CVE-2021-20285 (https://github.com/upx/upx/issues/421): A flaw was found in upx canPack in p_lx_elf.cpp in UPX 3.96. This flaw allows attackers to cause a denial of service (SEGV or buffer overflow and application crash) or possibly have unspecified other impacts via a crafted ELF. The highest threat from this vulnerability is to system availability. Looks like there's a patch upstream, please apply if suitable.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=97ac6e82a6949ade17754dc18110dd0f3cd67c5d commit 97ac6e82a6949ade17754dc18110dd0f3cd67c5d Author: Azamat H. Hackimov <azamat.hackimov@gmail.com> AuthorDate: 2021-03-27 12:09:35 +0000 Commit: Conrad Kostecki <conikost@gentoo.org> CommitDate: 2021-03-27 14:26:23 +0000 app-arch/upx: remove old version Bug: https://bugs.gentoo.org/778530 Package-Manager: Portage-3.0.13, Repoman-3.0.2 Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com> Signed-off-by: Conrad Kostecki <conikost@gentoo.org> app-arch/upx/upx-3.96.ebuild | 34 ---------------------------------- 1 file changed, 34 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ec0f3f52f3f3d4dd8a267f5788cd5e440b2f86d2 commit ec0f3f52f3f3d4dd8a267f5788cd5e440b2f86d2 Author: Azamat H. Hackimov <azamat.hackimov@gmail.com> AuthorDate: 2021-03-27 12:08:19 +0000 Commit: Conrad Kostecki <conikost@gentoo.org> CommitDate: 2021-03-27 14:24:13 +0000 app-arch/upx: fix CVE-2021-20285 Patch taken from upstream commit https://github.com/upx/upx/commit/3781df9da23840e596d5e9e8493f22666802fe6c. Bug: https://bugs.gentoo.org/778530 Package-Manager: Portage-3.0.13, Repoman-3.0.2 Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com> Signed-off-by: Conrad Kostecki <conikost@gentoo.org> app-arch/upx/files/upx-3.96_CVE-2021-20285.patch | 76 ++++++++++++++++++++++++ app-arch/upx/upx-3.96-r1.ebuild | 38 ++++++++++++ 2 files changed, 114 insertions(+)
Thank you! I also apologize, I missed -bin at first, that one will need to be done too.
At least for -bin, i guess, we have to wait, until there is a newer version.
Package list is empty or all packages have requested keywords.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0079cd3b6bd983ac029d76507960a3cf40413ae4 commit 0079cd3b6bd983ac029d76507960a3cf40413ae4 Author: Azamat H. Hackimov <azamat.hackimov@gmail.com> AuthorDate: 2022-10-30 12:37:24 +0000 Commit: Conrad Kostecki <conikost@gentoo.org> CommitDate: 2022-10-31 22:50:58 +0000 app-arch/upx-bin: add 4.0.0 Bug: https://bugs.gentoo.org/778530 Bug: https://bugs.gentoo.org/790281 Bug: https://bugs.gentoo.org/792348 Bug: https://bugs.gentoo.org/866794 Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com> Signed-off-by: Conrad Kostecki <conikost@gentoo.org> app-arch/upx-bin/Manifest | 7 +++++++ app-arch/upx-bin/upx-bin-4.0.0.ebuild | 39 +++++++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5f6c4062375fef16a763f3d413b099addef73432 commit 5f6c4062375fef16a763f3d413b099addef73432 Author: Azamat H. Hackimov <azamat.hackimov@gmail.com> AuthorDate: 2022-10-30 11:49:41 +0000 Commit: Conrad Kostecki <conikost@gentoo.org> CommitDate: 2022-10-31 22:50:57 +0000 app-arch/upx: add 4.0.0 Bug: https://bugs.gentoo.org/778530 Bug: https://bugs.gentoo.org/790281 Bug: https://bugs.gentoo.org/792348 Bug: https://bugs.gentoo.org/866794 Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com> Signed-off-by: Conrad Kostecki <conikost@gentoo.org> app-arch/upx/Manifest | 1 + app-arch/upx/upx-4.0.0.ebuild | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+)
