Summary: | <app-arch/upx{-bin,}-4.0.0: heap buffer overflow in p_lx_elf.cpp (CVE-2020-24119) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | trivial | CC: | azamat.hackimov, proxy-maint |
Priority: | Normal | Keywords: | PullRequest |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://github.com/upx/upx/issues/388 | ||
See Also: |
https://bugs.gentoo.org/show_bug.cgi?id=778530 https://github.com/gentoo/gentoo/pull/20914 https://bugs.gentoo.org/show_bug.cgi?id=792348 https://github.com/gentoo/gentoo/pull/28041 |
||
Whiteboard: | ~3 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Sam James
2021-05-15 01:06:06 UTC
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=185c785c239b6e5f7fcadc14be183c2f5fb37cfe commit 185c785c239b6e5f7fcadc14be183c2f5fb37cfe Author: Azamat H. Hackimov <azamat.hackimov@gmail.com> AuthorDate: 2021-05-21 19:36:03 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2021-05-23 16:53:07 +0000 app-arch/upx: fix CVE-2020-24119 Bug: https://bugs.gentoo.org/790281 Package-Manager: Portage-3.0.18, Repoman-3.0.2 Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com> Closes: https://github.com/gentoo/gentoo/pull/20914 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> app-arch/upx/files/upx-3.96_CVE-2020-24119.patch | 34 +++++++++++++++++++++ app-arch/upx/upx-3.96-r2.ebuild | 39 ++++++++++++++++++++++++ 2 files changed, 73 insertions(+) Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. No vulnerable versions left in tree. (Patch for this vuln is already in tree.) See: https://gitweb.gentoo.org/repo/gentoo.git/tree/app-arch/upx/upx-3.96-r2.ebuild https://github.com/upx/upx/commit/87b73e5cfdc12da94c251b2cd83bb01c7d9f616c https://github.com/upx/upx/issues/388 I'd recommend to close this one... Binary version still vulnerable. (In reply to Azamat H. Hackimov from comment #9) > Binary version still vulnerable. Can we last rite it? (In reply to John Helmert III from comment #10) > (In reply to Azamat H. Hackimov from comment #9) > > Binary version still vulnerable. > > Can we last rite it? app-arch/upx-bin is reverse dependency for media-video/tsmuxer (#857153, resolved in https://github.com/gentoo/gentoo/pull/14665). And why we should last rite it? upx-bin has proprietary NRV compression library, which not available in opensource upx (In reply to Azamat H. Hackimov from comment #11) > (In reply to John Helmert III from comment #10) > > (In reply to Azamat H. Hackimov from comment #9) > > > Binary version still vulnerable. > > > > Can we last rite it? > > app-arch/upx-bin is reverse dependency for media-video/tsmuxer (#857153, > resolved in https://github.com/gentoo/gentoo/pull/14665). And why we should > last rite it? upx-bin has proprietary NRV compression library, which not > available in opensource upx To resolve this bug. Didn't notice -bin had any reverse dependencies. Does tsmuxer still really require -bin? It looks like it's at least several years out of date and is itself vulnerable. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0079cd3b6bd983ac029d76507960a3cf40413ae4 commit 0079cd3b6bd983ac029d76507960a3cf40413ae4 Author: Azamat H. Hackimov <azamat.hackimov@gmail.com> AuthorDate: 2022-10-30 12:37:24 +0000 Commit: Conrad Kostecki <conikost@gentoo.org> CommitDate: 2022-10-31 22:50:58 +0000 app-arch/upx-bin: add 4.0.0 Bug: https://bugs.gentoo.org/778530 Bug: https://bugs.gentoo.org/790281 Bug: https://bugs.gentoo.org/792348 Bug: https://bugs.gentoo.org/866794 Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com> Signed-off-by: Conrad Kostecki <conikost@gentoo.org> app-arch/upx-bin/Manifest | 7 +++++++ app-arch/upx-bin/upx-bin-4.0.0.ebuild | 39 +++++++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5f6c4062375fef16a763f3d413b099addef73432 commit 5f6c4062375fef16a763f3d413b099addef73432 Author: Azamat H. Hackimov <azamat.hackimov@gmail.com> AuthorDate: 2022-10-30 11:49:41 +0000 Commit: Conrad Kostecki <conikost@gentoo.org> CommitDate: 2022-10-31 22:50:57 +0000 app-arch/upx: add 4.0.0 Bug: https://bugs.gentoo.org/778530 Bug: https://bugs.gentoo.org/790281 Bug: https://bugs.gentoo.org/792348 Bug: https://bugs.gentoo.org/866794 Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com> Signed-off-by: Conrad Kostecki <conikost@gentoo.org> app-arch/upx/Manifest | 1 + app-arch/upx/upx-4.0.0.ebuild | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+) |