openSUSE has issued an advisory on February 4: https://lists.opensuse.org/opensuse-updates/2020-02/msg00012.html The issues are fixed upstream in 3.96.
CC: (none) => geiger.david68210, nicolas.salguero
Apparently ucl is also affected by the first issue: https://lists.opensuse.org/opensuse-updates/2020-02/msg00006.html
Fedora has issued an advisory for this on February 3: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/D7XU42G6MUQQXHWRP7DCF2JSIBOJ5GOO/
(In reply to David Walser from comment #2)
> Fedora has issued an advisory for this on February 3:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/D7XU42G6MUQQXHWRP7DCF2JSIBOJ5GOO/

It adds one more CVE.
Summary: upx new security issues CVE-2018-11243 CVE-2019-1010048 CVE-2019-20021 CVE-2019-20053 => upx new security issues CVE-2018-11243 CVE-2019-1010048 CVE-2019-20021 CVE-2019-20051 CVE-2019-20053
Status comment: (none) => Fixed upstream in 3.96
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

PackLinuxElf64::unpack in p_lx_elf.cpp in UPX 3.95 allows remote attackers to cause a denial of service (double free), limit the ability of a malware scanner to operate on the entire original data, or possibly have unspecified other impact via a crafted file. (CVE-2018-11243)

A denial of service in PackLinuxElf32::PackLinuxElf32help1(). (CVE-2019-1010048)

A heap-based buffer over-read was discovered in canUnpack in p_mach.cpp in UPX 3.95 via a crafted Mach-O file. (CVE-2019-20021)

A floating-point exception was discovered in PackLinuxElf::elf_hash in p_lx_elf.cpp in UPX 3.95. The vulnerability causes an application crash, which leads to denial of service. (CVE-2019-20051)

An invalid memory address dereference was discovered in the canUnpack function in p_mach.cpp in UPX 3.95 via a crafted Mach-O file. (CVE-2019-20053)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11243
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010048
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20021
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20051
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20053
https://lists.opensuse.org/opensuse-updates/2020-02/msg00012.html
https://lists.opensuse.org/opensuse-updates/2020-02/msg00006.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/D7XU42G6MUQQXHWRP7DCF2JSIBOJ5GOO/
========================

Updated packages in core/updates_testing:
========================

lib(64)ucl1-1.03-16.1.mga7
lib(64)ucl-devel-1.03-16.1.mga7
upx-3.96-1.mga7

from SRPMS:
ucl-1.03-16.1.mga7.src.rpm
upx-3.96-1.mga7.src.rpm
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 3.96 => (none)
mga7, x86_64

CVE-2018-11243
https://github.com/upx/upx/issues/206
Two test files available as a poc.zip file:
$ unzip poc.zip
Archive:  poc.zip
   creating: report/
  inflating: report/poc1
  inflating: report/poc2
$ upx poc1
[...]
upx: poc1: CantPackException: bad PT_DYNAMIC phdr[4]
Packed 0 files.
$ upx poc2
upx: poc2: CantPackException: DT_STRTAB above stub
Packed 0 files.

https://github.com/upx/upx/issues/207
poc_free.zip
$ upx -d poc_free
terminate called after throwing an instance of '13InternalError'
  what():  std::exception
Aborted (core dumped)

CVE-2019-20021
https://github.com/upx/upx/issues/315
$ upx -d -f 002
upx: 002: NotPackedException: not packed by UPX
Unpacked 0 files.
Upstream is using something called upx.out and gets:
upx.out: 002: CantUnpackException: file corrupted

CVE-2019-20051
https://github.com/upx/upx/issues/313
$ upx -d -f -o foo 004
upx: 004: NotPackedException: not packed by UPX
Unpacked 0 files.

CVE-2019-20053
https://github.com/upx/upx/issues/314
$ upx -d -f -o foo 001
upx: 001: NotPackedException: not packed by UPX

Updated the packages.

CVE-2018-11243
The first two tests returned the same messages as before, which look acceptable.
The poc_free test still aborts, so there is still a problem.

CVE-2019-200{21,51,53} all behave as before the update. Those messages give the impression that the issues are being handled effectively.

Tried packing and unpacking on a copy of the system celestia binary.
$ cp /bin/celestia .
$ ll celestia
-rwxr-xr-x 1 lcl lcl 3252888 Feb 22 23:34 celestia*
$ upx celestia
3252888 -> 1352856 41.59% linux/amd64 celestia
Packed 1 file.
$ ll celestia
-rwxr-xr-x 1 lcl lcl 1352856 Feb 22 23:34 celestia*
$ ./celestia
The application launches instantly and works as usual.
$ upx -d -o celestia2 -f celestia
3252888 <- 1352856 41.59% linux/amd64 celestia2
Unpacked 1 file.
$ diff celestia2 /bin/celestia
$ ./celestia2
That also works as before, so packing and unpacking is totally transparent.
$ upx --version
upx 3.95
UCL data compression library 1.03
zlib data compression library 1.2.11
LZMA SDK version 4.43
.....
$ upx -L
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2018
[...]
https://upx.github.io
http://www.oberhumer.com/opensource/upx/
...

The application is working as designed and most of the various overflow problems have been fixed apart from CVE-2018-11243:207, which I guess will be patched eventually.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
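The two checks the QA comment above performed by hand (feeding the PoC files to upx and watching whether it rejects them cleanly or aborts, then a pack/unpack round-trip diffed against the original) scripted so they can be re-run after each package update. This is an added example, not code from the bug report or from the UPX project; it assumes upx is on PATH for the real helpers, and the PoC file names are the ones quoted in the comment.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumes upx is on PATH for the
# upx_* helpers; PoC file names (poc1, poc_free, 001 ...) are from the report.

# run_poc CMD ARG... : run a command on a crafted input and classify the
# outcome. "ok" = exit 0, "rejected" = clean non-zero exit (the
# CantPackException / NotPackedException cases), "crashed" = killed by a
# signal (exit status >= 128, like the "Aborted (core dumped)" for poc_free).
run_poc() {
    rc=0
    "$@" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo ok
    elif [ "$rc" -ge 128 ]; then
        echo crashed
    else
        echo rejected
    fi
}

# Real helpers for upx: pack in place, unpack to a separate output file.
upx_pack()   { upx "$1"; }
upx_unpack() { upx -d -f -o "$2" "$1"; }

# roundtrip SRC PACK_FN UNPACK_FN : copy SRC, pack the copy with PACK_FN,
# unpack it with UNPACK_FN and compare the result byte for byte with SRC.
# Prints "identical" or "differs"; any step failing counts as "differs".
roundtrip() {
    src=$1; pack_fn=$2; unpack_fn=$3
    tmp=$(mktemp -d) || return 1
    cp "$src" "$tmp/packed" &&
        "$pack_fn" "$tmp/packed" >/dev/null 2>&1 &&
        "$unpack_fn" "$tmp/packed" "$tmp/restored" >/dev/null 2>&1 &&
        cmp -s "$src" "$tmp/restored" && result=identical || result=differs
    rm -rf "$tmp"
    echo "$result"
}

# Usage matching the QA comment (needs upx and the PoC files):
#   run_poc upx poc1                             -> rejected
#   run_poc upx -d poc_free                      -> crashed (issue 207 open)
#   run_poc upx -d -f -o foo 001                 -> rejected
#   roundtrip /bin/celestia upx_pack upx_unpack  -> identical
```

A "crashed" result is the signal that an issue is still open even when every other PoC is rejected with a clean error message.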
Indeed, the openSUSE changes file said only 206 and not 207 is fixed.
Validating, then. Advisory in Comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0096.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED