| Summary: | upx new security issues CVE-2019-1429[56] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, lists.jjorge, nicolas.salguero, sysadmin-bugs, tarazed25, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | upx-3.95-1.mga7.src.rpm | CVE: | CVE-2019-14295, CVE-2019-14296 |
| Status comment: | |||
Description
David Walser
2019-12-23 21:40:03 CET
David Walser
2019-12-23 21:40:19 CET
Whiteboard: (none) => MGA7TOO

No registered or evident maintainer for this pkg, so assigning globally.
CC'ing José as its last committer.

CC: (none) => lists.jjorge

Suggested advisory:
========================

The updated package fixes security vulnerabilities:

An Integer overflow in the getElfSections function in p_vmlinx.cpp in UPX 3.95 allows remote attackers to cause a denial of service (crash) via a skewed offset larger than the size of the PE section in a UPX packed executable, which triggers an allocation of excessive memory. (CVE-2019-14295)

canUnpack in p_vmlinx.cpp in UPX 3.95 allows remote attackers to cause a denial of service (SEGV or buffer overflow, and application crash) or possibly have unspecified other impact via a crafted UPX packed file. (CVE-2019-14296)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14295
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14296
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MOCJ43HTM45GZCAQ2FLEBDNBM76V22RG/
========================

Updated packages in core/updates_testing:
========================
upx-3.95-1.1.mga7.src.rpm

from SRPMS:
upx-3.95-1.1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)

Mageia7, x86_64

CVE-2019-14295
https://github.com/upx/upx/issues/286
Link to PoC does not work. Tried wget on the underlying address without success.

    $ wget https://github.com/aheroine/libming-bin/raw/master/crashes/upx/poc-Integer-overflow

Returns error 404.
Same story for CVE-2019-14296.

Updated the upx package.

    $ cp /usr/bin/caja .
    $ upx caja
                           Ultimate Packer for eXecutables
                              Copyright (C) 1996 - 2018
    UPX 3.95        Markus Oberhumer, Laszlo Molnar & John Reiser   Aug 26th 2018

            File size         Ratio      Format      Name
       --------------------   ------   -----------   -----------
       1940992 ->    746308   38.45%   linux/amd64   caja

    Packed 1 file.

Used another copy of caja:

    $ upx --best caja
            File size         Ratio      Format      Name
       --------------------   ------   -----------   -----------
       1940992 ->    737724   38.01%   linux/amd64   caja
    $ ./caja

The packed version worked exactly like the original.

    $ upx -d caja
            File size         Ratio      Format      Name
       --------------------   ------   -----------   -----------
       1940992 <-    737724   38.01%   linux/amd64   caja

    Unpacked 1 file.

This is OK for 64-bits.

CC: (none) => tarazed25

Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
Thomas Backlund
2020-01-05 14:36:55 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0012.html

Resolution: (none) => FIXED