Packages

The package is not compiled from source

The Battle for Wesnoth Project version 1.7.0 through 1.14.3 contains a Code Injection vulnerability in the Lua scripting engine that can result in code execution outside the sandbox. This attack appear to be exploitable via Loading specially-crafted saved games, networked games, replays, and player content.

https://security-tracker.debian.org/tracker/CVE-2018-1999023

Upstream patch: https://github.com/wesnoth/wesnoth/commit/d911268a783467842d38eae7ac1630f1fea41318

Description:

• The Arch version of Wesnoth from the snapshot used by Hyperbola comes with systemd support. Since Hyperbola follows the Init Freedom Campaign , systemd unit files removal is required or add OpenRC init scripts to replace it.

Additional info:
* package version(s)
* config and/or log files etc.

Repository      : community
Name            : wesnoth
Version         : 1.12.6-4
Description     : A turn-based strategy game on a fantasy world
Architecture    : x86_64
URL             : http://www.wesnoth.org/
Licenses        : GPL
Groups          : None
Provides        : None
Depends On      : sdl_ttf  sdl_net  sdl_mixer  sdl_image  fribidi  boost-libs  pango  lua52  wesnoth-data  dbus  python2
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 4.97 MiB
Installed Size  : 22.86 MiB
Packager        : Bartłomiej Piotrowski <bpiotrowski@archlinux.org>
Build Date      : Mon 02 Jan 2017 07:52:21 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

/usr/lib/systemd/system/wesnothd.service is owned by wesnoth 1.12.6-4
/usr/lib/tmpfiles.d/wesnothd.conf is owned by wesnoth 1.12.6-4

Steps to reproduce:

• Install package.

An external attacker is able to inject arbitrary cookie values cookie jar file,
adding new or replacing existing cookie values.
http://openwall.com/lists/oss-security/2018/05/06/1

Fixed in GNU Wget 1.19.5 or later.

https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

https://w1.fi/security/2017-1/

Arch just patched: https://www.archlinux.org/packages/core/i686/wpa_supplicant/

http://openwall.com/lists/oss-security/2018/04/30/1 http://openwall.com/lists/oss-security/2018/04/30/1 An attacker supplying a crafted CDROM image can read any file (or
device node) on the dom0 filesystem with the permissions of the qemu
devicemodel process. (The virtual CDROM device is read-only, so
no data can be written.)

http://openwall.com/lists/oss-security/2018/04/30/2 A malicious or buggy guest may cause a hypervisor crash, resulting in
a Denial of Service (DoS) affecting the entire host.

http://openwall.com/lists/oss-security/2018/05/11/1 A malicious unprivileged device model can cause a Denial of Service
(DoS) affecting the entire host. Specifically, it may prevent use of a
physical CPU for an indeterminate period of time.

http://openwall.com/lists/oss-security/2018/05/11/2

[critical]
A malicious or buggy HVM guest may cause a hypervisor crash, resulting
in a Denial of Service (DoS) affecting the entire host. Privilege
escalation, or information leaks, cannot be excluded.

Patches provided by upstream.

xmind when installed is showing that “this version is not licensed”, so that cannot be right. Even though there is GPL license on Github, that vague information in the software can and is wrongly understood:

Further it is asking for license key to get the “Pro” version.

Thus xmind is pointing to proprietary software.

That means xmind shall be removed from Hyperbola immediately as such as it is now cannot be in the fully free GNU distribution.

A Syriac typeface family series of Beth Mardutho’s Meltho is considered as non-libre/free because a licence forbids to modify[1], and should be removed immediately.

[1]: https://github.com/freedesktop/xorg-misc-meltho/raw/master/license.txt

Remove “xulrunner”[0][1] is unsecure/abandonware package

$ pacman -Si xulrunner
Repository : community
Name : xulrunner
Version : 41.0.2-10
Description : Mozilla Runtime Environment
Architecture : x86_64
URL : http://wiki.mozilla.org/XUL:Xul_Runner Licenses : MPL GPL LGPL Groups : None
Provides : None
Depends On : gtk2 mozilla-common nss>3.18 libxt hunspell startup-notification mime-types dbus-glib libpulse libevent libvpx icu python2
Optional Deps : None
Conflicts With : None
Replaces : xulrunner-oss
Download Size : 47.38 MiB
Installed Size : 171.99 MiB
Packager : Evangelos Foutras evangelos@foutrelis.com Build Date : Wed 26 Apr 2017 03:10:07 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://hearsum.ca/blog/mozilla-will-stop-producing-automated-builds-of-xulrunner-after-the-410-cycle.html [1]:https://tracker.debian.org/pkg/xulrunner

Severity: high

Versions affected:
1.6.0 through 1.7.0
Potentially, all earlier versions too, but there is no known way to
trigger this before 1.6.0

Mitigation:
upgrade to 1.7.1

Description:
ZNC before 1.7.1-rc1 does not properly validate untrusted lines coming
from the network, allowing a non-admin user to escalate privilege,
inject rogue values into znc.conf, and gain shell access.

Upstream patches:
https://github.com/znc/znc/commit/a7bfbd93812950b7444841431e8e297e62cb524e https://github.com/znc/znc/commit/d22fef8620cdd87490754f607e7153979731c69d

—

Severity: medium

Versions affected:
0.045 through 1.7.0

Mitigation:
upgrade to 1.7.1, or disable HTTP via `/msg *status AddPort`, `/msg
*status DelPort` commands.

Description:
ZNC before 1.7.1-rc1 is prone to a path traversal flaw. A non-admin user
can set web skin name to ../ to access files outside of the intended
skins directories and to cause DoS.

Upstream patch:
https://github.com/znc/znc/commit/a4a5aeeb17d32937d8c7d743dae9a4cc755ce773

gufw 17.04.1-3

Impossible to start application, error message :

FileNotFoundError: [Errno 2] Aucun fichier ou dossier de ce type: '/usr/sbin/ufw': '/usr/sbin/ufw'

/sbin/openrc-run: bad interpreter: No such file or directory

I get this error whenever I try to start dhcpcd with sv /etc/runit/

And for sndiod I get this doing the same guide,

warning: sndiod: unable to open supervise/ok: file does not exist

Although rather ironically, If I type sndiod or dhcpcd into root, it works just fine.

Maybe its an FHS issue or possibly, I am screwing up? I am not sure. Feedback is welcome.

This is what I did:

=⇒ Add a service:

ln -s /etc/sv/<service> /var/service
==> Start/stop/restart a service:
sv <start/stop/restart> <service>

more or less, I used this guide.

Adapt package in accordance with the Hyperbola Packaging Guidelines to follow the Hyperbola Social Contract .

Adapt package in accordance with the Hyperbola Packaging Guidelines to follow the Hyperbola Social Contract .

Description: Configuration file “syslinux.cfg” under /boot/syslinux/ has to be adjusted. Problem with kernel-images loaded and the concurrent booting device is per default configured to /dev/sda3. Kernel-images are named as “linux-libre” not “linux-libre-lts”.

There are issues with the current sndio-package as it seems not possible to get this to work with ALSA.

Adapt package in accordance with the Hyperbola Packaging Guidelines to follow the Hyperbola Social Contract .

Adapt package in accordance with the Hyperbola Packaging Guidelines to follow the Hyperbola Social Contract .

Adapt package in accordance with the Hyperbola Packaging Guidelines to follow the Hyperbola Social Contract .

Adapt package in accordance with the Hyperbola Packaging Guidelines to follow the Hyperbola Social Contract .

Rebuild package against libressl, since it depends on openssl.

$ pacman -Si aircrack-ng
Repository      : community
Name            : aircrack-ng
Version         : 1.2rc4-4
Description     : Key cracker for the 802.11 WEP and WPA-PSK protocols
Architecture    : x86_64
URL             : https://www.aircrack-ng.org
Licenses        : GPL2
Groups          : None
Provides        : aircrack-ng-scripts
Depends On      : openssl  sqlite  iw  net-tools  wireless_tools  ethtool
Optional Deps   : None
Conflicts With  : aircrack-ng-scripts
Replaces        : aircrack-ng-scripts
Download Size   : 375.88 KiB
Installed Size  : 1627.00 KiB
Packager        : Jonathan Steel <jsteel@archlinux.org>
Build Date      : Mon 27 Mar 2017 04:13:22 PM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

### Some context ###

I use hdajackretask on my G41M-ES2L motherboard (Libreboot)

Alsamixer doesn’t offer automute feature so every time I plug my headphones, the sound is playing by my speakers.
So to work around this, I use hdajackretask from alsa-tools package.

It allows to install a boot override to solve the issue.

Yesterday, I reinstalled Hyperbola on my system and the boot override because of missing /lib/firmware directory. (Although it was present before, something changed ?)

The error message was (I translate)

/mv: can't move '/tmp/hda-jack-retask-VH3KIZ/hda-jack-retask.fw' to /lib/firmware/hda-jack-retask.fw' No file or folder of this type

So I created a folder “firmware” in /lib/
and copied hda-jack-retask.fw in it.

Then I rebooted, 100% working.

I don’t know if the fix should apply to the PKGBUILD of alsa-tools (to create a /lib/firmware directory) or something else ?

Rebuild package against libressl, since it depends on openssl.

$ pacman -Si android-tools
Repository      : community
Name            : android-tools
Version         : 7.1.2_r6-1
Description     : Android platform tools
Architecture    : x86_64
URL             : http://tools.android.com/
Licenses        : Apache  MIT
Groups          : None
Provides        : None
Depends On      : openssl  pcre
Optional Deps   : python: for mkbootimg script
Conflicts With  : None
Replaces        : None
Download Size   : 202.90 KiB
Installed Size  : 611.00 KiB
Packager        : Anatol Pomozov <anatol.pomozov@gmail.com>
Build Date      : Mon 24 Apr 2017 11:39:51 PM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Rebuild package against libressl, since it depends on openssl.

$ pacman -Si apache
Repository      : extra
Name            : apache
Version         : 2.4.25-2.hyperbola2
Description     : A high performance Unix-based HTTP server, with OpenRC support
Architecture    : x86_64
URL             : https://www.apache.org/dist/httpd
Licenses        : APACHE
Groups          : None
Provides        : None
Depends On      : zlib  apr-util  pcre  libnghttp2  openssl
Optional Deps   : lua: for mod_lua module
                  libxml2: for mod_proxy_html, mod_xml2enc modules
                  lynx: apachectl status
Conflicts With  : None
Replaces        : None
Download Size   : 1436.89 KiB
Installed Size  : 5678.00 KiB
Packager        : André Silva <emulatorman@hyperbola.info>
Build Date      : Mon 25 Sep 2017 09:13:27 PM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Rebuild package against libressl, since it optdepends and makedepends on openssl.

$ pacman -Si apr-util
Repository      : extra
Name            : apr-util
Version         : 1.5.4-3
Description     : The Apache Portable Runtime
Architecture    : x86_64
URL             : http://apr.apache.org/
Licenses        : APACHE
Groups          : None
Provides        : None
Depends On      : apr  expat
Optional Deps   : gdbm: enable gdbm support
                  libldap: enable ldap support
                  unixodbc: enable odbc support
                  libmariadbclient: enable mysql/mariadb support
                  postgresql-libs: enable postgres support
                  db: enable berkley db support
                  sqlite: enable sqlite support
                  nss: enable nss crypto support
                  openssl: enable openssl crypto support
Conflicts With  : None
Replaces        : None
Download Size   : 153.32 KiB
Installed Size  : 609.00 KiB
Packager        : Jan de Groot <jgc@archlinux.org>
Build Date      : Thu 02 Mar 2017 07:29:09 PM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature