Bug 13954

Summary: [CVE 21] upx 4.0.2 CVEs found
Product: [ROSA-based products] ROSA Fresh
Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: normal
Priority: Normal
CC: a.proklov, e.kosachev, s.matveev, v.potapov, y.tumanov
Version: All
Flags: v.potapov: qa_verified+
       e.kosachev: secteam_verified+
       a.proklov: published+
Target Milestone: ---
Hardware: All
OS: Linux
URL: CVE-2023-23456, CVE-2023-23457
Whiteboard:
Platform: 2021.1
ROSA Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Description Yury 2023-10-18 20:31:57 MSK
Please patch CVEs for package upx version 4.0.2

INFO (CVEs are): upx 4.0.2, CVEs found:

CVE-2023-23456
Desc: A heap-based buffer overflow issue was discovered in UPX in PackTmt::pack() in the p_tmt.cpp file. The flaw allows an attacker to cause a denial of service (abort) via a crafted file.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-23456
Severity: MEDIUM
CVE-2023-23457
Desc: A Segmentation fault was found in UPX in PackLinuxElf64::invert_pt_dynamic() in p_lx_elf.cpp. An attacker with a crafted input file allows invalid memory address access that could lead to a denial of service.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-23457
Severity: MEDIUM
Comment 1 Aleksandr Proklov 2023-11-16 07:33:31 MSK
I propose closing this with a version update; the vulnerabilities are fixed, I checked. I added a note in the spec file.

upx 4.2.1-1

https://abf.io/build_lists/4825758
https://abf.io/build_lists/4825759
https://abf.io/build_lists/4825760
https://abf.io/build_lists/4825761
https://abf.io/build_lists/4825762
Comment 2 Vladimir Potapov 2023-11-16 16:18:26 MSK
*************************************
The update was sent to testing
Comment 3 Vladimir Potapov 2023-11-22 16:36:39 MSK
upx-4.2.1-1
https://abf.io/build_lists/4825758
https://abf.io/build_lists/4825759
https://abf.io/build_lists/4825760
https://abf.io/build_lists/4825761
https://abf.io/build_lists/4825762
************************* Advisory ************************
CVE-2023-23456 CVE-2023-23457 fix by version update
***********************************************************
QA Verified
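Since the advisory above fixes both CVEs purely by a version bump (upx 4.2.1-1 replaces 4.0.2), the check an administrator wants is "is the installed upx older than the fixed build?". The script below is an added example and is not part of the bug report or of ROSA's tooling: it re-implements rpm's segment-by-segment version comparison (numeric segments compared as integers, alphabetic segments lexically, a numeric segment ranking above an alphabetic one) in Python and applies it to the versions named in this report. The `upx --version` output line it parses is a constructed sample, and `parse_upx_version` is a hypothetical helper for that first output line.

```python
"""Decide whether an installed upx still carries CVE-2023-23456/23457.

Added example, not code from the ROSA bug report. The fixed build named in
the advisory is upx 4.2.1-1; anything older is treated as affected.
The comparison mirrors rpm's documented rpmvercmp rules but is a
re-implementation, not rpm's own code.
"""
import re
from typing import Optional

# Version-release of the update from the advisory (values from the report).
FIXED_VERSION = "4.2.1"
FIXED_RELEASE = "1"

# rpm splits a version into runs of digits and runs of letters; separators
# such as '.', '-' or '_' only delimit segments and carry no weight.
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 when version string a is older, equal, or newer than b."""
    seg_a = _SEGMENT.findall(a)
    seg_b = _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            # Both numeric: compare as integers so that 10 > 9.
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x_num != y_num:
            # A numeric segment is considered newer than an alphabetic one.
            return 1 if x_num else -1
        elif x != y:
            # Both alphabetic: plain lexical order.
            return -1 if x < y else 1
    # All shared segments equal: the string with more segments is newer.
    if len(seg_a) != len(seg_b):
        return -1 if len(seg_a) < len(seg_b) else 1
    return 0


def evr_cmp(ver_a: str, rel_a: str, ver_b: str, rel_b: str) -> int:
    """Compare version-release pairs: version decides, release breaks ties."""
    c = rpmvercmp(ver_a, ver_b)
    return c if c != 0 else rpmvercmp(rel_a, rel_b)


def is_affected(version: str, release: Optional[str] = None) -> bool:
    """True if the given upx version-release is older than the fixed 4.2.1-1.

    Without a release number (e.g. an upstream tarball build) only the
    upstream version is compared, so 4.2.1 itself counts as fixed.
    """
    if release is None:
        return rpmvercmp(version, FIXED_VERSION) < 0
    return evr_cmp(version, release, FIXED_VERSION, FIXED_RELEASE) < 0


def parse_upx_version(first_line: str) -> Optional[str]:
    """Hypothetical helper: pull the version out of the first line of `upx --version`."""
    m = re.match(r"\s*upx\s+([0-9][0-9a-zA-Z.]*)", first_line)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample of the first output line of `upx --version`.
    sample_line = "upx 4.0.2"
    ver = parse_upx_version(sample_line)
    print(f"{sample_line!r}: affected={is_affected(ver)}")
    print("4.2.1-1 (the advisory build): affected =", is_affected("4.2.1", "1"))
```

Run it with the real first line of `upx --version` (or the `rpm -q --qf '%{VERSION} %{RELEASE}' upx` output) to get a yes/no answer; the release component matters on RPM systems because a rebuild such as 4.2.1-2 must still rank as fixed while a hypothetical 4.2.1-0 would not.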
Comment 4 Eduard 2024-05-07 10:39:59 MSK
*******************************************************
Secteam_verified
*******************************************************
https://abf.rosalinux.ru/advisories/ROSA-SA-2024-2414
*******************************************************