Bug 29016

Summary: upx new security issues CVE-2020-24119 and CVE-2021-20285
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, nicolas.salguero, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Source RPM: upx-3.96-2.mga8.src.rpm CVE: CVE-2020-24119, CVE-2021-20285
Status comment:

Description David Walser 2021-05-29 18:48:08 CEST 
Fedora has issued an advisory on March 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G3BQABK4YLXENDJBLDMHAIPRTC3ZMLYK/

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-05-29 18:48:25 CEST

Status comment: (none) => Patch available from Fedora
Whiteboard: (none) => MGA8TOO, MGA7TOO
CC: (none) => nicolas.salguero

Comment 1 Lewis Smith 2021-05-29 21:54:32 CEST 
A homeless SRPM with no particular maintainer, so assigning this bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2021-05-30 04:25:01 CEST 
Fedora has issued an advisory on May 27:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VSQRO7YC72PSYDQG4PQLQYXZTZE3B4YV/

Mageia 7 and Mageia 8 are also affected.

Summary: upx new security issue CVE-2021-20285 => upx new security issues CVE-2020-24115 and CVE-2021-20285

David Walser 2021-05-30 04:25:07 CEST

Status comment: Patch available from Fedora => Patches available from Fedora

David Walser 2021-05-30 04:25:20 CEST

Summary: upx new security issues CVE-2020-24115 and CVE-2021-20285 => upx new security issues CVE-2020-24119 and CVE-2021-20285

Comment 3 David Walser 2021-05-31 01:09:49 CEST 
openSUSE has issued an advisory for CVE-2020-24119 today (May 30):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/V2GCFGL5HHPU3GIC7XYIPIMYFFLH2M4U/
Comment 4 Nicolas Salguero 2021-06-01 16:05:10 CEST 
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

A heap buffer overflow read was discovered in upx 4.0.0, because the check in p_lx_elf.cpp is not perfect. (CVE-2020-24119)

A flaw was found in upx canPack in p_lx_elf.cpp in UPX 3.96. This flaw allows attackers to cause a denial of service (SEGV or buffer overflow and application crash) or possibly have unspecified other impacts via a crafted ELF. The highest threat from this vulnerability is to system availability. (CVE-2021-20285)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24119
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20285
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G3BQABK4YLXENDJBLDMHAIPRTC3ZMLYK/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VSQRO7YC72PSYDQG4PQLQYXZTZE3B4YV/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/V2GCFGL5HHPU3GIC7XYIPIMYFFLH2M4U/
========================

Updated package in 7/core/updates_testing:
========================
upx-3.96-1.1.mga7

from SRPM:
upx-3.96-1.1.mga7.src.rpm

Updated package in 8/core/updates_testing:
========================
upx-3.96-2.1.mga8

from SRPM:
upx-3.96-2.1.mga8.src.rpm

Status comment: Patches available from Fedora => (none)
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 8
Status: NEW => ASSIGNED
CVE: (none) => CVE-2020-24119, CVE-2021-20285
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

Comment 5 Len Lawrence 2021-06-07 01:27:35 CEST 
mga8, x64

CVE-2020-24119
https://github.com/upx/upx/issues/388
$ upx -d poc-heap-buffer-overflow-get_le32.tar.gz
upx: poc-heap-buffer-overflow-get_le32.tar.gz: Exception: compressed data violation
Unpacked 1 file: 0 ok, 1 error.

Likely that this issue was already fixed.

CVE-2021-20285
https://github.com/upx/upx/issues/421
$ upx upx_crash_p_lx_elf_dev_2490
Segmentation fault (core dumped)

Updated upx from testing.
CVE-2020-24119
PoC test returns the same text as before which confirms already fixed.

CVE-2021-20285
$ upx upx_crash_p_lx_elf_dev_2490
upx: upx_crash_p_lx_elf_dev_2490: CantPackException: bad Elf64_Dynamic[DT_RELA] 0x2000000000400fe8
Packed 0 files.
Segfault avoided - good.

$ upx --version
upx 3.96
UCL data compression library 1.03
zlib data compression library 1.2.11
LZMA SDK version 4.43
$ upx -L
returns licence information.

Packed a system binary then unpacked a copy.
$ cp /bin/blender .
$ ll blender
-rwxr-xr-x 1 lcl lcl 80046904 Jun  7 00:08 blender*
$ upx blender
  80046904 ->  31066872   38.81%   linux/amd64   blender
Packed 1 file.
$ ll blender
-rwxr-xr-x 1 lcl lcl 31066872 Jun  7 00:08 blender*
$ upx -d -o blender.clone -f blender
  80046904 <-  31066872   38.81%   linux/amd64   blender.clone
Unpacked 1 file

$ ./blender.clone
acts just like /bin/blender
$ diff blender.clone /bin/blender
$

Ready for use.

Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK
CC: (none) => tarazed25

Comment 6 Len Lawrence 2021-06-07 01:33:16 CEST 
Sorry - forgot to mention that the compressed version of blender also works like the original.  Seems like magic.
Comment 7 Len Lawrence 2021-06-07 22:07:25 CEST 
mga7, x64

CVE-2020-24119
https://github.com/upx/upx/issues/388
$ upx -d poc-heap-buffer-overflow-get_le32.tar.gz
[...]
upx: poc-heap-buffer-overflow-get_le32.tar.gz: Exception: compressed data violation
Unpacked 1 file: 0 ok, 1 error.

CVE-2021-20285
https://github.com/upx/upx/issues/421
$ upx upx_crash_p_lx_elf_dev_2490
Segmentation fault (core dumped)

Updated upx from testing.
CVE-2020-24119
PoC test returns the same text as before which probably confirms that the issue had already been fixed.

CVE-2021-20285
$ upx upx_crash_p_lx_elf_dev_2490
upx: upx_crash_p_lx_elf_dev_2490: CantPackException: bad Elf64_Dynamic[DT_RELA] 0x2000000000400fe8
Packed 0 files.
Segfault avoided - good result.

$ upx --version
upx 3.96
UCL data compression library 1.03
zlib data compression library 1.2.11
LZMA SDK version 4.43
$ upx -L
returns licence information.

Packed a system binary then unpacked a copy.
$ cp /bin/celestia .
$ ll celestia
-rwxr-xr-x 1 lcl lcl 3252984 Jun  7  2021 celestia*
$ upx celestia
   3252984 ->   1354924   41.65%   linux/amd64   celestia                      
Packed 1 file.
$ ll celestia
-rwxr-xr-x 1 lcl lcl 1354924 Jun  7 20:56 celestia*
$ ./celestia
Works just like the original.
$ upx -d -o celestia.clone  -f celestia
   3252984 <-   1354924   41.65%   linux/amd64   celestia.clone
Unpacked 1 file.
$ diff celestia.clone /bin/celestia
$

OK for Mageia 7.

Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 8 Thomas Andrews 2021-06-08 14:27:42 CEST 
Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2021-06-08 17:30:56 CEST

Keywords: (none) => advisory

Comment 9 Mageia Robot 2021-06-08 18:47:32 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0241.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED