Fedora has issued an advisory on March 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G3BQABK4YLXENDJBLDMHAIPRTC3ZMLYK/

Mageia 7 and Mageia 8 are also affected.
Status comment: (none) => Patch available from Fedora
Whiteboard: (none) => MGA8TOO, MGA7TOO
CC: (none) => nicolas.salguero
A homeless SRPM with no particular maintainer, so assigning this bug globally.
Assignee: bugsquad => pkg-bugs
Fedora has issued an advisory on May 27:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VSQRO7YC72PSYDQG4PQLQYXZTZE3B4YV/

Mageia 7 and Mageia 8 are also affected.
Summary: upx new security issue CVE-2021-20285 => upx new security issues CVE-2020-24115 and CVE-2021-20285
Status comment: Patch available from Fedora => Patches available from Fedora
Summary: upx new security issues CVE-2020-24115 and CVE-2021-20285 => upx new security issues CVE-2020-24119 and CVE-2021-20285
openSUSE has issued an advisory for CVE-2020-24119 today (May 30):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/V2GCFGL5HHPU3GIC7XYIPIMYFFLH2M4U/
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

A heap buffer overflow read was discovered in upx 4.0.0, because the check in p_lx_elf.cpp is not perfect. (CVE-2020-24119)

A flaw was found in upx canPack in p_lx_elf.cpp in UPX 3.96. This flaw allows attackers to cause a denial of service (SEGV or buffer overflow and application crash) or possibly have unspecified other impacts via a crafted ELF. The highest threat from this vulnerability is to system availability. (CVE-2021-20285)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24119
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20285
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G3BQABK4YLXENDJBLDMHAIPRTC3ZMLYK/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VSQRO7YC72PSYDQG4PQLQYXZTZE3B4YV/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/V2GCFGL5HHPU3GIC7XYIPIMYFFLH2M4U/
========================

Updated package in 7/core/updates_testing:
========================
upx-3.96-1.1.mga7

from SRPM:
upx-3.96-1.1.mga7.src.rpm

Updated package in 8/core/updates_testing:
========================
upx-3.96-2.1.mga8

from SRPM:
upx-3.96-2.1.mga8.src.rpm
Status comment: Patches available from Fedora => (none)
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 8
Status: NEW => ASSIGNED
CVE: (none) => CVE-2020-24119, CVE-2021-20285
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
mga8, x64

CVE-2020-24119
https://github.com/upx/upx/issues/388
$ upx -d poc-heap-buffer-overflow-get_le32.tar.gz
upx: poc-heap-buffer-overflow-get_le32.tar.gz: Exception: compressed data violation
Unpacked 1 file: 0 ok, 1 error.
Likely that this issue was already fixed.

CVE-2021-20285
https://github.com/upx/upx/issues/421
$ upx upx_crash_p_lx_elf_dev_2490
Segmentation fault (core dumped)

Updated upx from testing.

CVE-2020-24119
PoC test returns the same text as before, which confirms it was already fixed.

CVE-2021-20285
$ upx upx_crash_p_lx_elf_dev_2490
upx: upx_crash_p_lx_elf_dev_2490: CantPackException: bad Elf64_Dynamic[DT_RELA] 0x2000000000400fe8
Packed 0 files.
Segfault avoided - good.

$ upx --version
upx 3.96
UCL data compression library 1.03
zlib data compression library 1.2.11
LZMA SDK version 4.43

$ upx -L
returns licence information.

Packed a system binary then unpacked a copy.
$ cp /bin/blender .
$ ll blender
-rwxr-xr-x 1 lcl lcl 80046904 Jun 7 00:08 blender*
$ upx blender
80046904 -> 31066872 38.81% linux/amd64 blender
Packed 1 file.
$ ll blender
-rwxr-xr-x 1 lcl lcl 31066872 Jun 7 00:08 blender*
$ upx -d -o blender.clone -f blender
80046904 <- 31066872 38.81% linux/amd64 blender.clone
Unpacked 1 file
$ ./blender.clone
acts just like /bin/blender
$ diff blender.clone /bin/blender
$

Ready for use.
Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK
CC: (none) => tarazed25
Sorry - forgot to mention that the compressed version of blender also works like the original. Seems like magic.
mga7, x64

CVE-2020-24119
https://github.com/upx/upx/issues/388
$ upx -d poc-heap-buffer-overflow-get_le32.tar.gz
[...]
upx: poc-heap-buffer-overflow-get_le32.tar.gz: Exception: compressed data violation
Unpacked 1 file: 0 ok, 1 error.

CVE-2021-20285
https://github.com/upx/upx/issues/421
$ upx upx_crash_p_lx_elf_dev_2490
Segmentation fault (core dumped)

Updated upx from testing.

CVE-2020-24119
PoC test returns the same text as before, which probably confirms that the issue had already been fixed.

CVE-2021-20285
$ upx upx_crash_p_lx_elf_dev_2490
upx: upx_crash_p_lx_elf_dev_2490: CantPackException: bad Elf64_Dynamic[DT_RELA] 0x2000000000400fe8
Packed 0 files.
Segfault avoided - good result.

$ upx --version
upx 3.96
UCL data compression library 1.03
zlib data compression library 1.2.11
LZMA SDK version 4.43

$ upx -L
returns licence information.

Packed a system binary then unpacked a copy.
$ cp /bin/celestia .
$ ll celestia
-rwxr-xr-x 1 lcl lcl 3252984 Jun 7 2021 celestia*
$ upx celestia
3252984 -> 1354924 41.65% linux/amd64 celestia
Packed 1 file.
$ ll celestia
-rwxr-xr-x 1 lcl lcl 1354924 Jun 7 20:56 celestia*
$ ./celestia
Works just like the original.
$ upx -d -o celestia.clone -f celestia
3252984 <- 1354924 41.65% linux/amd64 celestia.clone
Unpacked 1 file.
$ diff celestia.clone /bin/celestia
$

OK for Mageia 7.
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
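The checks done by hand in the two test comments above (run the PoC files and confirm upx refuses them cleanly instead of segfaulting, then pack a system binary, run it, unpack a clone and byte-compare it with the original), scripted as an added example. This is not code from the bug report, from Mageia QA or from the upx project. It assumes `upx` is on PATH (the `UPX` variable that overrides it is an assumption of this script), that the PoC files from the upstream issues are present locally, and that the binary given to the round-trip check accepts `--version` as a smoke test of the packed copy.

```sh
#!/bin/sh
# Added example, not from the bug report or the upx project.
# UPX: the upx binary to test; assumed to be the one installed from updates_testing.
UPX=${UPX:-upx}

# classify_run CMD [ARGS...]: run a command and report how it ended.
#   ok       exit status 0
#   refused  non-zero status below 128: a clean error, such as the
#            "CantPackException: bad Elf64_Dynamic[DT_RELA]" in the comments above
#   crashed  status 128+N: the process was killed by signal N
#            (11 = SIGSEGV, the "Segmentation fault" the unpatched build produced)
classify_run() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -lt 128 ]; then
        echo refused
    else
        echo "crashed (signal $((status - 128)))"
    fi
}

# poc_check POCFILE: feed a PoC file to upx. The patched upx must refuse the
# malformed input (or, for the tar.gz PoC, report a compressed data violation);
# a crash means the fix is missing. Returns 1 on a crash, 0 otherwise.
poc_check() {
    result=$(classify_run "$UPX" "$1")
    echo "$1: $result"
    case $result in
        crashed*) return 1 ;;
        *)        return 0 ;;
    esac
}

# roundtrip_check ORIGINAL WORKDIR: pack a copy of ORIGINAL, confirm the packed
# copy still runs (assumes it accepts --version), unpack it to a clone and
# byte-compare the clone with the original, as the test comments did with diff.
# Returns non-zero if any step fails or the clone differs from the original.
roundtrip_check() {
    orig=$1
    work=$2
    name=$(basename "$orig")
    mkdir -p "$work" || return 1
    cp "$orig" "$work/$name" || return 1
    "$UPX" -q "$work/$name" || return 1                       # compress in place
    "$work/$name" --version >/dev/null 2>&1 || return 1       # packed copy still runs
    "$UPX" -q -d -o "$work/$name.clone" -f "$work/$name" || return 1
    cmp "$work/$name.clone" "$orig"                           # must be byte-identical
}

# Usage, mirroring the comments above (PoC files from the upstream issues):
#   poc_check poc-heap-buffer-overflow-get_le32.tar.gz
#   poc_check upx_crash_p_lx_elf_dev_2490
#   roundtrip_check /bin/celestia /tmp/upx-qa
```

The distinction `classify_run` draws is the one that matters for this update: before the fix the PoC ended with a signal (exit status 139), after it with an ordinary non-zero exit and a CantPackException message, so a QA script can tell "fixed" from "still crashing" without reading the output.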
Validating. Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0241.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED