Fedora has issued an advisory on April 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZHWZN2NX5W3WYA6ACJ746PAZXXNZETKD/

The problem is fixed in 4.2.3, which is already in Cauldron, so only Mageia 9 is affected.
Source RPM: (none) => upx-4.0.2-1.mga9.src.rpm
CVE: (none) => CVE-2024-3209
Assigning to you, David; you already put version 4.2.3 in Cauldron, and have been the main committer of this pkg.
Assignee: bugsquad => geiger.david68210
Status comment: (none) => fixed in 4.2.3 already in Cauldron, so only for Mageia 9
Assigning to QA,

Packages in 9/Core/Updates_testing:
======================
upx-4.2.3-1.mga9

From SRPMS:
upx-4.2.3-1.mga9.src.rpm
Assignee: geiger.david68210 => qa-bugs
Keywords: (none) => advisory
Mageia9, x86_64

upx is an executable compression tool.
Made a copy of celestia and compressed it using the 'better' option.

$ ll
total 1360
-rwxr-xr-x 1 lcl lcl 692696 Apr 13 17:15 celestia*
-rwxr-xr-x 1 lcl lcl 692696 Apr 13 17:15 celestia.bak*

$ upx -k -9 -o celestina celestia
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2023
UPX 4.0.2 Markus Oberhumer, Laszlo Molnar & John Reiser Jan 30th 2023

File size             Ratio    Format        Name
--------------------  ------   -----------   -----------
692696 -> 270672      39.08%   linux/amd64   celestina

Packed 1 file.

$ ll
total 1628
-rwxr-xr-x 1 lcl lcl 692696 Apr 13 17:15 celestia*
-rwxr-xr-x 1 lcl lcl 692696 Apr 13 17:15 celestia.bak*
-rwxr-xr-x 1 lcl lcl 270672 Apr 13 17:15 celestina*

$ upx -t celestina
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2023
UPX 4.0.2 Markus Oberhumer, Laszlo Molnar & John Reiser Jan 30th 2023

testing celestina [OK]

Tested 1 file.

$ ./celestina
That launched Celestia as normal, without any delay.
So, working OK before update.

Updated upx via qarepo...

Tried uncompressing celestina;

$ upx -d -o celestia.copy celestina
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2024
UPX 4.2.3 Markus Oberhumer, Laszlo Molnar & John Reiser Mar 27th 2024

File size             Ratio    Format        Name
--------------------  ------   -----------   -----------
700527 <- 270672      38.64%   linux/amd64   celestia.copy

Unpacked 1 file.

$ ll
total 2308
-rwxr-xr-x 1 lcl lcl 692696 Apr 13 17:15 celestia*
-rwxr-xr-x 1 lcl lcl 692696 Apr 13 17:15 celestia.bak*
-rwxr-xr-x 1 lcl lcl 692696 Apr 13 17:15 celestia.copy*
-rwxr-xr-x 1 lcl lcl 270672 Apr 13 17:15 celestina*

and celestia.copy works.

Tried compressing celestia again:

$ upx -1 --lzma -o celestina.new celestia
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2024
UPX 4.2.3 Markus Oberhumer, Laszlo Molnar & John Reiser Mar 27th 2024

File size             Ratio    Format        Name
--------------------  ------   -----------   -----------
692696 -> 238992      34.50%   linux/amd64   celestina.new

Packed 1 file.

$ upx -t celestina.new
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2024
UPX 4.2.3 Markus Oberhumer, Laszlo Molnar & John Reiser Mar 27th 2024

testing celestina.new [OK]

Tested 1 file.

$ ./celestina.new
and the compressed version works just like celestia.

There is a lot more to this utility but this should suffice for an OK. Ran the previous commands
CC: (none) => tarazed25
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0134.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED