Fedora has issued an advisory on October 14:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RJRF5BAMX5AS2PZ2P56VA2XW6ZXF7VOV/

It's not clear if the older versions we have are affected.
Assigning to all packagers collectively, since it has no registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
openSUSE updated from 3.91 to 3.94 (on October 19):
https://lists.opensuse.org/opensuse-updates/2017-10/msg00065.html

That suggests to me that 3.91 is affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
The issue:
https://github.com/upx/upx/issues/128

Upstream has patched this issue:
https://github.com/upx/upx/commit/ef336dbcc6dc8344482f8cf6c909ae96c3286317
CC: (none) => jackal.j
Assignee: pkg-bugs => jackal.j
Jack and José are working on this and have uploaded updated packages for Mageia 5, Mageia 6, and Cauldron. I'll see if they want to take a crack at the advisory.
CC: (none) => lists.jjorge
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6
Assignee: jackal.j => qa-bugs
Advisory:
========================

Updated upx package fixes security vulnerability:

p_lx_elf.cpp in UPX 3.94 mishandles ELF headers, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by an Invalid Pointer Read in PackLinuxElf64::unpack() (CVE-2017-15056).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15056
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RJRF5BAMX5AS2PZ2P56VA2XW6ZXF7VOV/
========================

Updated packages in core/updates_testing:
========================
upx-3.94-1.mga5
upx-3.94-1.mga6

from SRPMS:
upx-3.94-1.mga5.src.rpm
upx-3.94-1.mga6.src.rpm
MGA5-32 on Asus A6000VM Xfce

No installation issues.
Copied thunar executable to my ~/Documenten and then at CLI:

    ]$ upx thunar
    Ultimate Packer for eXecutables
    Copyright (C) 1996 - 2017
    UPX 3.94 Markus Oberhumer, Laszlo Molnar & John Reiser May 12th 2017
    File size Ratio Format Name
    -------------------- ------ ----------- -----------
    873204 -> 308460 35.33% linux/i386 thunar
    Packed 1 file.

then

    $ ./thunar

worked OK and

    $ upx -t thunar
    Ultimate Packer for eXecutables
    Copyright (C) 1996 - 2017
    UPX 3.94 Markus Oberhumer, Laszlo Molnar & John Reiser May 12th 2017
    testing thunar [OK]
    Tested 1 file.

    $ upx -l thunar
    Ultimate Packer for eXecutables
    Copyright (C) 1996 - 2017
    UPX 3.94 Markus Oberhumer, Laszlo Molnar & John Reiser May 12th 2017
    File size Ratio Format Name
    -------------------- ------ ----------- -----------
    873204 -> 308460 35.33% linux/i386 thunar

This seems all OK
CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
mga5::x86_64 Mate desktop

Three POCs available from https://github.com/upx/upx/issues/128, meant to be run in the ASAN framework (!!).
Here the before update tests produced these results from the commands:

    $ upx -d -o /dev/null -f POC{1,2,3}

"upx: POC1: EOFException: premature end of file"
ASAN result: READ of size 4 - ABORTING

"upx: POC2: IOException: seek error: Invalid argument"
ASAN result: DEADLYSIGNAL - SEGV - ABORTING

No apparent error for POC3 - "Unpacked 1 file"
ASAN result: DEADLYSIGNAL - SEGV - ABORTING

After update:
Following Herman's lead in comment 6.
Installed Thunar and copied /bin/thunar to ~/test/

    $ upx thunar
    Ultimate Packer for eXecutables
    Copyright (C) 1996 - 2017
    UPX 3.94 Markus Oberhumer, Laszlo Molnar & John Reiser May 12th 2017
    File size Ratio Format Name
    -------------------- ------ ----------- -----------
    793912 -> 286444 36.08% linux/amd64 thunar
    Packed 1 file.

    $ ./thunar

Compressed file launched the gui.

    $ upx -l thunar
    Ultimate Packer for eXecutables
    Copyright (C) 1996 - 2017
    UPX 3.94 Markus Oberhumer, Laszlo Molnar & John Reiser May 12th 2017
    File size Ratio Format Name
    -------------------- ------ ----------- -----------
    793912 -> 286444 36.08% linux/amd64 thunar

Check the compressed size:

    $ ls -l thunar
    -rwxr-xr-x 1 lcl lcl 286444 Oct 24 15:38 thunar*
    $ ls -l /bin/thunar
    -rwxr-xr-x 1 root root 793912 Feb 12 2016 /bin/thunar*

Both as stated.
The process can be reversed OK.

    $ upx -d thunar
    Ultimate Packer for eXecutables
    Copyright (C) 1996 - 2017
    UPX 3.94 Markus Oberhumer, Laszlo Molnar & John Reiser May 12th 2017
    File size Ratio Format Name
    -------------------- ------ ----------- -----------
    793912 <- 286444 36.08% linux/amd64 thunar
    Unpacked 1 file.

    $ ./thunar

This still works.

POC tests:

    upx: POC1: FileAlreadyExistsException: /dev/null: File exists
    upx: POC2: FileAlreadyExistsException: /dev/null: File exists
    upx: POC3: FileAlreadyExistsException: /dev/null: File exists

Tried this:

    $ upx -d -o squerk POC
    upx: POC1: CantUnpackException: bad e_phoff
    upx: POC2: CantUnpackException: bad e_phoff
    upx: POC3: CantUnpackException: bad e_phoff

Those look acceptable. Good for 64 bits.
CC: (none) => tarazed25
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA5-64-OK
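The updated package rejects the three POCs with "bad e_phoff". As an added example (not part of this bug thread and not UPX's own code), this is one way an unpacker can confirm that an ELF64 program header table lies inside the file before walking it. The names check_elf64_phdrs and check_sample and the enum are hypothetical, and the sample header is constructed.

```c
/* Added illustration, not UPX code; all names here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum phdr_check { PHDR_OK, PHDR_TRUNCATED, PHDR_NOT_ELF64, PHDR_BAD_PHOFF };

/* Little-endian read, byte by byte: untrusted bytes are never cast to a struct. */
static uint64_t rd_le(const uint8_t *p, int n)
{
    uint64_t v = 0;
    while (n-- > 0) v = (v << 8) | p[n];
    return v;
}

/* Reject a file whose program header table is not wholly inside the file. */
enum phdr_check check_elf64_phdrs(const uint8_t *buf, size_t len)
{
    if (len < 64) return PHDR_TRUNCATED;          /* sizeof(Elf64_Ehdr) */
    if (memcmp(buf, "\x7f" "ELF", 4) != 0 || buf[4] != 2 || buf[5] != 1)
        return PHDR_NOT_ELF64;                    /* ELFCLASS64 + ELFDATA2LSB only */
    uint64_t e_phoff = rd_le(buf + 0x20, 8);
    uint64_t e_phentsize = rd_le(buf + 0x36, 2);
    uint64_t e_phnum = rd_le(buf + 0x38, 2);
    if (e_phnum == 0) return PHDR_OK;             /* no table to walk */
    if (e_phentsize != 56) return PHDR_BAD_PHOFF; /* sizeof(Elf64_Phdr) */
    /* Compare against the bytes remaining so e_phoff + size cannot wrap. */
    if (e_phoff > len || e_phnum * e_phentsize > len - e_phoff)
        return PHDR_BAD_PHOFF;
    return PHDR_OK;
}

/* Constructed sample: a zero-filled "file" of file_len bytes (max 256)
   carrying only the header fields the check reads. */
enum phdr_check check_sample(uint64_t phoff, uint16_t phnum, size_t file_len)
{
    uint8_t f[256] = {0};
    if (file_len > sizeof f) file_len = sizeof f;
    memcpy(f, "\x7f" "ELF\x02\x01\x01", 7);
    for (int i = 0; i < 8; i++) f[0x20 + i] = (uint8_t)(phoff >> (8 * i));
    f[0x36] = 56;
    f[0x38] = (uint8_t)phnum; f[0x39] = (uint8_t)(phnum >> 8);
    return check_elf64_phdrs(f, file_len);
}

int main(void)
{
    printf("in-range table: %d\n", check_sample(64, 2, 256));
    printf("huge e_phoff:   %d\n", check_sample(0xFFFFFFFFFFFFFF00ULL, 2, 256));
    return 0;
}
```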
mga6::x86_64 Mate

Ran the POC tests before and after the update with identical results as reported in comment 7. Used a dummy file throughout rather than /dev/null.

    $ upx -V
    upx 3.94
    UCL data compression library 1.03
    zlib data compression library 1.2.11
    LZMA SDK version 4.43
    Copyright (C) 1996-2017 Markus Franz Xaver Johannes Oberhumer
    Copyright (C) 1996-2017 Laszlo Molnar
    Copyright (C) 2000-2017 John F. Reiser
    Copyright (C) 2002-2017 Jens Medoch
    Copyright (C) 1995-2005 Jean-loup Gailly and Mark Adler
    Copyright (C) 1999-2006 Igor Pavlov
    UPX comes with ABSOLUTELY NO WARRANTY; for details type 'upx -L'.

Copied thunar from /bin as a test object and carried out the same sequence of tests as in comments 6 and 7 with virtually identical results.
This is good for 64 bits.
Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-64-OK
Advisory uploaded, validating.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0389.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED