Bug 778530 (CVE-2021-20285) - app-arch/upx{-bin,}: buffer overflow vulnerability (CVE-2021-20285)
Status: CONFIRMED
Alias: CVE-2021-20285
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~3 [upstream/ebuild]
Keywords: PullRequest
Reported: 2021-03-27 01:41 UTC by John Helmert III
Modified: 2021-07-29 18:12 UTC

Description John Helmert III gentoo-dev Security 2021-03-27 01:41:37 UTC
CVE-2021-20285 (https://github.com/upx/upx/issues/421):

A flaw was found in upx canPack in p_lx_elf.cpp in UPX 3.96. This flaw allows attackers to cause a denial of service (SEGV or buffer overflow and application crash) or possibly have unspecified other impacts via a crafted ELF. The highest threat from this vulnerability is to system availability.


Looks like there's a patch upstream, please apply if suitable.
Comment 1 Larry the Git Cow gentoo-dev 2021-03-27 14:26:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=97ac6e82a6949ade17754dc18110dd0f3cd67c5d

commit 97ac6e82a6949ade17754dc18110dd0f3cd67c5d
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2021-03-27 12:09:35 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-03-27 14:26:23 +0000

    app-arch/upx: remove old version
    
    Bug: https://bugs.gentoo.org/778530
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 app-arch/upx/upx-3.96.ebuild | 34 ----------------------------------
 1 file changed, 34 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ec0f3f52f3f3d4dd8a267f5788cd5e440b2f86d2

commit ec0f3f52f3f3d4dd8a267f5788cd5e440b2f86d2
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2021-03-27 12:08:19 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-03-27 14:24:13 +0000

    app-arch/upx: fix CVE-2021-20285
    
    Patch taken from upstream commit
    https://github.com/upx/upx/commit/3781df9da23840e596d5e9e8493f22666802fe6c.
    
    Bug: https://bugs.gentoo.org/778530
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 app-arch/upx/files/upx-3.96_CVE-2021-20285.patch | 76 ++++++++++++++++++++++++
 app-arch/upx/upx-3.96-r1.ebuild                  | 38 ++++++++++++
 2 files changed, 114 insertions(+)
Comment 2 John Helmert III gentoo-dev Security 2021-03-27 15:40:18 UTC
Thank you! I also apologize; I missed -bin at first, and that one will need to be done too.
Comment 3 Conrad Kostecki gentoo-dev 2021-03-27 18:22:33 UTC
At least for -bin, I guess we have to wait until there is a newer version.
Comment 9 NATTkA bot gentoo-dev 2021-07-29 18:12:11 UTC
Package list is empty or all packages have requested keywords.