CVE-2021-43311 (https://github.com/upx/upx/issues/380): A heap-based buffer overflow was discovered in upx, during the generic pointer 'p' points to an inaccessible address in func get_le32(). The problem is essentially caused in PackLinuxElf32::elf_lookup() at p_lx_elf.cpp:5382. CVE-2021-43312 (https://github.com/upx/upx/issues/379): A heap-based buffer overflow was discovered in upx, during the variable 'bucket' points to an inaccessible address. The issue is being triggered in the function PackLinuxElf64::invert_pt_dynamic at p_lx_elf.cpp:5239. CVE-2021-43313 (https://github.com/upx/upx/issues/378): A heap-based buffer overflow was discovered in upx, during the variable 'bucket' points to an inaccessible address. The issue is being triggered in the function PackLinuxElf32::invert_pt_dynamic at p_lx_elf.cpp:1688. CVE-2021-43314 (https://github.com/upx/upx/issues/380): A heap-based buffer overflows was discovered in upx, during the generic pointer 'p' points to an inaccessible address in func get_le32(). The problem is essentially caused in PackLinuxElf32::elf_lookup() at p_lx_elf.cpp:5368 CVE-2021-43315 (https://github.com/upx/upx/issues/380): A heap-based buffer overflows was discovered in upx, during the generic pointer 'p' points to an inaccessible address in func get_le32(). The problem is essentially caused in PackLinuxElf32::elf_lookup() at p_lx_elf.cpp:5349 CVE-2021-43316 (https://github.com/upx/upx/issues/381): A heap-based buffer overflow was discovered in upx, during the generic pointer 'p' points to an inaccessible address in func get_le64(). CVE-2021-43317 (https://github.com/upx/upx/issues/380): A heap-based buffer overflows was discovered in upx, during the generic pointer 'p' points to an inaccessible address in func get_le32(). The problem is essentially caused in PackLinuxElf64::elf_lookup() at p_lx_elf.cpp:5404 Unsure if these patches were pulled into upx-4.0.1-r1, but I guess we can just clean up?
There no vulnerable package versions in tree.
