From: Fathi Boudra <fathi.boudra@linaro.org>
To: meta-virtualization@lists.yoctoproject.org
Cc: Fathi Boudra <fathi.boudra@linaro.org>
Subject: [meta-virtualization][kirkstone][PATCH] upx: bump to 4.2.2 release - fixes various CVEs
Date: Thu, 22 Feb 2024 13:33:46 +0100 [thread overview]
Message-ID: <20240222123346.1928883-1-fathi.boudra@linaro.org> (raw)
Update upx recipe from 3.96 to 4.2.2 release:
* Use the gitsm fetcher to get the source code.
* Add a note to keep using the git repository.
* Update the homepage.
* Drop the build dependencies as they're useless. UPX builds using the
vendor subdirectory, statically linking the libraries.
Fixes CVEs:
* https://www.cve.org/CVERecord?id=CVE-2023-23456 A heap-based buffer overflow
issue was discovered in UPX in PackTmt::pack() in p_tmt.cpp file. The flow
allows an attacker to cause a denial of service (abort) via a crafted file.
* https://www.cve.org/CVERecord?id=CVE-2023-23457 A Segmentation fault was found
in UPX in PackLinuxElf64::invert_pt_dynamic() in p_lx_elf.cpp. An attacker with
a crafted input file allows invalid memory address access that could lead to a
denial of service.
* https://www.cve.org/CVERecord?id=CVE-2021-46179 Reachable Assertion
vulnerability in upx before 4.0.0 allows attackers to cause a denial of service
via crafted file passed to the the readx function.
* https://www.cve.org/CVERecord?id=CVE-2021-43317 A heap-based buffer overflows
was discovered in upx, during the generic pointer 'p' points to an inaccessible
address in func get_le32(). The problem is essentially caused in
PackLinuxElf64::elf_lookup() at p_lx_elf.cpp:5404
* https://www.cve.org/CVERecord?id=CVE-2021-43316 A heap-based buffer overflow
was discovered in upx, during the generic pointer 'p' points to an inaccessible
address in func get_le64().
* https://www.cve.org/CVERecord?id=CVE-2021-43315 A heap-based buffer overflows
was discovered in upx, during the generic pointer 'p' points to an inaccessible
address in func get_le32(). The problem is essentially caused in
PackLinuxElf32::elf_lookup() at p_lx_elf.cpp:5349
* https://www.cve.org/CVERecord?id=CVE-2021-43314 A heap-based buffer overflows
was discovered in upx, during the generic pointer 'p' points to an inaccessible
address in func get_le32(). The problem is essentially caused in
PackLinuxElf32::elf_lookup() at p_lx_elf.cpp:5368
* https://www.cve.org/CVERecord?id=CVE-2021-43313 A heap-based buffer overflow
was discovered in upx, during the variable 'bucket' points to an inaccessible
address. The issue is being triggered in the function
PackLinuxElf32::invert_pt_dynamic at p_lx_elf.cpp:1688.
* https://www.cve.org/CVERecord?id=CVE-2021-43312 A heap-based buffer overflow
was discovered in upx, during the variable 'bucket' points to an inaccessible
address. The issue is being triggered in the function
PackLinuxElf64::invert_pt_dynamic at p_lx_elf.cpp:5239.
* https://www.cve.org/CVERecord?id=CVE-2021-43311 A heap-based buffer overflow
was discovered in upx, during the generic pointer 'p' points to an inaccessible
address in func get_le32(). The problem is essentially caused in
PackLinuxElf32::elf_lookup() at p_lx_elf.cpp:5382.
* https://www.cve.org/CVERecord?id=CVE-2021-30501 An assertion abort was found
in upx MemBuffer::alloc() in mem.cpp, in version UPX 4.0.0. The flow allows
attackers to cause a denial of service (abort) via a crafted file.
* https://www.cve.org/CVERecord?id=CVE-2021-30500 Null pointer dereference was
found in upx PackLinuxElf::canUnpack() in p_lx_elf.cpp,in version UPX 4.0.0.
That allow attackers to execute arbitrary code and cause a denial of service
via a crafted file.
* https://www.cve.org/CVERecord?id=CVE-2021-20285 A flaw was found in upx
canPack in p_lx_elf.cpp in UPX 3.96. This flaw allows attackers to cause a
denial of service (SEGV or buffer overflow and application crash) or possibly
have unspecified other impacts via a crafted ELF. The highest threat from this
vulnerability is to system availability.
* https://www.cve.org/CVERecord?id=CVE-2020-27802 An floating point exception
was discovered in the elf_lookup function in p_lx_elf.cpp in UPX 4.0.0 via a
crafted Mach-O file.
* https://www.cve.org/CVERecord?id=CVE-2020-27801 A heap-based buffer over-read
was discovered in the get_le64 function in bele.h in UPX 4.0.0 via a crafted
Mach-O file.
* https://www.cve.org/CVERecord?id=CVE-2020-27800 A heap-based buffer over-read
was discovered in the get_le32 function in bele.h in UPX 4.0.0 via a crafted
Mach-O file.
* https://www.cve.org/CVERecord?id=CVE-2020-27799 A heap-based buffer over-read
was discovered in the acc_ua_get_be32 function in miniacc.h in UPX 4.0.0 via a
crafted Mach-O file.
* https://www.cve.org/CVERecord?id=CVE-2020-27798 An invalid memory address
reference was discovered in the adjABS function in p_lx_elf.cpp in UPX 4.0.0
via a crafted Mach-O file.
* https://www.cve.org/CVERecord?id=CVE-2020-27797 An invalid memory address
reference was discovered in the elf_lookup function in p_lx_elf.cpp in UPX
4.0.0 via a crafted Mach-O file.
* https://www.cve.org/CVERecord?id=CVE-2020-27796 A heap-based buffer over-read
was discovered in the invert_pt_dynamic function in p_lx_elf.cpp in UPX 4.0.0
via a crafted Mach-O file.
Signed-off-by: Fathi Boudra <fathi.boudra@linaro.org>
---
recipes-extended/upx/upx_git.bb | 43 ++++++---------------------------
1 file changed, 7 insertions(+), 36 deletions(-)
diff --git a/recipes-extended/upx/upx_git.bb b/recipes-extended/upx/upx_git.bb
index bb8004c6..02e70ffe 100644
--- a/recipes-extended/upx/upx_git.bb
+++ b/recipes-extended/upx/upx_git.bb
@@ -1,45 +1,16 @@
-HOMEPAGE = "http://upx.sourceforge.net"
SUMMARY = "Ultimate executable compressor."
-
-SRCREV_upx = "8d1a98e03bf281b2cee459b6c27347e56d13c6a8"
-SRCREV_vendor_doctest = "666e648b68fda2deb141a1fe93e3fd1e2795dd0f"
-SRCREV_vendor_lzma_sdk = "9ebf8f468c689d83504e6c08c6bc26c4a1cf180f"
-SRCREV_vendor_ucl = "4b58d592199dc1e5db691e1a54fb0e5e9af0ecaf"
-SRCREV_vendor_zlib = "2a5b338eb173a701ed179e951d4c390e75e8d4c7"
-SRCREV_FORMAT = "upx"
-SRC_URI = "git://github.com/upx/upx;name=upx;branch=devel;protocol=https \
- git://github.com/upx/upx-vendor-doctest;name=vendor_doctest;subdir=git/vendor/doctest;branch=upx-vendor;protocol=https \
- git://github.com/upx/upx-vendor-lzma-sdk;name=vendor_lzma_sdk;subdir=git/vendor/lzma-sdk;branch=upx-vendor;protocol=https \
- git://github.com/upx/upx-vendor-ucl;name=vendor_ucl;subdir=git/vendor/ucl;branch=upx-vendor;protocol=https \
- git://github.com/upx/upx-vendor-zlib;name=vendor_zlib;subdir=git/vendor/zlib;branch=upx-vendor;protocol=https \
-"
-
+HOMEPAGE = "* https://upx.github.io/"
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://LICENSE;md5=353753597aa110e0ded3508408c6374a"
+SRCREV_upx = "099c3d829e80488af7395a4242b318877e980da4"
+PV = "4.2.2+git${SRCPV}"
-DEPENDS = "zlib libucl xz cmake-native"
-
-# inherit cmake
+# Note: DO NOT use released tarball in favor of the git repository with submodules.
+# it makes maintenance easier for CVEs or other issues.
+SRC_URI = "gitsm://github.com/upx/upx;protocol=https;;name=upx;branch=devel"
S = "${WORKDIR}/git"
-PV = "3.96+${SRCPV}"
-
-EXTRA_OEMAKE += " \
- UPX_UCLDIR=${STAGING_DIR_TARGET} \
- UPX_LZMADIR=${STAGING_DIR_TARGET} \
-"
-
-# FIXME: The build fails if security flags are enabled
-SECURITY_CFLAGS = ""
-
-do_compile() {
- oe_runmake -C src all
-}
-
-do_install:append() {
- install -d ${D}${bindir}
- install -m 755 ${B}/build/release/upx ${D}${bindir}/upx
-}
+inherit pkgconfig cmake
BBCLASSEXTEND = "native"
--
2.43.0
next reply other threads:[~2024-02-22 12:33 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-22 12:33 Fathi Boudra [this message]
2024-02-22 17:16 ` [meta-virtualization][kirkstone][PATCH] upx: bump to 4.2.2 release - fixes various CVEs Bruce Ashfield
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240222123346.1928883-1-fathi.boudra@linaro.org \
--to=fathi.boudra@linaro.org \
--cc=meta-virtualization@lists.yoctoproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).