Bug 31449

Summary: upx new security issues CVE-2023-2345[67]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, geiger.david68210, herman.viaene, marja11, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: upx-4.0.1-1.mga9.src.rpm CVE:
Status comment:

Description David Walser 2023-01-23 22:04:58 CET 
openSUSE has issued an advisory today (January 23):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OY3PZTUNJBOAOSBB3625O5WLS7HRY73I/

Mageia 8 is also affected.
David Walser 2023-01-23 22:05:09 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from upstream and openSUSE

Comment 1 David Walser 2023-01-23 22:20:17 CET 
Fedora has issued an advisory on January 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TGEP3FBNRZXGLIA2B2ICMB32JVMPREFZ/

There were actually two security issues fixed upstream post-4.0.1.

Summary: upx new security issue CVE-2023-23457 => upx new security issues CVE-2023-2345[67]
Status comment: Patches available from upstream and openSUSE => Patches available from upstream and Fedora

David Walser 2023-01-23 22:20:48 CET

Severity: normal => major

Comment 2 David GEIGER 2023-01-23 22:34:36 CET 
Cauldron is already fixed with release 4.0.1 and 2 patches.

CC: (none) => geiger.david68210

Comment 3 David Walser 2023-01-23 23:43:21 CET 
You should have filed a bug then.

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 4 Marja Van Waes 2023-02-04 23:18:42 CET 
Assigning to all packagers collectively, because there is no registered maintainer for this package

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 5 David GEIGER 2023-02-11 06:18:53 CET 
Done for mga8! updating to 4.0.2 release.
Comment 6 David Walser 2023-02-11 19:44:36 CET 
upx-4.0.2-1.mga8

from upx-4.0.2-1.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs
Status comment: Patches available from upstream and Fedora => (none)

Comment 7 Herman Viaene 2023-02-14 10:52:35 CET 
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Ref bug 29016 Comment 5 for testing:
cd tmp/upxtest/
$ upx --version
upx 4.0.2
UCL data compression library 1.03
zlib data compression library 1.2.13.1-motley
LZMA SDK version 4.43
doctest C++ testing framework version 2.4.9
Copyright (C) 1996-2023 Markus Franz Xaver Johannes Oberhumer
and more.....
UPX comes with ABSOLUTELY NO WARRANTY; for details type 'upx -L'.
$ upx -L
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2023
UPX 4.0.2       Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 30th 2023

   This program may be used freely, and you are welcome to
and more ....
$ cp /bin/blender .
$ ll blender
-rwxr-xr-x 1 tester8 tester8 80046904 Feb 14 10:27 blender*
$ upx blender
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2023
UPX 4.0.2       Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 30th 2023

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
  80046904 ->  31067232   38.81%   linux/amd64   blender                       

Packed 1 file.
$ ll blender
-rwxr-xr-x 1 tester8 tester8 31067232 Feb 14 10:27 blender*
Definitely smaller size
$ upx -d -o blender.clone -f blender
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2023
UPX 4.0.2       Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 30th 2023

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
[WARNING] bad b_info at 0x1cef6aa

[WARNING] ... recovery at 0x1cef6aa

  80050472 <-  31067232   38.81%   linux/amd64   blender.clone

Unpacked 1 file.
$ ./blender.clone
Read prefs: /home/tester8/.config/blender/2.83/config/userpref.blend
Blender opened, I could select Video editing, added an mpg file and played it in the View, seems OK
$ ./blender
Read prefs: /home/tester8/.config/blender/2.83/config/userpref.blend
Saved session recovery to '/tmp/quit.blend'

Blender quit
Also opened correcly, select Video editing, added an avi file and played it in the View, seems OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 8 Thomas Andrews 2023-02-15 21:35:45 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-02-20 20:51:10 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 9 Mageia Robot 2023-02-20 22:27:02 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0052.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED