31449 – upx new security issues CVE-2023-2345[67]

Bug 31449 - upx new security issues CVE-2023-2345[67]

Summary: upx new security issues CVE-2023-2345[67]

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	8
Hardware:	All Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA8-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2023-01-23 22:04 CET by David Walser
Modified:	2023-02-20 22:27 CET (History)
CC List:	6 users (show)

See Also:
Source RPM:	upx-4.0.1-1.mga9.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2023-01-23 22:04:58 CET

openSUSE has issued an advisory today (January 23):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OY3PZTUNJBOAOSBB3625O5WLS7HRY73I/

Mageia 8 is also affected.

David Walser 2023-01-23 22:05:09 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from upstream and openSUSE

Comment 1 David Walser 2023-01-23 22:20:17 CET

Fedora has issued an advisory on January 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TGEP3FBNRZXGLIA2B2ICMB32JVMPREFZ/

There were actually two security issues fixed upstream post-4.0.1.

Summary: upx new security issue CVE-2023-23457 => upx new security issues CVE-2023-2345[67]
Status comment: Patches available from upstream and openSUSE => Patches available from upstream and Fedora

David Walser 2023-01-23 22:20:48 CET

Severity: normal => major

Comment 2 David GEIGER 2023-01-23 22:34:36 CET

Cauldron is already fixed with release 4.0.1 and 2 patches.

CC: (none) => geiger.david68210

Comment 3 David Walser 2023-01-23 23:43:21 CET

You should have filed a bug then.

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 4 Marja Van Waes 2023-02-04 23:18:42 CET

Assigning to all packagers collectively, because there is no registered maintainer for this package

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 5 David GEIGER 2023-02-11 06:18:53 CET

Done for mga8! updating to 4.0.2 release.

Comment 6 David Walser 2023-02-11 19:44:36 CET

upx-4.0.2-1.mga8

from upx-4.0.2-1.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs
Status comment: Patches available from upstream and Fedora => (none)

Comment 7 Herman Viaene 2023-02-14 10:52:35 CET

MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Ref bug 29016 Comment 5 for testing:
cd tmp/upxtest/
$ upx --version
upx 4.0.2
UCL data compression library 1.03
zlib data compression library 1.2.13.1-motley
LZMA SDK version 4.43
doctest C++ testing framework version 2.4.9
Copyright (C) 1996-2023 Markus Franz Xaver Johannes Oberhumer
and more.....
UPX comes with ABSOLUTELY NO WARRANTY; for details type 'upx -L'.
$ upx -L
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2023
UPX 4.0.2       Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 30th 2023

   This program may be used freely, and you are welcome to
and more ....
$ cp /bin/blender .
$ ll blender
-rwxr-xr-x 1 tester8 tester8 80046904 Feb 14 10:27 blender*
$ upx blender
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2023
UPX 4.0.2       Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 30th 2023

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
  80046904 ->  31067232   38.81%   linux/amd64   blender                       

Packed 1 file.
$ ll blender
-rwxr-xr-x 1 tester8 tester8 31067232 Feb 14 10:27 blender*
Definitely smaller size
$ upx -d -o blender.clone -f blender
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2023
UPX 4.0.2       Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 30th 2023

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
[WARNING] bad b_info at 0x1cef6aa

[WARNING] ... recovery at 0x1cef6aa

  80050472 <-  31067232   38.81%   linux/amd64   blender.clone

Unpacked 1 file.
$ ./blender.clone
Read prefs: /home/tester8/.config/blender/2.83/config/userpref.blend
Blender opened, I could select Video editing, added an mpg file and played it in the View, seems OK
$ ./blender
Read prefs: /home/tester8/.config/blender/2.83/config/userpref.blend
Saved session recovery to '/tmp/quit.blend'

Blender quit
Also opened correcly, select Video editing, added an avi file and played it in the View, seems OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 8 Thomas Andrews 2023-02-15 21:35:45 CET

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-02-20 20:51:10 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 9 Mageia Robot 2023-02-20 22:27:02 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0052.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.