| Summary: | upx new security issues CVE-2018-11243 CVE-2019-1010048 CVE-2019-20021 CVE-2019-20051 CVE-2019-20053 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, nicolas.salguero, sysadmin-bugs, tarazed25, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | upx-3.95-1.1.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2020-02-07 21:29:17 CET

David Walser
2020-02-07 21:29:29 CET
CC: (none) => geiger.david68210, nicolas.salguero

Apparently ucl is also affected by the first issue:
https://lists.opensuse.org/opensuse-updates/2020-02/msg00006.html

Fedora has issued an advisory for this on February 3:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/D7XU42G6MUQQXHWRP7DCF2JSIBOJ5GOO/

(In reply to David Walser from comment #2)
> Fedora has issued an advisory for this on February 3:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/D7XU42G6MUQQXHWRP7DCF2JSIBOJ5GOO/

It adds one more CVE.

Summary: upx new security issues CVE-2018-11243 CVE-2019-1010048 CVE-2019-20021 CVE-2019-20053 => upx new security issues CVE-2018-11243 CVE-2019-1010048 CVE-2019-20021 CVE-2019-20051 CVE-2019-20053

David Walser
2020-02-21 17:50:26 CET
Status comment: (none) => Fixed upstream in 3.96

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

PackLinuxElf64::unpack in p_lx_elf.cpp in UPX 3.95 allows remote attackers to cause a denial of service (double free), limit the ability of a malware scanner to operate on the entire original data, or possibly have unspecified other impact via a crafted file. (CVE-2018-11243)

A denial of service in PackLinuxElf32::PackLinuxElf32help1(). (CVE-2019-1010048)

A heap-based buffer over-read was discovered in canUnpack in p_mach.cpp in UPX 3.95 via a crafted Mach-O file. (CVE-2019-20021)

A floating-point exception was discovered in PackLinuxElf::elf_hash in p_lx_elf.cpp in UPX 3.95. The vulnerability causes an application crash, which leads to denial of service. (CVE-2019-20051)

An invalid memory address dereference was discovered in the canUnpack function in p_mach.cpp in UPX 3.95 via a crafted Mach-O file. (CVE-2019-20053)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11243
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010048
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20021
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20051
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20053
https://lists.opensuse.org/opensuse-updates/2020-02/msg00012.html
https://lists.opensuse.org/opensuse-updates/2020-02/msg00006.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/D7XU42G6MUQQXHWRP7DCF2JSIBOJ5GOO/
========================

Updated packages in core/updates_testing:
========================
lib(64)ucl1-1.03-16.1.mga7
lib(64)ucl-devel-1.03-16.1.mga7
upx-3.96-1.mga7

from SRPMS:
ucl-1.03-16.1.mga7.src.rpm
upx-3.96-1.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs

David Walser
2020-02-21 23:14:20 CET
Status comment: Fixed upstream in 3.96 => (none)

mga7, x86_64

CVE-2018-11243
https://github.com/upx/upx/issues/206
Two test files available as a poc.zip file:

```
$ unzip poc.zip
Archive:  poc.zip
   creating: report/
  inflating: report/poc1
  inflating: report/poc2
$ upx poc1
[...]
upx: poc1: CantPackException: bad PT_DYNAMIC phdr[4]
Packed 0 files.
$ upx poc2
upx: poc2: CantPackException: DT_STRTAB above stub
Packed 0 files.
```

https://github.com/upx/upx/issues/207
poc_free.zip

```
$ upx -d poc_free
terminate called after throwing an instance of '13InternalError'
  what():  std::exception
Aborted (core dumped)
```

CVE-2019-20021
https://github.com/upx/upx/issues/315

```
$ upx -d -f 002
upx: 002: NotPackedException: not packed by UPX
Unpacked 0 files.
```

Upstream is using something called upx.out and gets:

```
upx.out: 002: CantUnpackException: file corrupted
```

CVE-2019-20051
https://github.com/upx/upx/issues/313

```
$ upx -d -f -o foo 004
upx: 004: NotPackedException: not packed by UPX
Unpacked 0 files.
```

CVE-2019-20053
https://github.com/upx/upx/issues/314

```
$ upx -d -f -o foo 001
upx: 001: NotPackedException: not packed by UPX
```

Updated the packages.

CVE-2018-11243
The first two tests returned the same messages as before, which look acceptable. The poc_free test still aborts, so there is still a problem.

CVEs -2019-200{21,51,53} all behave as before the update. Those messages give the impression that the issues are being handled effectively.

Tried packing and unpacking on a copy of the system celestia binary.

```
$ cp /bin/celestia .
$ ll celestia
-rwxr-xr-x 1 lcl lcl 3252888 Feb 22 23:34 celestia*
$ upx celestia
3252888 -> 1352856 41.59% linux/amd64 celestia
Packed 1 file.
$ ll celestia
-rwxr-xr-x 1 lcl lcl 1352856 Feb 22 23:34 celestia*
$ ./celestia
```

The application launches instantly and works as usual.

```
$ upx -d -o celestia2 -f celestia
3252888 <- 1352856 41.59% linux/amd64 celestia2
Unpacked 1 file.
$ diff celestia2 /bin/celestia
$ ./celestia2
```

That also works as before so packing and unpacking is totally transparent.

```
$ upx --version
upx 3.95
UCL data compression library 1.03
zlib data compression library 1.2.11
LZMA SDK version 4.43
.....
$ upx -L
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2018
[...]
https://upx.github.io
http://www.oberhumer.com/opensource/upx/
...
```

The application is working as designed and most of the various overflow problems have been fixed apart from CVE-2018-11243:207 which I guess will be patched eventually.

CC: (none) => tarazed25

Indeed, the openSUSE changes file said only 206 and not 207 is fixed. Validating, then.

Advisory in Comment 4.

Keywords: (none) => validated_update
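The QA comment above checks two things by hand: that each crafted input makes upx exit with an ordinary error (CantPackException, NotPackedException) rather than abort as poc_free still does, and that a normal binary survives a pack/unpack round trip byte for byte. The following POSIX shell harness is an added example, not code from this bug report, the Mageia packages or the UPX project, that makes those checks repeatable. It assumes `upx` is on PATH for the upx-specific functions; the upstream PoC files are not included, so the crash classifier is exercised with a constructed child process, and `/bin/ls` stands in for the celestia binary used in the comment.

```shell
#!/bin/sh
# Added example (not from the bug report or UPX): a small QA harness for the
# checks done by hand in the comment above. Assumptions: upx on PATH for the
# upx-specific functions; PoC files are passed as arguments if available.

ulimit -c 0 2>/dev/null   # no core files from simulated crashes

# classify_exit STATUS -> "ok" | "rejected(exit N)" | "crash(signal N)"
# A status above 128 means the child was killed by a signal: 134 = SIGABRT
# (the poc_free abort), 136 = SIGFPE (a division fault such as the elf_hash
# one), 139 = SIGSEGV (an invalid dereference). Any other non-zero status is
# upx refusing the file, which is what the fixed package should do.
classify_exit() {
    status="$1"
    if [ "$status" -eq 0 ]; then
        echo "ok"
    elif [ "$status" -gt 128 ]; then
        echo "crash(signal $((status - 128)))"
    else
        echo "rejected(exit $status)"
    fi
}

# run_and_classify CMD ARGS... : run a command, discard its output and report
# how it ended. The `|| status=$?` form keeps this usable under `set -e`.
run_and_classify() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    classify_exit "$status"
}

# check_unpack FILE : the unpack attempt the tester ran on 001/002/004/poc_free.
check_unpack() {
    run_and_classify upx -d -f -o "$1.unpacked" "$1"
}

# roundtrip BINARY : copy, pack, unpack, compare with the original.
# Returns 0 only when the unpacked copy is byte-identical (the
# `diff celestia2 /bin/celestia` step above); 1 on any failure or difference.
roundtrip() {
    src="$1"
    tmp="$(mktemp -d)" || return 1
    rc=1
    if cp "$src" "$tmp/packed" \
       && upx -q "$tmp/packed" >/dev/null 2>&1 \
       && upx -q -d -o "$tmp/unpacked" "$tmp/packed" >/dev/null 2>&1 \
       && cmp -s "$tmp/unpacked" "$src"; then
        rc=0
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Demonstration. The constructed child processes stand in for the PoC files,
# so this part runs even where upx is not installed.
echo "simulated abort:     $(run_and_classify sh -c 'kill -s ABRT $$')"
echo "simulated rejection: $(run_and_classify sh -c 'exit 2')"
if command -v upx >/dev/null 2>&1; then
    for f in "$@"; do                      # PoC files given on the command line
        echo "$f: $(check_unpack "$f")"
    done
    # /bin/ls is only a stand-in for the celestia binary used in the comment
    if roundtrip /bin/ls; then
        echo "round-trip /bin/ls: identical"
    else
        echo "round-trip /bin/ls: MISMATCH or failure"
    fi
fi
```

Run it as `sh harness.sh poc1 poc2 poc_free 001 002 004` on a system with the updated package: every PoC line should read `rejected(...)`, and a `crash(signal 6)` line is exactly the poc_free result the tester flagged as still open.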
Thomas Backlund
2020-02-24 21:47:13 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0096.html

Status: ASSIGNED => RESOLVED