Description: "A heap buffer overflow read was discovered in upx 4.0.0, because the check in p_lx_elf.cpp is not perfect." Patch available: https://github.com/upx/upx/issues/388
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=185c785c239b6e5f7fcadc14be183c2f5fb37cfe commit 185c785c239b6e5f7fcadc14be183c2f5fb37cfe Author: Azamat H. Hackimov <azamat.hackimov@gmail.com> AuthorDate: 2021-05-21 19:36:03 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2021-05-23 16:53:07 +0000 app-arch/upx: fix CVE-2020-24119 Bug: https://bugs.gentoo.org/790281 Package-Manager: Portage-3.0.18, Repoman-3.0.2 Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com> Closes: https://github.com/gentoo/gentoo/pull/20914 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> app-arch/upx/files/upx-3.96_CVE-2020-24119.patch | 34 +++++++++++++++++++++ app-arch/upx/upx-3.96-r2.ebuild | 39 ++++++++++++++++++++++++ 2 files changed, 73 insertions(+)
Package list is empty or all packages have requested keywords.
No vulnerable versions left in tree. (Patch for this vuln is already in tree.) See: https://gitweb.gentoo.org/repo/gentoo.git/tree/app-arch/upx/upx-3.96-r2.ebuild https://github.com/upx/upx/commit/87b73e5cfdc12da94c251b2cd83bb01c7d9f616c https://github.com/upx/upx/issues/388 I'd recommend to close this one...
Binary version still vulnerable.
(In reply to Azamat H. Hackimov from comment #9) > Binary version still vulnerable. Can we last rite it?
(In reply to John Helmert III from comment #10) > (In reply to Azamat H. Hackimov from comment #9) > > Binary version still vulnerable. > > Can we last rite it? app-arch/upx-bin is reverse dependency for media-video/tsmuxer (#857153, resolved in https://github.com/gentoo/gentoo/pull/14665). And why we should last rite it? upx-bin has proprietary NRV compression library, which not available in opensource upx
(In reply to Azamat H. Hackimov from comment #11) > (In reply to John Helmert III from comment #10) > > (In reply to Azamat H. Hackimov from comment #9) > > > Binary version still vulnerable. > > > > Can we last rite it? > > app-arch/upx-bin is reverse dependency for media-video/tsmuxer (#857153, > resolved in https://github.com/gentoo/gentoo/pull/14665). And why we should > last rite it? upx-bin has proprietary NRV compression library, which not > available in opensource upx To resolve this bug. Didn't notice -bin had any reverse dependencies. Does tsmuxer still really require -bin? It looks like it's at least several years out of date and is itself vulnerable.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0079cd3b6bd983ac029d76507960a3cf40413ae4 commit 0079cd3b6bd983ac029d76507960a3cf40413ae4 Author: Azamat H. Hackimov <azamat.hackimov@gmail.com> AuthorDate: 2022-10-30 12:37:24 +0000 Commit: Conrad Kostecki <conikost@gentoo.org> CommitDate: 2022-10-31 22:50:58 +0000 app-arch/upx-bin: add 4.0.0 Bug: https://bugs.gentoo.org/778530 Bug: https://bugs.gentoo.org/790281 Bug: https://bugs.gentoo.org/792348 Bug: https://bugs.gentoo.org/866794 Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com> Signed-off-by: Conrad Kostecki <conikost@gentoo.org> app-arch/upx-bin/Manifest | 7 +++++++ app-arch/upx-bin/upx-bin-4.0.0.ebuild | 39 +++++++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5f6c4062375fef16a763f3d413b099addef73432 commit 5f6c4062375fef16a763f3d413b099addef73432 Author: Azamat H. Hackimov <azamat.hackimov@gmail.com> AuthorDate: 2022-10-30 11:49:41 +0000 Commit: Conrad Kostecki <conikost@gentoo.org> CommitDate: 2022-10-31 22:50:57 +0000 app-arch/upx: add 4.0.0 Bug: https://bugs.gentoo.org/778530 Bug: https://bugs.gentoo.org/790281 Bug: https://bugs.gentoo.org/792348 Bug: https://bugs.gentoo.org/866794 Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com> Signed-off-by: Conrad Kostecki <conikost@gentoo.org> app-arch/upx/Manifest | 1 + app-arch/upx/upx-4.0.0.ebuild | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+)
