| Message ID | 20230205140602.161881-1-fontaine.fabrice@gmail.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [1/1] package/upx: security bump to version 4.0.2 | expand |
Fabrice, All, On 2023-02-05 15:06 +0100, Fabrice Fontaine spake thusly: > Fix CVE-2023-23456: A heap-based buffer overflow issue was discovered in > UPX in PackTmt::pack() in p_tmt.cpp file. The flow allows an attacker to > cause a denial of service (abort) via a crafted file. > > Fix CVE-2023-23457: A Segmentation fault was found in UPX in > PackLinuxElf64::invert_pt_dynamic() in p_lx_elf.cpp. An attacker with a > crafted input file allows invalid memory address access that could lead > to a denial of service. > > https://github.com/upx/upx/blob/v4.0.2/NEWS > > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Applied to master, thanks. Regards, Yann E. MORIN. > --- > package/upx/upx.hash | 2 +- > package/upx/upx.mk | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/package/upx/upx.hash b/package/upx/upx.hash > index 9f7c40c819..7c24906152 100644 > --- a/package/upx/upx.hash > +++ b/package/upx/upx.hash > @@ -1,3 +1,3 @@ > # Locally computed: > -sha256 77003c8e2e29aa9804e2fbaeb30f055903420b3e01d95eafe01aed957fb7e190 upx-4.0.1-src.tar.xz > +sha256 1221e725b1a89e06739df27fae394d6bc88aedbe12f137c630ec772522cbc76f upx-4.0.2-src.tar.xz > sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING > diff --git a/package/upx/upx.mk b/package/upx/upx.mk > index ef346b2310..6018b0a63d 100644 > --- a/package/upx/upx.mk > +++ b/package/upx/upx.mk > @@ -4,7 +4,7 @@ > # > ################################################################################ > > -UPX_VERSION = 4.0.1 > +UPX_VERSION = 4.0.2 > UPX_SITE = https://github.com/upx/upx/releases/download/v$(UPX_VERSION) > UPX_SOURCE = upx-$(UPX_VERSION)-src.tar.xz > UPX_LICENSE = GPL-2.0+ > -- > 2.39.0 > > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes: > Fix CVE-2023-23456: A heap-based buffer overflow issue was discovered in > UPX in PackTmt::pack() in p_tmt.cpp file. The flow allows an attacker to > cause a denial of service (abort) via a crafted file. > Fix CVE-2023-23457: A Segmentation fault was found in UPX in > PackLinuxElf64::invert_pt_dynamic() in p_lx_elf.cpp. An attacker with a > crafted input file allows invalid memory address access that could lead > to a denial of service. > https://github.com/upx/upx/blob/v4.0.2/NEWS > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Committed to 2022.11.x and 2022.02.x, thanks.
diff --git a/package/upx/upx.hash b/package/upx/upx.hash index 9f7c40c819..7c24906152 100644 --- a/package/upx/upx.hash +++ b/package/upx/upx.hash @@ -1,3 +1,3 @@ # Locally computed: -sha256 77003c8e2e29aa9804e2fbaeb30f055903420b3e01d95eafe01aed957fb7e190 upx-4.0.1-src.tar.xz +sha256 1221e725b1a89e06739df27fae394d6bc88aedbe12f137c630ec772522cbc76f upx-4.0.2-src.tar.xz sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING diff --git a/package/upx/upx.mk b/package/upx/upx.mk index ef346b2310..6018b0a63d 100644 --- a/package/upx/upx.mk +++ b/package/upx/upx.mk @@ -4,7 +4,7 @@ # ################################################################################ -UPX_VERSION = 4.0.1 +UPX_VERSION = 4.0.2 UPX_SITE = https://github.com/upx/upx/releases/download/v$(UPX_VERSION) UPX_SOURCE = upx-$(UPX_VERSION)-src.tar.xz UPX_LICENSE = GPL-2.0+
Fix CVE-2023-23456: A heap-based buffer overflow issue was discovered in UPX in PackTmt::pack() in p_tmt.cpp file. The flow allows an attacker to cause a denial of service (abort) via a crafted file. Fix CVE-2023-23457: A Segmentation fault was found in UPX in PackLinuxElf64::invert_pt_dynamic() in p_lx_elf.cpp. An attacker with a crafted input file allows invalid memory address access that could lead to a denial of service. https://github.com/upx/upx/blob/v4.0.2/NEWS Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> --- package/upx/upx.hash | 2 +- package/upx/upx.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)