| Summary: | upx new security issue CVE-2017-15056 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | herman.viaene, jackal.j, lists.jjorge, marja11, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-64-OK | ||
| Source RPM: | upx-3.91-4.mga6.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2017-10-15 17:00:02 CEST
Assigning to all packagers collectively, since it has no registered maintainer.

CC: (none) => marja11

openSUSE updated from 3.91 to 3.94 (on October 19):
https://lists.opensuse.org/opensuse-updates/2017-10/msg00065.html

That suggests to me that 3.91 is affected.

Whiteboard: (none) => MGA6TOO, MGA5TOO

The issue: https://github.com/upx/upx/issues/128
Upstream has patched this issue: https://github.com/upx/upx/commit/ef336dbcc6dc8344482f8cf6c909ae96c3286317

CC: (none) => jackal.j
Jack M
2017-10-21 19:35:29 CEST
Assignee: pkg-bugs => jackal.j

Jack and José are working on this and have uploaded updated packages for Mageia 5, Mageia 6, and Cauldron. I'll see if they want to take a crack at the advisory.

CC: (none) => lists.jjorge
Jack M
2017-10-22 21:24:58 CEST
Assignee: jackal.j => qa-bugs

Advisory:
========================

Updated upx package fixes security vulnerability:

p_lx_elf.cpp in UPX 3.94 mishandles ELF headers, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by an Invalid Pointer Read in PackLinuxElf64::unpack() (CVE-2017-15056).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15056
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RJRF5BAMX5AS2PZ2P56VA2XW6ZXF7VOV/
========================

Updated packages in core/updates_testing:
========================
upx-3.94-1.mga5
upx-3.94-1.mga6

from SRPMS:
upx-3.94-1.mga5.src.rpm
upx-3.94-1.mga6.src.rpm

MGA5-32 on Asus A6000VM Xfce
No installation issues.
Copied thunar executable to my ~/Documenten and then at CLI:
]$ upx thunar
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2017
UPX 3.94 Markus Oberhumer, Laszlo Molnar & John Reiser May 12th 2017
File size Ratio Format Name
-------------------- ------ ----------- -----------
873204 -> 308460 35.33% linux/i386 thunar
Packed 1 file.
then
$ ./thunar
worked OK
and
$ upx -t thunar
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2017
UPX 3.94 Markus Oberhumer, Laszlo Molnar & John Reiser May 12th 2017
testing thunar [OK]
Tested 1 file.
$ upx -l thunar
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2017
UPX 3.94 Markus Oberhumer, Laszlo Molnar & John Reiser May 12th 2017
File size Ratio Format Name
-------------------- ------ ----------- -----------
873204 -> 308460 35.33% linux/i386 thunar
This seems all OK

CC: (none) => herman.viaene

mga5::x86_64 Mate desktop

Three POCs available from https://github.com/upx/upx/issues/128, meant to be run in the ASAN framework (!!). Here the before update tests produced these results from the commands:

$ upx -d -o /dev/null -f POC{1,2,3}
"upx: POC1: EOFException: premature end of file"
ASAN result: READ of size 4 - ABORTING
"upx: POC2: IOException: seek error: Invalid argument"
ASAN result: DEADLYSIGNAL - SEGV - ABORTING
No apparent error for POC3 - "Unpacked 1 file"
ASAN result: DEADLYSIGNAL - SEGV - ABORTING

After update:
Following Herman's lead in comment 6.
Installed Thunar and copied /bin/thunar to ~/test/
$ upx thunar
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2017
UPX 3.94 Markus Oberhumer, Laszlo Molnar & John Reiser May 12th 2017
File size Ratio Format Name
-------------------- ------ ----------- -----------
793912 -> 286444 36.08% linux/amd64 thunar
Packed 1 file.
$ ./thunar
Compressed file launched the gui.
$ upx -l thunar
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2017
UPX 3.94 Markus Oberhumer, Laszlo Molnar & John Reiser May 12th 2017
File size Ratio Format Name
-------------------- ------ ----------- -----------
793912 -> 286444 36.08% linux/amd64 thunar
Check the compressed size:
$ ls -l thunar
-rwxr-xr-x 1 lcl lcl 286444 Oct 24 15:38 thunar*
$ ls -l /bin/thunar
-rwxr-xr-x 1 root root 793912 Feb 12 2016 /bin/thunar*
Both as stated. The process can be reversed OK.
$ upx -d thunar
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2017
UPX 3.94 Markus Oberhumer, Laszlo Molnar & John Reiser May 12th 2017
File size Ratio Format Name
-------------------- ------ ----------- -----------
793912 <- 286444 36.08% linux/amd64 thunar
Unpacked 1 file.
$ ./thunar
This still works.

POC tests:
upx: POC1: FileAlreadyExistsException: /dev/null: File exists
upx: POC2: FileAlreadyExistsException: /dev/null: File exists
upx: POC3: FileAlreadyExistsException: /dev/null: File exists
Tried this:
$ upx -d -o squerk POC
upx: POC1: CantUnpackException: bad e_phoff
upx: POC2: CantUnpackException: bad e_phoff
upx: POC3: CantUnpackException: bad e_phoff
Those look acceptable. Good for 64 bits.

CC: (none) => tarazed25
Len Lawrence
2017-10-24 17:01:03 CEST
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA5-64-OK

mga6::x86_64 Mate

Ran the POC tests before and after the update with identical results as reported in comment 7. Used a dummy file throughout rather than /dev/null.

$ upx -V
upx 3.94
UCL data compression library 1.03
zlib data compression library 1.2.11
LZMA SDK version 4.43
Copyright (C) 1996-2017 Markus Franz Xaver Johannes Oberhumer
Copyright (C) 1996-2017 Laszlo Molnar
Copyright (C) 2000-2017 John F. Reiser
Copyright (C) 2002-2017 Jens Medoch
Copyright (C) 1995-2005 Jean-loup Gailly and Mark Adler
Copyright (C) 1999-2006 Igor Pavlov
UPX comes with ABSOLUTELY NO WARRANTY; for details type 'upx -L'.

Copied thunar from /bin as a test object and carried out the same sequence of tests as in comments 6 and 7 with virtually identical results. This is good for 64 bits.
Len Lawrence
2017-10-24 17:46:55 CEST
Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-64-OK

Advisory uploaded, validating.

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2017-0389.html

Status: NEW => RESOLVED
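
Added example, not part of the bug thread and not UPX's own code: a standalone C check of the kind the post-update "bad e_phoff" rejections point to, confirming that an ELF64 file's program header table lies inside the file before anything dereferences it. The function names, the other reason strings and the sample headers are assumptions constructed for illustration; only the "bad e_phoff" wording comes from the test output above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { EHDR64_SIZE = 64, PHDR64_SIZE = 56 }; /* fixed sizes in the ELF64 format */

/* Read little-endian fields byte by byte instead of casting the buffer. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint64_t rd64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* NULL if the program header table lies inside the file, else the reason. */
const char *check_elf64_phdrs(const uint8_t *buf, size_t len) {
    if (len < EHDR64_SIZE) return "truncated header";
    if (memcmp(buf, "\x7f" "ELF", 4) != 0) return "bad magic";
    if (buf[4] != 2 || buf[5] != 1) return "not ELF64 little-endian";
    uint64_t e_phoff = rd64(buf + 32);
    uint16_t e_phentsize = rd16(buf + 54);
    uint16_t e_phnum = rd16(buf + 56);
    if (e_phentsize != PHDR64_SIZE) return "bad e_phentsize";
    if (e_phoff < EHDR64_SIZE || e_phoff > len) return "bad e_phoff";
    /* Compare against the remaining bytes so the sum cannot wrap. */
    if ((uint64_t)e_phnum * PHDR64_SIZE > len - e_phoff) return "bad e_phnum";
    return NULL;
}

/* Constructed sample: an otherwise empty ELF64 header with chosen fields. */
void make_sample(uint8_t *buf, size_t len, uint64_t phoff, uint16_t phnum) {
    memset(buf, 0, len);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 2; buf[5] = 1;                       /* ELFCLASS64, ELFDATA2LSB */
    for (int i = 0; i < 8; i++) buf[32 + i] = (uint8_t)(phoff >> (8 * i));
    buf[54] = PHDR64_SIZE;
    buf[56] = (uint8_t)phnum; buf[57] = (uint8_t)(phnum >> 8);
}

int main(void) {
    uint8_t f[256];
    make_sample(f, sizeof f, 64, 2);
    const char *r = check_elf64_phdrs(f, sizeof f);
    printf("sane header: %s\n", r ? r : "ok");
    make_sample(f, sizeof f, 0xFFFFFFFFFFFFFF00ULL, 2);
    r = check_elf64_phdrs(f, sizeof f);
    printf("wild e_phoff: %s\n", r ? r : "ok");
    return 0;
}
```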