1

Topic: [Hyperbola] Current security-threads overview

Hello all,

In this thread we would like to introduce an overview of currently reported threats and how they affect Hyperbola. We will start with a current report about a severe issue in newer versions of glibc:

CVE-2023-6779 (glibc): This vulnerability involves an off-by-one heap-based buffer overflow in the __vsyslog_internal() function.
CVE-2023-6780 (glibc): This is an integer overflow issue in the __vsyslog_internal() function.

Conclusion based also on this article as source: Hyperbola is not affected as our version of glibc is 2.30.

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!

2

Re: [Hyperbola] Current security-threads overview

CVE-2022-24300: Our minetest-version has patches for this reported issue.

CVE-2022-24301: Our minetest-version has patches for this reported issue.

CVE-2022-35978: Our minetest version does not have any patch for this reported issue. A backport would be possible and was tested; see the conclusion for further annotations.

Conclusion: As minetest is going in a completely different direction, Hyperbola has decided to no longer provide any packaged version. Ports done by the community are surely welcome, but minetest will no longer be part of the Hyperbola repositories.

3

Re: [Hyperbola] Current security-threads overview

CVE-2024-24806:
Improper Domain Lookup that potentially leads to SSRF attacks

Conclusion: We update our libuv to comply!

4

Re: [Hyperbola] Current security-threads overview

CVE-2023-50387 and CVE-2023-50868: https://www.isc.org/blogs/2024-bind-security-release/, fixed in 9.16.48
(Thanks to heckyel for reporting!)

Conclusion: Package bind will be updated accordingly!

5

Re: [Hyperbola] Current security-threads overview

CVE-2021-44847: A stack-based buffer overflow in handle_request function in DHT.c in toxcore 0.1.9 through 0.1.11 and 0.2.0 through 0.2.12 (caused by an improper length calculation during the handling of received network packets) allows remote attackers to crash the process or potentially execute arbitrary code via a network packet.

Conclusion: Our version is not vulnerable.

6

Re: [Hyperbola] Current security-threads overview

CVE-2023-46724, CVE-2023-46846, CVE-2023-46847, CVE-2023-49285: Several security vulnerabilities have been discovered in Squid, a full featured web proxy cache. Due to programming errors in Squid's HTTP request parsing, remote attackers may be able to execute a denial of service attack by sending a large X-Forwarded-For header or trigger a stack buffer overflow while performing HTTP Digest authentication. Other issues facilitate request smuggling past a firewall or a denial of service against Squid's Helper process management.

Conclusion: We will upgrade and patch our squid.

7

Re: [Hyperbola] Current security-threads overview

CVE-2023-29132: Irssi 1.3.x and 1.4.x before 1.4.4 has a use-after-free because of use of a stale special collector reference. This occurs when printing of a non-formatted line is concurrent with printing of a formatted line.

Conclusion: We upgrade our packaged version of irssi to 1.4.5.

8

Re: [Hyperbola] Current security-threads overview

CVE-2024-3094: Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

Conclusion: Our version of xz is not affected.

9

Re: [Hyperbola] Current security-threads overview

More to read about the xz issue: https://boehs.org/node/everything-i-kno … z-backdoor

No, our libarchive is also not affected. Our version is from 2020; the version with suspicious commits done to weaken security is from 2021 and beyond.

10

Re: [Hyperbola] Current security-threads overview

General annotation: The package dillo will be reworked, as the URL dillo.org is no longer under the control of the project team. Nevertheless, the URL is widely used for that package and project. The project team has written a clear article about their perspective: https://dillo-browser.github.io/dillo.org.html

Also a direct note from us: please always be careful. Surely we track the security issues and the situation here. But it is also better to stay critical about packages from elsewhere: not necessarily about sources first, but about websites for sure. This example is a light one, as there are mostly spam articles mixed into a WordPress blog now on dillo.org. But this can also be much more severe, for example when used as a honeypot, in that case just to collect metadata on visitors' first visit or even more.

Conclusion: We will use the new address as soon as possible.

11

Re: [Hyperbola] Current security-threads overview

CVE-2024-38428: url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.

Conclusion: We will patch our current version of wget.


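As an added illustration of the class of bug CVE-2024-38428 describes above (example code, not wget's own url.c): an authority parser following RFC 3986, where the userinfo subcomponent runs up to the '@' and may contain sub-delimiters such as ';', so a semicolon can never be misread as the start of the host. The sample URLs in the comments are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Pieces of the authority component, copied out as NUL-terminated strings. */
struct authority {
    char userinfo[256];
    char host[256];
    char port[8];
};

/* Parse "scheme://[userinfo@]host[:port]..." per RFC 3986 section 3.2.
 * The authority ends at the first '/', '?' or '#'. Everything before an
 * '@' inside the authority is userinfo, whatever sub-delimiters (';', '!',
 * ...) it contains; only the part after the '@' is the host.
 * Constructed sample: "http://user;name@host.example:8080/p" yields
 * userinfo "user;name", host "host.example", port "8080".
 * Returns 0 on success, -1 if there is no authority or a field is too long.
 * IPv6 literals in brackets are not handled by this small example. */
int parse_authority(const char *url, struct authority *out)
{
    memset(out, 0, sizeof *out);
    const char *p = strstr(url, "://");
    if (!p)
        return -1;
    p += 3;
    size_t alen = strcspn(p, "/?#");      /* length of the authority */
    const char *hostpart = p;
    size_t hostlen = alen;

    /* Search for '@' only within the authority, never in path or query,
     * so "http://host.example/a@b" has no userinfo at all. */
    const char *at = memchr(p, '@', alen);
    if (at) {
        size_t ulen = (size_t)(at - p);
        if (ulen >= sizeof out->userinfo)
            return -1;
        memcpy(out->userinfo, p, ulen);
        hostpart = at + 1;
        hostlen = alen - ulen - 1;
    }

    /* Split off an optional ":port" from the host. */
    const char *colon = memchr(hostpart, ':', hostlen);
    size_t hlen = colon ? (size_t)(colon - hostpart) : hostlen;
    if (hlen >= sizeof out->host)
        return -1;
    memcpy(out->host, hostpart, hlen);
    if (colon) {
        size_t plen = hostlen - hlen - 1;
        if (plen >= sizeof out->port)
            return -1;
        memcpy(out->port, colon + 1, plen);
    }
    return 0;
}
```
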
12

Re: [Hyperbola] Current security-threads overview

CVE-2024-24577: libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2.

Conclusion: We will update our current version of libgit2 to version 1.7.2.

13

Re: [Hyperbola] Current security-threads overview

CVE-2024-23770: darkhttpd through 1.15 allows local users to discover credentials (for --auth) by listing processes and their arguments.

CVE-2024-23771: darkhttpd before 1.15 uses strcmp (which is not constant time) to verify authentication, which makes it easier for remote attackers to bypass authentication via a timing side channel.

Conclusion: We will update our current version of darkhttpd to version 1.16.


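As an added example for the darkhttpd CVE-2024-23771 entry above (not darkhttpd's code): the strcmp-based check beside a constant-time replacement, plus a small model that counts how many bytes an early-exit comparison examines, which is the quantity a timing side channel exposes. The secret "hunter2" used in the comments is a constructed sample.

```c
#include <stddef.h>
#include <string.h>

/* Vulnerable pattern described by CVE-2024-23771: strcmp() stops at the
 * first differing byte, so the time it takes depends on how many leading
 * bytes of the supplied guess agree with the secret. */
int auth_check_strcmp(const char *expected, const char *supplied)
{
    return strcmp(expected, supplied) == 0;
}

/* Instrumented model of that early exit: returns how many bytes are
 * examined before the answer is known. For the constructed secret
 * "hunter2", the guess "abcdefg" is decided after 1 byte while "hunter1"
 * needs 7, and that difference is what shows up as elapsed time. */
size_t bytes_examined_early_exit(const char *expected, const char *supplied)
{
    size_t n = 0;
    for (;; n++) {
        if (expected[n] != supplied[n] || expected[n] == '\0')
            return n + 1;
    }
}

/* Hardened replacement: visits every byte of the supplied value, merges
 * differences with OR instead of branching on them, and folds a length
 * mismatch into the result rather than returning early. The loop bound is
 * the attacker-supplied length, so the work done does not depend on where
 * the first mismatch is. (The i < elen test still keys on the secret's
 * length; comparing fixed-length digests of both values removes even that.) */
int auth_check_consttime(const char *expected, const char *supplied)
{
    size_t elen = strlen(expected);
    size_t slen = strlen(supplied);
    unsigned char diff = (unsigned char)(elen != slen);
    for (size_t i = 0; i < slen; i++) {
        unsigned char e = (i < elen) ? (unsigned char)expected[i] : 0;
        diff |= e ^ (unsigned char)supplied[i];
    }
    return diff == 0;
}
```
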
14

Re: [Hyperbola] Current security-threads overview

CVE-2024-6655: A flaw was found in the GTK library. Under certain conditions, it is possible for a library to be injected into a GTK application from the current working directory.

Conclusion: We will patch our packages gtk and gtk2.

15

Re: [Hyperbola] Current security-threads overview

CVE-2024-39936: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed.

Conclusion: We will patch our package qt-base.

16

Re: [Hyperbola] Current security-threads overview

CVE-2023-36328: Integer Overflow vulnerability in mp_grow in libtom libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to execute arbitrary code and cause a denial of service (DoS).

Conclusion: We will patch our package libtommath.

17

Re: [Hyperbola] Current security-threads overview

CVE-2021-41816: CGI.escape_html in Ruby before 2.7.5 and 3.x before 3.0.3 has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. This also affects the CGI gem before 0.3.1 for Ruby.

CVE-2021-41817: Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.

Conclusion: We will patch our package ruby and have already backported patchsets.

18

Re: [Hyperbola] Current security-threads overview

CVE-2022-24836: Nokogiri is a XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue.

Conclusion: We will patch our package ruby-nokogiri.

19

Re: [Hyperbola] Current security-threads overview

CVE-2023-52890: NTFS-3G before 75dcdc2 has a use-after-free in ntfs_uppercase_mbs in libntfs-3g/unistr.c. NOTE: discussion suggests that exploitation would be challenging.

Conclusion: We will patch our package ntfs-3g and have backported the fix.

20

Re: [Hyperbola] Current security-threads overview

CVE-2024-41957: Vim is a command line text editor. Vim < v9.1.0647 has a double free in src/alloc.c:616. When closing a window, the corresponding tagstack data will be cleared and freed. However, a bit later, the quickfix list belonging to that window will also be cleared, and if that quickfix list points to the same tagstack data, Vim will try to free it again, resulting in a double-free/use-after-free access exception. Impact is low since the user must intentionally execute vim with several non-default flags, but it may cause a crash of Vim. The issue has been fixed as of Vim patch v9.1.0647.

CVE-2024-43374: The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling. When adding a new file to the argument list, this triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed (including the window where it is shown), this causes the window structure to be freed, which contains a reference to the argument list that we are actually modifying. Once the autocommands are completed, the references to the window and argument list are no longer valid and as such cause a use-after-free. Impact is low since the user must intentionally add some unusual autocommands that wipe a buffer during creation (either manually or by sourcing a malicious plugin), but it will crash Vim. The issue has been fixed as of Vim patch v9.1.0678.

Conclusion: We will update our package vim to version 9.1.0707.

21

Re: [Hyperbola] Current security-threads overview

CVE-2024-7055: A vulnerability was found in FFmpeg up to 7.0.1. It has been classified as critical. This affects the function pnm_decode_frame in the library /libavcodec/pnmdec.c. The manipulation leads to heap-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Conclusion: We will update our package ffmpeg to version 4.4.5.

22

Re: [Hyperbola] Current security-threads overview

CVE-2024-43167: A NULL pointer dereference flaw was found in the ub_ctx_set_fwd function in Unbound. This issue could allow an attacker who can invoke specific sequences of API calls to cause a segmentation fault. When certain API functions such as ub_ctx_set_fwd and ub_ctx_resolvconf are called in a particular order, the program attempts to read from a NULL pointer, leading to a crash. This issue can result in a denial of service by causing the application to terminate unexpectedly.

Conclusion: We have backported a fix and patched our package unbound.

23

Re: [Hyperbola] Current security-threads overview

CVE-2024-9680: An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, Firefox ESR < 115.16.1, Thunderbird < 131.0.1, Thunderbird < 128.3.1, and Thunderbird < 115.16.0.

Conclusion: The security-threat does not apply to UXP and therefore not to iceweasel-uxp and icedove-uxp.

24

Re: [Hyperbola] Current security-threads overview

Generic: A generic warning about interpreter projects like Godot. As further details have now become clear, we can clearly state that we won't package and include any of those interpreter engines at any given time, especially not the framework named Godot. The reasoning behind this can be read here: https://research.checkpoint.com/2024/ga … e-loaders/

We can only warn about too much trust, even though the projects and packages are marked as "free and permissive". Nevertheless, never forget that they are running software, and the more complex it gets, the more problematic it can be.

Also verify the attack vectors, commonly known steps from recurring attacks:

  • Manipulated repositories: Attackers use widely known and used platforms like GitHub to create false or fake projects that include malicious code

  • Compromised dependencies: In this case malicious code is added within the libraries and frameworks that other projects are using

  • Social engineering: In some cases attacking groups and/or individuals first pretend to offer help and support for a project and, when they get more rights, such as to modify and add code, start adding their malicious actions

Free software is always based on trust, and therefore those attacks are very harmful for the future of free and libre software and culture. Also, the further analysis of this current threat shows exactly why Hyperbola as a project insists on a full package and software running only locally after installation. We do not plan to include any kind of software that sideloads further data after its installation without the user's knowledge, and we will always patch or remove packages (applications) that add such demands and features.

25

Re: [Hyperbola] Current security-threads overview

CVE-2022-0847: A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.

Conclusion: The security-threat does not apply to our system / kernel.
