Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 866794 (CVE-2020-27796, CVE-2020-27797, CVE-2020-27799, CVE-2020-27800, CVE-2020-27801, CVE-2020-27802)

Summary: <app-arch/upx{-bin,}-4.0.0: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: azamat.hackimov, mgorny, proxy-maint
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/gentoo/gentoo/pull/28041
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-26 17:34:17 UTC 
CVE-2020-27796 (https://github.com/upx/upx/issues/392):

A heap-based buffer over-read was discovered in the invert_pt_dynamic function in p_lx_elf.cpp in UPX 4.0.0 via a crafted Mach-O file.

CVE-2020-27797 (https://github.com/upx/upx/issues/390):

An invalid memory address reference was discovered in the elf_lookup function in p_lx_elf.cpp in UPX 4.0.0 via a crafted Mach-O file.

CVE-2020-27799 (https://github.com/upx/upx/issues/391):

A heap-based buffer over-read was discovered in the acc_ua_get_be32 function in miniacc.h in UPX 4.0.0 via a crafted Mach-O file.

CVE-2020-27800 (https://github.com/upx/upx/issues/395):

A heap-based buffer over-read was discovered in the get_le32 function in bele.h in UPX 4.0.0 via a crafted Mach-O file.

CVE-2020-27801 (https://github.com/upx/upx/issues/394):

A heap-based buffer over-read was discovered in the get_le64 function in bele.h in UPX 4.0.0 via a crafted Mach-O file.

CVE-2020-27802 (https://github.com/upx/upx/issues/393):

An floating point exception was discovered in the elf_lookup function in p_lx_elf.cpp in UPX 4.0.0 via a crafted Mach-O file.

Patches: https://github.com/upx/upx/commit/7d093174597483053e95f07d9f4614024c09890e
https://github.com/upx/upx/commit/8764fdc24c31c21dc43b2a2f99eb8c48a34e5e9c
https://github.com/upx/upx/commit/76cd518110a9e7597363012ff4e31bcd526a081e
https://github.com/upx/upx/commit/49edccd7165696dcc0bf79f50cae4011313ddd28
https://github.com/upx/upx/commit/8d1d605b3d8c49bdfe9376454f0196738bed8166

Do we need to poke upstream to release another binary?
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-08-27 06:00:49 UTC 
For -bin, probably yes.

Do you happen to know if any of these vulnerabilities affect generated executables?
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-27 21:33:21 UTC 
I have no familiarity with UPX, so I'd defer to Azamat there
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-07 23:14:16 UTC 
Azamat, can we last rite upx-bin now that it doesn't have any reverse dependencies?
Comment 4 Azamat H. Hackimov 2022-09-16 03:04:47 UTC 
Hello.

I would wait for the 4.0.0 release, but for now we can mask the upx-bin package for a while.

<app-arch/upx-bin-4.0.0
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-16 04:19:16 UTC 
(In reply to Azamat H. Hackimov from comment #4)
> Hello.
> 
> I would wait for the 4.0.0 release, but for now we can mask the upx-bin
> package for a while.
> 
> <app-arch/upx-bin-4.0.0

I'm not sure it's sane to have to fight with an unstable leaf package like this.
Comment 6 Larry the Git Cow gentoo-dev 2022-10-31 22:51:18 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0079cd3b6bd983ac029d76507960a3cf40413ae4

commit 0079cd3b6bd983ac029d76507960a3cf40413ae4
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2022-10-30 12:37:24 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2022-10-31 22:50:58 +0000

    app-arch/upx-bin: add 4.0.0
    
    Bug: https://bugs.gentoo.org/778530
    Bug: https://bugs.gentoo.org/790281
    Bug: https://bugs.gentoo.org/792348
    Bug: https://bugs.gentoo.org/866794
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 app-arch/upx-bin/Manifest             |  7 +++++++
 app-arch/upx-bin/upx-bin-4.0.0.ebuild | 39 +++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5f6c4062375fef16a763f3d413b099addef73432

commit 5f6c4062375fef16a763f3d413b099addef73432
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2022-10-30 11:49:41 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2022-10-31 22:50:57 +0000

    app-arch/upx: add 4.0.0
    
    Bug: https://bugs.gentoo.org/778530
    Bug: https://bugs.gentoo.org/790281
    Bug: https://bugs.gentoo.org/792348
    Bug: https://bugs.gentoo.org/866794
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 app-arch/upx/Manifest         |  1 +
 app-arch/upx/upx-4.0.0.ebuild | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-01 04:08:20 UTC 
Thanks, all done!