
Dependencias opcionales : Nada
En conflicto con : Nada
Remplaza a : Nada
Tamaño de la descarga : 179,90 KiB
Tamaño de la instalación : 1378,00 KiB
Encargado : Levente Polyak <anthraxx@archlinux.org>
Fecha de creación : sáb 19 nov 2016 20:25:20 -05
Validado por : Suma MD5 Suma SHA-256 Firma
* config and/or log files etc.
$ clamtk
Gtk-WARNING **: Imposible encontrar el motor de temas en la ruta al _modulo: «clearlooks», at /usr/lib/perl5/vendor_perl/ClamTk/GUI.pm line 35.
Steps to reproduce:
* Install clamtk in any version
Packages | Any | Bug Report | Very Low | High | groff: package not built with URW fonts properly or suc... | Unconfirmed | |
Task Description
Description:
groff is a typesetting system similar to TeX/LaTeX; however, it is very small and very usable. It is not built properly with URW fonts, or such fonts are missing; I cannot know all the details. Overall, the groff package is basically somehow broken.
It should depend on proper fonts, and such fonts should already be built, including their Unicode versions.
The package is only partially built.
Packages | Any | Implementation Request | Very Low | Medium | [nnn] package request | Unconfirmed | |
Task Description
This is a request to package nnn - a full-featured terminal file manager for low-end devices and the regular desktop.
nnn is available on Debian, Ubuntu (and family), Fedora, OpenSUSE and Arch Linux.
Homepage: https://github.com/jarun/nnn
License: BSD 2-Clause
I would highly appreciate if nnn can be added to the repository.
Packages | Any | Freedom Issue | Very Low | Low | [arm-unknown-linux-gnueabi-gcc] not working; needs prop... | Unconfirmed | |
Task Description
Description: I believe the arm-unknown-linux-gnueabi-gcc package to be broken as described here.
Additional info: * package version(s) - arm-unknown-linux-gnueabi-gcc - all versions
Steps to reproduce: I don’t think “steps to reproduce” are relevant in this case. My forum topic linked above already contains all the necessary info on the subject :) However, one could try compiling glibc and busybox as described here. Yes, these are instructions for Debian-like systems; they have to be adapted accordingly.
Packages | Any | Implementation Request | Very Low | Medium | Support of MPTCP (Multipath TCP) on Hyperbola | Unconfirmed | |
Task Description
Patch for 4.9 : https://multipath-tcp.org/patches/mptcp-v4.9-c88d1d56809e.patch
AUR : https://aur.archlinux.org/packages/linux-mptcp/
Packages | Any | Implementation Request | Very Low | High | Add MPTCP (MultiPath TCP) to Hyperbola | Unconfirmed | |
Task Description
https://aur.archlinux.org/packages/linux-mptcp/
Kernel Patch for 4.9 : http://multipath-tcp.org/patches/mptcp-v4.9-c88d1d56809e.patch
Compile : https://multipath-tcp.org/pmwiki.php/Users/DoItYourself
Packages | Any | Implementation Request | Low | Low | [opmsg] add new package | Researching | |
Task Description
Description: opmsg is a replacement for gpg which can encrypt/sign/verify your mails or create/verify detached signatures of local files. Even though the opmsg output looks similar, the concept is entirely different.
Additional info: https://aur.archlinux.org/packages/opmsg/
Packages | Any | Implementation Request | Very Low | Low | [xfce4-alsa-plugin] add package | Unconfirmed | |
Task Description
Please add xfce4-alsa-plugin (to get rid of the pulseaudio plugin on Xfce).
License: GPL3
https://aur.archlinux.org/packages/xfce4-alsa-plugin/
https://github.com/equeim/xfce4-alsa-plugin
Packages | Any | Bug Report | Very Low | Medium | [slim] login screen not displaying correctly | Assigned | |
Task Description
It worked fine on the previous version of Hyperbola. The word user/username does not show up. A workaround is to wait 10 seconds and enter the username and click enter - then it will switch correctly to the password screen (otherwise you need to enter the username and password at least twice in order to successfully login).
Packages | Any | Bug Report | Very Low | Medium | [openrc] cannot load fuse at boot | Unconfirmed | |
Task Description
I added modules="fs-fuse" to /etc/conf.d/modules (and also "fuse" instead).
I looked in /var/log/rc.log and I see this line:
modprobe: FATAL: Module fs-fusetun not found in directory /lib/modules/4.9.194-gnu-1-lts
It looks like modprobe added "tun" to the filename, which prevents loading the module.
Packages | Any | Bug Report | Very Low | Medium | [exfat-utils] filesystem can only be mounted manually | Unconfirmed | |
Task Description
One can mount exfat by running commands such as "sudo modprobe fuse" and "sudo mount.exfat /dev/sdc1 /mnt/storage", but it is inconvenient.
Also, loading fuse at startup is problematic - see here:
https://issues.hyperbola.info/index.php?do=details&task_id=1433
Packages | Any | Feature Request | Medium | High | [supervisor] contains systemd unit file | In Progress | |
Task Description
The Arch version of “supervisor” from the snapshot used by Hyperbola comes with systemd support. Since Hyperbola follows a global ruleset for INIT freedom, removal of the systemd unit files is required, along with adding support for other init systems (OpenRC preferred for now) to replace them.
Packages | Any | Bug Report | Very Low | Critical | [system-config-printer] Impossible to print some pdfs (... | Assigned | |
Task Description
Hello,
I’m unable to print some PDFs on my Hyperbola 3.0 system. Some background:
cups is installed, the service is enabled and working; system-config-printer is installed and my printer has been correctly added.
I can print most PDFs and text files, but recently one PDF failed to print.* system-config-printer returned the following error (see capture):
Printer "EPSON XP-620-Series" requires the '/usr/lib/cups/filters/epson-escpr-wrapper' but it is not currently installed.
Currently, “epson-escpr-wrapper” is installed, but it is in:
/usr/libexec/cups/filters/epson-escpr-wrapper
Looking at the source code of system-config-printer, it expects that wrapper to be installed in “/usr/lib/”, so I tried to symlink “epson-escpr-wrapper” into “/usr/lib/cups/filters”, but it doesn’t work.
*With a Debian system and the exact same configuration, the “problematic” PDF prints just fine, so it is not an issue with the PDF.
Packages | Any | Update Request | Very Low | Medium | [lmms] update package version to 1.2.0 | Unconfirmed | |
Task Description
In the latest version there are many more changes, with new and improved features, and fixes for functional issues since it was released in preview stage (eight times over the past three years)[1]. It is also possible to rebuild the package with sndio.
[1]: https://github.com/LMMS/lmms/releases/ (see all sections below from 1.2.0-RC1 to 1.2.0 in the version history releases)
Packages | Any | Bug Report | Very Low | High | [rubyripper] GUI doesn't work | Unconfirmed | |
Task Description
rrip_gui does not work. The fix is to install cairo-gobject which is not in the repos. Attached is a working PKGBUILD adapted from the official one.
Packages | Any | Implementation Request | Very Low | Medium | [SPF][postfix] implement pypolicyd-spf and postfix-poli... | Unconfirmed | |
Task Description
Description: Hyperbola has the following SPF implementations:
* libspf2
* perl-mail-spf
* perl-mail-spf-query
However, none of them work out of the box with postfix. There’s postfix-policyd-spf-perl, which uses one of the current Perl implementations (perl-mail-spf), takes no time to build, and all its dependencies are already satisfied with Hyperbola’s packages.
Here I made a PKGBUILD that’s compliant with the packaging standards:
pkgname=postfix-policyd-spf-perl
pkgver=2.011
pkgrel=1
pkgdesc='Postfix SPF policy engine, written in Perl'
arch=(i686 x86_64)
url='https://launchpad.net/postfix-policyd-spf-perl/'
license=(GPL)
depends=(perl-mail-spf perl-netaddr-ip perl-sys-hostname-long)
# Upstream tarball plus its detached PGP signature (.asc)
source=("https://launchpad.net/postfix-policyd-spf-perl/trunk/${pkgver}/+download/${pkgname}-${pkgver}.tar.gz"{,.asc})
# 'SKIP' for the .asc: it is verified by signature, not by checksum
sha512sums=('22fc00bf74912056a67e937a460ac1fd878f1cb1a3bfa7b19bc5f1e6bc1c36d815dcf8c945e818d242ed5e72a6295bb0e1569446e06b09aefb2842993b8016ba'
            'SKIP')
validpgpkeys=(E7729BFFBE85400FEEEE23B178D7DEFB9AD59AF1) # Scott Kitterman
package() {
  cd "${pkgname}-${pkgver}"
  # Policy daemon goes alongside Postfix's own daemons under /usr/libexec/postfix
  install -Dm755 "${pkgname}" "${pkgdir}/usr/libexec/postfix/${pkgname}"
  install -Dm644 CHANGES INSTALL README -t "${pkgdir}/usr/share/doc/${pkgname}"
  install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
}
On the other hand, to give users the possibility of having more options, we could add pypolicyd-spf (AUR), which depends on pyspf (AUR) and other packages that Hyperbola has. In fact, the ArchWiki talks about this implementation, but this might not be relevant.
Packages | Any | Implementation Request | Very Low | Low | [emacs-exwm] add package | Assigned | |
Task Description
Some users use emacs as a tiling window manager. Please add EXWM[0]
[0]: https://github.com/ch11ng/exwm
Packages | Any | Implementation Request | Very Low | Low | [SafeEyes] add new package | Assigned | |
Task Description
Safe Eyes is a program to manage breaks in front of the computer. It has many features that help us adapt it to our needs.
Packages | Any | Security Issue | Medium | Critical | [libjpeg-turbo] CVE-2019-2201 | Researching | |
Task Description
In generate_jsimd_ycc_rgb_convert_neon of jsimd_arm64_neon.S, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution in an unprivileged process with no additional execution privileges needed. User interaction is needed for exploitation.
https://security-tracker.debian.org/tracker/CVE-2019-2201
Patch: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/388
Packages | Any | Update Request | Very Low | High | [mpv] request for package bump | Unconfirmed | |
Task Description
Hello,
Would it be possible to get a package bump for mpv?
Currently, Debian Buster (stable) uses 0.29.1-1. This would be great as it introduces many fixes and support for Lua scripts I heavily use. 0.29.* requires ffmpeg from the 4.x series as well.
Thanks.
Packages | Any | Freedom Issue | Very Low | Low | [gnome] Complete removal of desktop-environment | Unconfirmed | |
Task Description
Description: As Gnome has decided against following libre, free principles, the desktop environment has become a risk for the privacy and freedom of users. This means that the desktop environment with all its basic packages should be removed. Of course the final decision is up to the community and the development team. Further reasons for this view follow:
* Bloated with questionable dependencies (including mandatory systemd)
* Using proprietary services, a high risk for the freedom and privacy of users (https://i.stack.imgur.com/yZcyV.png)
* Coming up with questionable and vague principles, against software freedom as a whole (inclusion of flatpak and flathub as so-called standardization for distributions, discussions about proprietary software included within the software center)
Additional info for packages:
gnome-backgrounds gnome-calculator gnome-contacts gnome-control-center gnome-dictionary gnome-disk-utility gnome-font-viewer gnome-keyring gnome-screenshot gnome-session gnome-settings-daemon gnome-shell gnome-shell-extensions gnome-system-monitor gnome-terminal gnome-themes-standard gnome-user-docs gnome-user-share grilo-plugins
Packages | Any | Security Issue | Very Low | Medium | Download debian-fixes instead of relying on external so... | Unconfirmed | |
Task Description
It happened already with minetest and again with prosody: when trying to build one's own packages with makepkg, patches are downloaded from the Debian project. But the given HTTP(S) sources are no longer available; a concrete example within prosody: https://deb.debian.org/debian/pool/main/p/prosody/prosody_0.10.2-1~bpo9+1.debian.tar.xz (not available)
Please don’t rely on those external sources when creating PKGBUILD files, or at least give users the possibility of a secure and guaranteed download. As it stands, I cannot build prosody on my own now!
Packages | Any | Privacy Issue | Very Low | Critical | [bleachbit] needs to be adapted to UXP applications | Assigned | |
Task Description
The current version of BleachBit needs to be adapted so it can clean the new .cache/hyperbola/ directory.
Packages | Any | Security Issue | Very Low | Critical | [unbound] Multiple CVEs | Assigned | |
Task Description
https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/
[Critical] https://security-tracker.debian.org/tracker/CVE-2019-18934
Packages | Any | Bug Report | Very Low | Low | Xenocara xbacklight bug | Unconfirmed | |
Task Description
When I try to set the brightness on my screen with xbacklight -set 100,
it does this:
No outputs have backlight property
and it doesn’t really matter if I set it lower than 100 or to what it currently is at.
Fix when you can please!
Packages | Any | Bug Report | Very Low | Low | lightdm/lxdm bug | Unconfirmed | |
Task Description
When I plug in my Libreboot X200 laptop, it appears to dim the screen, and when it's unplugged, the screen is bright again. Something peculiar is at work; I wondered if this could be fixed.
My assumption is that it is related to lxdm or lightdm. Any thoughts?
I am currently using 0.4, so I don’t expect this to be a fast process, just when you get a chance, okay?
Packages | Any | Freedom Issue | Very Low | Low | [hedgewars] Crash when starting a new singleplayer-camp... | Unconfirmed | |
Task Description
When trying to start a new campaign the complete game-engine is crashing with the following message:
Object::disconnect: Unexpected null parameter
QCoreApplication::postEvent: Unexpected null receiver
As ghc and fpc should be removed in the near future it would be good to validate this or otherwise remove the game-package itself also.
Packages | Any | Security Issue | Very Low | High | [tigervnc] Multiple CVE | Researching | |
Task Description
https://www.openwall.com/lists/oss-security/2019/12/20/2
“This is a security release to fix a number of issues that were found by Kaspersky Lab. These issues affect both the client and server and could theoretically allow a malicious peer to take control over the software on the other side.”
Packages | Any | Security Issue | Very Low | Critical | [opensmtpd] CVE-2020-8794 | Unconfirmed | |
Task Description
Description:
https://www.openwall.com/lists/oss-security/2020/02/24/5
https://www.bleepingcomputer.com/news/security/new-critical-rce-bug-in-openbsd-smtp-server-threatens-linux-distros/
Qualys Security Advisory
LPE and RCE in OpenSMTPD’s default install (CVE-2020-8794)
We discovered a vulnerability in OpenSMTPD, OpenBSD’s mail server. This vulnerability, an out-of-bounds read introduced in December 2015 (commit 80c6a60c, “when peer outputs a multi-line response ...”), is exploitable remotely and leads to the execution of arbitrary shell commands: either as root, after May 2018 (commit a8e22235, “switch smtpd to new grammar”); or as any non-root user, before May 2018.
Because this vulnerability resides in OpenSMTPD’s client-side code (which delivers mail to remote SMTP servers), we must consider two different scenarios:
- Client-side exploitation: This vulnerability is remotely exploitable
in OpenSMTPD's (and hence OpenBSD's) default configuration. Although
OpenSMTPD listens on localhost only, by default, it does accept mail
from local users and delivers it to remote servers. If such a remote
server is controlled by an attacker (either because it is malicious or
compromised, or because of a man-in-the-middle, DNS, or BGP attack --
SMTP is not TLS-encrypted by default), then the attacker can execute
arbitrary shell commands on the vulnerable OpenSMTPD installation.
- Server-side exploitation: First, the attacker must connect to the
OpenSMTPD server (which accepts external mail) and send a mail that
creates a bounce. Next, when OpenSMTPD connects back to their mail
server to deliver this bounce, the attacker can exploit OpenSMTPD's
client-side vulnerability. Last, for their shell commands to be
executed, the attacker must (to the best of our knowledge) crash
OpenSMTPD and wait until it is restarted (either manually by an
administrator, or automatically by a system update or reboot).
We developed a simple exploit for this vulnerability and successfully tested it against OpenBSD 6.6 (the current release), OpenBSD 5.9 (the first vulnerable release), Debian 10 (stable), Debian 11 (testing), and Fedora 31.
The fix is delivered in OpenSMTPD 6.6.4p1, available here, which the developer recommends installing “AS SOON AS POSSIBLE.”