Bug 25935 - upx new security issues CVE-2019-1429[56]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-12-23 21:40 CET by David Walser
Modified: 2020-01-05 16:39 CET

See Also:
Source RPM: upx-3.95-1.mga7.src.rpm
CVE: CVE-2019-14295, CVE-2019-14296
Status comment:


Description David Walser 2019-12-23 21:40:03 CET
Fedora has issued an advisory on August 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MOCJ43HTM45GZCAQ2FLEBDNBM76V22RG/

Mageia 7 is also affected.
David Walser 2019-12-23 21:40:19 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2019-12-24 21:21:43 CET
No registered or evident maintainer for this pkg, so assigning globally.
CC'ing José as its last committer.

CC: (none) => lists.jjorge
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2019-12-28 15:52:39 CET
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

An Integer overflow in the getElfSections function in p_vmlinx.cpp in UPX 3.95 allows remote attackers to cause a denial of service (crash) via a skewed offset larger than the size of the PE section in a UPX packed executable, which triggers an allocation of excessive memory. (CVE-2019-14295)

canUnpack in p_vmlinx.cpp in UPX 3.95 allows remote attackers to cause a denial of service (SEGV or buffer overflow, and application crash) or possibly have unspecified other impact via a crafted UPX packed file. (CVE-2019-14296)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14295
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14296
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MOCJ43HTM45GZCAQ2FLEBDNBM76V22RG/
========================

Updated packages in core/updates_testing:
========================
upx-3.95-1.1.mga7.src.rpm

from SRPMS:
upx-3.95-1.1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 7
Status: NEW => ASSIGNED
CVE: (none) => CVE-2019-14295, CVE-2019-14296
CC: (none) => nicolas.salguero

Comment 3 Len Lawrence 2020-01-02 02:35:34 CET
Mageia7, x86_64

CVE-2019-14295
https://github.com/upx/upx/issues/286
Link to PoC does not work.  Tried wget on the underlying address without success.
$ wget https://github.com/aheroine/libming-bin/raw/master/crashes/upx/poc-Integer-overflow 
Returns error 404.
Same story for CVE-2019-14296.

Updated the upx package.

$ cp /usr/bin/caja .
$ upx caja
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2018
UPX 3.95        Markus Oberhumer, Laszlo Molnar & John Reiser   Aug 26th 2018
        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   1940992 ->    746308   38.45%   linux/amd64   caja                          
Packed 1 file.

Used another copy of caja:
$ upx --best caja
File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   1940992 ->    737724   38.01%   linux/amd64   caja                          

$ ./caja
The packed version worked exactly like the original.

$ upx -d caja
        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   1940992 <-    737724   38.01%   linux/amd64   caja

Unpacked 1 file.

This is OK for 64-bits.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Comment 4 Thomas Andrews 2020-01-03 19:41:32 CET
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-01-05 14:36:55 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 5 Mageia Robot 2020-01-05 16:39:58 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0012.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

