meta-virtualization.lists.yoctoproject.org archive mirror
From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: Fathi Boudra <fathi.boudra@linaro.org>
Cc: meta-virtualization@lists.yoctoproject.org
Subject: Re: [meta-virtualization][kirkstone][PATCH] upx: bump to 4.2.2 release - fixes various CVEs
Date: Thu, 22 Feb 2024 17:16:59 +0000
Message-ID: <ZdeBi3ppuAtTb8vr@gmail.com>
In-Reply-To: <20240222123346.1928883-1-fathi.boudra@linaro.org>

for anyone following and wondering, I've decided to take this patch to
kirkstone, even though it is doing more than just a minor version update.

There are enough CVEs fixed, and few enough users of upx, that the risk
is low.

I've also scanned the changelog, and don't see anything that looks to
be incompatible with existing uses.

Bruce

In message: [meta-virtualization][kirkstone][PATCH] upx: bump to 4.2.2 release - fixes various CVEs
on 22/02/2024 Fathi Boudra wrote:

> Update upx recipe from 3.96 to 4.2.2 release:
>  * Use the gitsm fetcher to get the source code.
>  * Add a note to keep using the git repository.
>  * Update the homepage.
>  * Drop the build dependencies as they're useless. UPX builds using the
>    vendor subdirectory, statically linking the libraries.
> 
> Fixes CVEs:
> * https://www.cve.org/CVERecord?id=CVE-2023-23456 A heap-based buffer overflow
> issue was discovered in UPX in PackTmt::pack() in p_tmt.cpp file. The flow
> allows an attacker to cause a denial of service (abort) via a crafted file.
> * https://www.cve.org/CVERecord?id=CVE-2023-23457 A Segmentation fault was found
> in UPX in PackLinuxElf64::invert_pt_dynamic() in p_lx_elf.cpp. An attacker with
> a crafted input file allows invalid memory address access that could lead to a
> denial of service.
> * https://www.cve.org/CVERecord?id=CVE-2021-46179 Reachable Assertion
> vulnerability in upx before 4.0.0 allows attackers to cause a denial of service
> via a crafted file passed to the readx function.
> * https://www.cve.org/CVERecord?id=CVE-2021-43317 A heap-based buffer overflow
> was discovered in upx, during the generic pointer 'p' points to an inaccessible
> address in func get_le32(). The problem is essentially caused in
> PackLinuxElf64::elf_lookup() at p_lx_elf.cpp:5404
> * https://www.cve.org/CVERecord?id=CVE-2021-43316 A heap-based buffer overflow
> was discovered in upx, during the generic pointer 'p' points to an inaccessible
> address in func get_le64().
> * https://www.cve.org/CVERecord?id=CVE-2021-43315 A heap-based buffer overflow
> was discovered in upx, during the generic pointer 'p' points to an inaccessible
> address in func get_le32(). The problem is essentially caused in
> PackLinuxElf32::elf_lookup() at p_lx_elf.cpp:5349
> * https://www.cve.org/CVERecord?id=CVE-2021-43314 A heap-based buffer overflow
> was discovered in upx, during the generic pointer 'p' points to an inaccessible
> address in func get_le32(). The problem is essentially caused in
> PackLinuxElf32::elf_lookup() at p_lx_elf.cpp:5368
> * https://www.cve.org/CVERecord?id=CVE-2021-43313 A heap-based buffer overflow
> was discovered in upx, during the variable 'bucket' points to an inaccessible
> address. The issue is being triggered in the function
> PackLinuxElf32::invert_pt_dynamic at p_lx_elf.cpp:1688.
> * https://www.cve.org/CVERecord?id=CVE-2021-43312 A heap-based buffer overflow
> was discovered in upx, during the variable 'bucket' points to an inaccessible
> address. The issue is being triggered in the function
> PackLinuxElf64::invert_pt_dynamic at p_lx_elf.cpp:5239.
> * https://www.cve.org/CVERecord?id=CVE-2021-43311 A heap-based buffer overflow
> was discovered in upx, during the generic pointer 'p' points to an inaccessible
> address in func get_le32(). The problem is essentially caused in
> PackLinuxElf32::elf_lookup() at p_lx_elf.cpp:5382.
> * https://www.cve.org/CVERecord?id=CVE-2021-30501 An assertion abort was found
> in upx MemBuffer::alloc() in mem.cpp, in version UPX 4.0.0. The flow allows
> attackers to cause a denial of service (abort) via a crafted file.
> * https://www.cve.org/CVERecord?id=CVE-2021-30500 Null pointer dereference was
> found in upx PackLinuxElf::canUnpack() in p_lx_elf.cpp, in version UPX 4.0.0.
> That allows attackers to execute arbitrary code and cause a denial of service
> via a crafted file.
> * https://www.cve.org/CVERecord?id=CVE-2021-20285 A flaw was found in upx
> canPack in p_lx_elf.cpp in UPX 3.96. This flaw allows attackers to cause a
> denial of service (SEGV or buffer overflow and application crash) or possibly
> have unspecified other impacts via a crafted ELF. The highest threat from this
> vulnerability is to system availability.
> * https://www.cve.org/CVERecord?id=CVE-2020-27802 A floating point exception
> was discovered in the elf_lookup function in p_lx_elf.cpp in UPX 4.0.0 via a
> crafted Mach-O file.
> * https://www.cve.org/CVERecord?id=CVE-2020-27801 A heap-based buffer over-read
> was discovered in the get_le64 function in bele.h in UPX 4.0.0 via a crafted
> Mach-O file.
> * https://www.cve.org/CVERecord?id=CVE-2020-27800 A heap-based buffer over-read
> was discovered in the get_le32 function in bele.h in UPX 4.0.0 via a crafted
> Mach-O file.
> * https://www.cve.org/CVERecord?id=CVE-2020-27799 A heap-based buffer over-read
> was discovered in the acc_ua_get_be32 function in miniacc.h in UPX 4.0.0 via a
> crafted Mach-O file.
> * https://www.cve.org/CVERecord?id=CVE-2020-27798 An invalid memory address
> reference was discovered in the adjABS function in p_lx_elf.cpp in UPX 4.0.0
> via a crafted Mach-O file.
> * https://www.cve.org/CVERecord?id=CVE-2020-27797 An invalid memory address
> reference was discovered in the elf_lookup function in p_lx_elf.cpp in UPX
> 4.0.0 via a crafted Mach-O file.
> * https://www.cve.org/CVERecord?id=CVE-2020-27796 A heap-based buffer over-read
> was discovered in the invert_pt_dynamic function in p_lx_elf.cpp in UPX 4.0.0
> via a crafted Mach-O file.
> 
> Signed-off-by: Fathi Boudra <fathi.boudra@linaro.org>
> ---
>  recipes-extended/upx/upx_git.bb | 43 ++++++---------------------------
>  1 file changed, 7 insertions(+), 36 deletions(-)
> 
> diff --git a/recipes-extended/upx/upx_git.bb b/recipes-extended/upx/upx_git.bb
> index bb8004c6..02e70ffe 100644
> --- a/recipes-extended/upx/upx_git.bb
> +++ b/recipes-extended/upx/upx_git.bb
> @@ -1,45 +1,16 @@
> -HOMEPAGE = "http://upx.sourceforge.net"
>  SUMMARY = "Ultimate executable compressor."
> -
> -SRCREV_upx = "8d1a98e03bf281b2cee459b6c27347e56d13c6a8"
> -SRCREV_vendor_doctest = "666e648b68fda2deb141a1fe93e3fd1e2795dd0f"
> -SRCREV_vendor_lzma_sdk = "9ebf8f468c689d83504e6c08c6bc26c4a1cf180f"
> -SRCREV_vendor_ucl = "4b58d592199dc1e5db691e1a54fb0e5e9af0ecaf"
> -SRCREV_vendor_zlib = "2a5b338eb173a701ed179e951d4c390e75e8d4c7"
> -SRCREV_FORMAT = "upx"
> -SRC_URI = "git://github.com/upx/upx;name=upx;branch=devel;protocol=https \
> -           git://github.com/upx/upx-vendor-doctest;name=vendor_doctest;subdir=git/vendor/doctest;branch=upx-vendor;protocol=https \
> -           git://github.com/upx/upx-vendor-lzma-sdk;name=vendor_lzma_sdk;subdir=git/vendor/lzma-sdk;branch=upx-vendor;protocol=https \
> -           git://github.com/upx/upx-vendor-ucl;name=vendor_ucl;subdir=git/vendor/ucl;branch=upx-vendor;protocol=https \
> -           git://github.com/upx/upx-vendor-zlib;name=vendor_zlib;subdir=git/vendor/zlib;branch=upx-vendor;protocol=https \
> -"
> -
> +HOMEPAGE = "* https://upx.github.io/"
>  LICENSE = "GPL-2.0-only"
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=353753597aa110e0ded3508408c6374a"
> +SRCREV_upx = "099c3d829e80488af7395a4242b318877e980da4"
> +PV = "4.2.2+git${SRCPV}"
>  
> -DEPENDS = "zlib libucl xz cmake-native"
> -
> -# inherit cmake
> +# Note: DO NOT use released tarball in favor of the git repository with submodules.
> +# it makes maintenance easier for CVEs or other issues.
> +SRC_URI = "gitsm://github.com/upx/upx;protocol=https;;name=upx;branch=devel"
>  
>  S = "${WORKDIR}/git"
>  
> -PV = "3.96+${SRCPV}"
> -
> -EXTRA_OEMAKE += " \
> -    UPX_UCLDIR=${STAGING_DIR_TARGET} \
> -    UPX_LZMADIR=${STAGING_DIR_TARGET} \
> -"
> -
> -# FIXME: The build fails if security flags are enabled
> -SECURITY_CFLAGS = ""
> -
> -do_compile() {
> -    oe_runmake -C src all
> -}
> -
> -do_install:append() {
> -    install -d ${D}${bindir}
> -    install -m 755 ${B}/build/release/upx ${D}${bindir}/upx
> -}
> +inherit pkgconfig cmake
>  
>  BBCLASSEXTEND = "native"
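Review bot: two of the added lines in this hunk carry typos that should be fixed before this lands. The new `HOMEPAGE = "* https://upx.github.io/"` has a stray `* ` inside the quoted value (it looks like a bullet copied from the commit message) and should read `HOMEPAGE = "https://upx.github.io/"`; the new `SRC_URI` has a doubled separator in `protocol=https;;name=upx` and should use a single `;`. Separately, the hunk drops the `# FIXME: The build fails if security flags are enabled` / `SECURITY_CFLAGS = ""` override, which re-enables the distro's hardening CFLAGS for upx; that is a welcome side effect of the bump, but the commit message does not mention it, so a line stating that 4.2.2 now builds with the default security flags would make the change easier to audit when backporting.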
> -- 
> 2.43.0
> 




Thread overview: 2+ messages
2024-02-22 12:33 [meta-virtualization][kirkstone][PATCH] upx: bump to 4.2.2 release - fixes various CVEs Fathi Boudra
2024-02-22 17:16 ` Bruce Ashfield [this message]
