Fedora has issued an advisory on August 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MOCJ43HTM45GZCAQ2FLEBDNBM76V22RG/

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
No registered or evident maintainer for this pkg, so assigning globally. CC'ing José as its last committer.
CC: (none) => lists.jjorge
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

An Integer overflow in the getElfSections function in p_vmlinx.cpp in UPX 3.95 allows remote attackers to cause a denial of service (crash) via a skewed offset larger than the size of the PE section in a UPX packed executable, which triggers an allocation of excessive memory. (CVE-2019-14295)

canUnpack in p_vmlinx.cpp in UPX 3.95 allows remote attackers to cause a denial of service (SEGV or buffer overflow, and application crash) or possibly have unspecified other impact via a crafted UPX packed file. (CVE-2019-14296)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14295
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14296
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MOCJ43HTM45GZCAQ2FLEBDNBM76V22RG/
========================

Updated packages in core/updates_testing:
========================
upx-3.95-1.1.mga7.src.rpm

from SRPMS:
upx-3.95-1.1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 7
Status: NEW => ASSIGNED
CVE: (none) => CVE-2019-14295, CVE-2019-14296
CC: (none) => nicolas.salguero
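The bug class named in the CVE-2019-14295 description above (a file-supplied offset and length accepted without a wrap-safe comparison against the real file size), as an added C example; it is not UPX's code or its fix. The struct, the function names and the header values used to exercise them are constructed for illustration.

```c
#include <stdint.h>

/* Subset of the fields a loader reads from an untrusted ELF64 header.
 * Hypothetical struct for this example, not a UPX type. */
struct shdr_table {
    uint64_t e_shoff;      /* file offset of the section header table */
    uint16_t e_shentsize;  /* size of one table entry in bytes */
    uint16_t e_shnum;      /* number of entries */
};

/* Naive bounds check: offset + length is computed in 64 bits and can wrap
 * past 2^64, so a huge e_shoff produces a small sum and is accepted. */
int table_in_file_naive(const struct shdr_table *t, uint64_t file_size)
{
    uint64_t bytes = (uint64_t)t->e_shentsize * t->e_shnum;
    return t->e_shoff + bytes <= file_size;   /* wraps on overflow */
}

/* Hardened check: never forms offset + length. The product of two 16-bit
 * fields fits in 32 bits, and the subtraction cannot underflow because
 * e_shoff <= file_size has been established first. */
int table_in_file_checked(const struct shdr_table *t, uint64_t file_size)
{
    uint64_t bytes = (uint64_t)t->e_shentsize * t->e_shnum;

    /* sizeof(Elf64_Shdr) is 64; a smaller entry size is malformed. */
    if (t->e_shnum != 0 && t->e_shentsize < 64)
        return 0;
    if (t->e_shoff > file_size)
        return 0;
    return bytes <= file_size - t->e_shoff;
}

/* Number of bytes a loader may allocate and read for the table,
 * or 0 when the header must be rejected. */
uint64_t section_table_bytes(const struct shdr_table *t, uint64_t file_size)
{
    if (!table_in_file_checked(t, file_size))
        return 0;
    return (uint64_t)t->e_shentsize * t->e_shnum;
}
```

Sizing the allocation only after the checked comparison succeeds keeps it bounded by the actual file size rather than by values taken from the header.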
Mageia7, x86_64

CVE-2019-14295
https://github.com/upx/upx/issues/286
Link to PoC does not work. Tried wget on the underlying address without success.
$ wget https://github.com/aheroine/libming-bin/raw/master/crashes/upx/poc-Integer-overflow
Returns error 404.
Same story for CVE-2019-14296.

Updated the upx package.
$ cp /usr/bin/caja .
$ upx caja
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2018
UPX 3.95        Markus Oberhumer, Laszlo Molnar & John Reiser   Aug 26th 2018

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   1940992 ->    746308   38.45%   linux/amd64   caja

Packed 1 file.

Used another copy of caja:
$ upx --best caja
        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   1940992 ->    737724   38.01%   linux/amd64   caja

$ ./caja
The packed version worked exactly like the original.

$ upx -d caja
        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   1940992 <-    737724   38.01%   linux/amd64   caja

Unpacked 1 file.

This is OK for 64-bits.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0012.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED