CVE-2020-27796 (https://github.com/upx/upx/issues/392):
A heap-based buffer over-read was discovered in the invert_pt_dynamic function in p_lx_elf.cpp in UPX 4.0.0 via a crafted Mach-O file.

CVE-2020-27797 (https://github.com/upx/upx/issues/390):
An invalid memory address reference was discovered in the elf_lookup function in p_lx_elf.cpp in UPX 4.0.0 via a crafted Mach-O file.

CVE-2020-27799 (https://github.com/upx/upx/issues/391):
A heap-based buffer over-read was discovered in the acc_ua_get_be32 function in miniacc.h in UPX 4.0.0 via a crafted Mach-O file.

CVE-2020-27800 (https://github.com/upx/upx/issues/395):
A heap-based buffer over-read was discovered in the get_le32 function in bele.h in UPX 4.0.0 via a crafted Mach-O file.

CVE-2020-27801 (https://github.com/upx/upx/issues/394):
A heap-based buffer over-read was discovered in the get_le64 function in bele.h in UPX 4.0.0 via a crafted Mach-O file.

CVE-2020-27802 (https://github.com/upx/upx/issues/393):
A floating point exception was discovered in the elf_lookup function in p_lx_elf.cpp in UPX 4.0.0 via a crafted Mach-O file.

Patches:
https://github.com/upx/upx/commit/7d093174597483053e95f07d9f4614024c09890e
https://github.com/upx/upx/commit/8764fdc24c31c21dc43b2a2f99eb8c48a34e5e9c
https://github.com/upx/upx/commit/76cd518110a9e7597363012ff4e31bcd526a081e
https://github.com/upx/upx/commit/49edccd7165696dcc0bf79f50cae4011313ddd28
https://github.com/upx/upx/commit/8d1d605b3d8c49bdfe9376454f0196738bed8166

Do we need to poke upstream to release another binary?
For -bin, probably yes. Do you happen to know if any of these vulnerabilities affect generated executables?
I have no familiarity with UPX, so I'd defer to Azamat there
Azamat, can we last rite upx-bin now that it doesn't have any reverse dependencies?
Hello.

I would wait for the 4.0.0 release, but for now we can mask the upx-bin package for a while.

<app-arch/upx-bin-4.0.0
(In reply to Azamat H. Hackimov from comment #4)
> Hello.
>
> I would wait for the 4.0.0 release, but for now we can mask the upx-bin
> package for a while.
>
> <app-arch/upx-bin-4.0.0

I'm not sure it's sane to have to fight with an unstable leaf package like this.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0079cd3b6bd983ac029d76507960a3cf40413ae4

commit 0079cd3b6bd983ac029d76507960a3cf40413ae4
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2022-10-30 12:37:24 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2022-10-31 22:50:58 +0000

    app-arch/upx-bin: add 4.0.0

    Bug: https://bugs.gentoo.org/778530
    Bug: https://bugs.gentoo.org/790281
    Bug: https://bugs.gentoo.org/792348
    Bug: https://bugs.gentoo.org/866794
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 app-arch/upx-bin/Manifest             |  7 +++++++
 app-arch/upx-bin/upx-bin-4.0.0.ebuild | 39 +++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5f6c4062375fef16a763f3d413b099addef73432

commit 5f6c4062375fef16a763f3d413b099addef73432
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2022-10-30 11:49:41 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2022-10-31 22:50:57 +0000

    app-arch/upx: add 4.0.0

    Bug: https://bugs.gentoo.org/778530
    Bug: https://bugs.gentoo.org/790281
    Bug: https://bugs.gentoo.org/792348
    Bug: https://bugs.gentoo.org/866794
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 app-arch/upx/Manifest         |  1 +
 app-arch/upx/upx-4.0.0.ebuild | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)
Thanks, all done!