CVE-2023-23456 (https://github.com/upx/upx/issues/632): A heap-based buffer overflow issue was discovered in UPX in PackTmt::pack() in p_tmt.cpp file. The flow allows an attacker to cause a denial of service (abort) via a crafted file.
Patch: https://github.com/upx/upx/commit/510505a85cbe45e51fbd470f1aa8b02157c429d4

CVE-2023-23457 (https://github.com/upx/upx/issues/631): A Segmentation fault was found in UPX in PackLinuxElf64::invert_pt_dynamic() in p_lx_elf.cpp. An attacker with a crafted input file allows invalid memory address access that could lead to a denial of service.
Patch: https://github.com/upx/upx/commit/779b648c5f6aa9b33f4728f79dd4d0efec0bf860

Both are in the 4.0.2 milestone, which doesn't seem to be released yet.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=184f12a638b19c54c8966c640d837c09622b5c88

commit 184f12a638b19c54c8966c640d837c09622b5c88
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2023-01-13 09:44:16 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2023-01-13 13:05:07 +0000

    app-arch/upx: add 4.0.1-r1, security fixes

    Fixes issues CVE-2023-23456 and CVE-2023-23457.

    Bug: https://bugs.gentoo.org/890616
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/29085
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 app-arch/upx/files/upx-4.0.1-CVE-2023-23456.patch | 61 +++++++++++++++++++++++
 app-arch/upx/files/upx-4.0.1-CVE-2023-23457.patch | 45 +++++++++++++++++
 app-arch/upx/upx-4.0.1-r1.ebuild                  | 35 +++++++++++++
 3 files changed, 141 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0eef8eee1cdd098c9550908515843c7d30f7e63

commit b0eef8eee1cdd098c9550908515843c7d30f7e63
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2023-01-15 20:47:41 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-01-20 01:21:40 +0000

    app-arch/upx: drop 4.0.0, 4.0.1

    Remove vulnerable versions.

    Bug: https://bugs.gentoo.org/890616
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/29126
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/upx/Manifest         |  1 -
 app-arch/upx/upx-4.0.0.ebuild | 23 -----------------------
 app-arch/upx/upx-4.0.1.ebuild | 30 ------------------------------
 3 files changed, 54 deletions(-)
Waiting on an upx-bin bump, then. I think we're back to this question: why don't we treeclean it?
(In reply to John Helmert III from comment #3)
> Waiting on an upx-bin bump, then. I think we're back to this question: why
> don't we treeclean it?

upx and upx-bin provide different features. upx-bin uses the proprietary NRV library, which has some features lacking in upx's default UCL compression library. I don't see any reason to treeclean it, since upstream is not dead, is very responsive, and releases packages with security fixes regularly.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=71a013f90e061c94bb606ef2ba3e48609d64f50a

commit 71a013f90e061c94bb606ef2ba3e48609d64f50a
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2023-02-02 07:22:49 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-02-20 19:45:44 +0000

    app-arch/upx-bin: add 4.0.2, security fix

    Fixes issues CVE-2023-23456 and CVE-2023-23457.

    Bug: https://bugs.gentoo.org/890616
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 app-arch/upx-bin/Manifest             |  7 +++++++
 app-arch/upx-bin/upx-bin-4.0.2.ebuild | 39 +++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)
Please stabilize upx-bin-4.0.2 when ready.
app-arch/upx{,-bin}-4.0.2 stabilized.