[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
branch master updated: gnu: upx: Fix CVE-2021-20285.
|
From: |
guix-commits |
|
Subject: |
branch master updated: gnu: upx: Fix CVE-2021-20285. |
|
Date: |
Fri, 26 Mar 2021 17:52:57 -0400 |
This is an automated email from the git hooks/post-receive script.
lle_bout pushed a commit to branch master
in repository guix.
The following commit(s) were added to refs/heads/master by this push:
new 53dd99b gnu: upx: Fix CVE-2021-20285.
53dd99b is described below
commit 53dd99bc0b2e23c5463b4cb95546fd438a72d229
Author: Léo Le Bouter <lle-bout@zaclys.net>
AuthorDate: Fri Mar 26 22:51:14 2021 +0100
gnu: upx: Fix CVE-2021-20285.
* gnu/packages/patches/upx-CVE-2021-20285.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/compression.scm (upx): Apply patch.
---
gnu/local.mk | 1 +
gnu/packages/compression.scm | 3 +-
gnu/packages/patches/upx-CVE-2021-20285.patch | 76 +++++++++++++++++++++++++++
3 files changed, 79 insertions(+), 1 deletion(-)
diff --git a/gnu/local.mk b/gnu/local.mk
index 4095659..f8c4e73 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1765,6 +1765,7 @@ dist_patch_DATA =
\
%D%/packages/patches/unzip-zipbomb-part2.patch \
%D%/packages/patches/unzip-zipbomb-part3.patch \
%D%/packages/patches/unzip-32bit-zipbomb-fix.patch \
+ %D%/packages/patches/upx-CVE-2021-20285.patch \
%D%/packages/patches/ustr-fix-build-with-gcc-5.patch \
%D%/packages/patches/util-linux-tests.patch \
%D%/packages/patches/upower-builddir.patch \
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 2d06504..ef73e60 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -2100,7 +2100,8 @@ decompression is a little bit slower.")
version "/upx-" version "-src.tar.xz"))
(sha256
(base32
- "051pk5jk8fcfg5mpgzj43z5p4cn7jy5jbyshyn78dwjqr7slsxs7"))))
+ "051pk5jk8fcfg5mpgzj43z5p4cn7jy5jbyshyn78dwjqr7slsxs7"))
+ (patches (search-patches "upx-CVE-2021-20285.patch"))))
(build-system gnu-build-system)
(native-inputs
`(("perl" ,perl)))
diff --git a/gnu/packages/patches/upx-CVE-2021-20285.patch
b/gnu/packages/patches/upx-CVE-2021-20285.patch
new file mode 100644
index 0000000..1d47b2a
--- /dev/null
+++ b/gnu/packages/patches/upx-CVE-2021-20285.patch
@@ -0,0 +1,76 @@
+From 3781df9da23840e596d5e9e8493f22666802fe6c Mon Sep 17 00:00:00 2001
+From: John Reiser <jreiser@BitWagon.com>
+Date: Fri, 11 Dec 2020 13:38:18 -0800
+Subject: [PATCH] Check DT_REL/DT_RELA, DT_RELSZ/DT_RELASZ
+
+https://github.com/upx/upx/issues/421
+ modified: p_lx_elf.cpp
+---
+ src/p_lx_elf.cpp | 34 +++++++++++++++++++++++++++++-----
+ 1 file changed, 29 insertions(+), 5 deletions(-)
+
+diff --git a/src/p_lx_elf.cpp b/src/p_lx_elf.cpp
+index 182db192..3a4101cf 100644
+--- a/src/p_lx_elf.cpp
++++ b/src/p_lx_elf.cpp
+@@ -2222,8 +2222,20 @@ bool PackLinuxElf32::canPack()
+ int z_rsz = dt_table[Elf32_Dyn::DT_RELSZ];
+ if (z_rel && z_rsz) {
+ unsigned rel_off = get_te32(&dynseg[-1+
z_rel].d_val);
++ if ((unsigned)file_size <= rel_off) {
++ char msg[70]; snprintf(msg, sizeof(msg),
++ "bad Elf32_Dynamic[DT_REL] %#x\n",
++ rel_off);
++ throwCantPack(msg);
++ }
+ Elf32_Rel *rp = (Elf32_Rel *)&file_image[rel_off];
+ unsigned relsz = get_te32(&dynseg[-1+
z_rsz].d_val);
++ if ((unsigned)file_size <= relsz) {
++ char msg[70]; snprintf(msg, sizeof(msg),
++ "bad Elf32_Dynamic[DT_RELSZ] %#x\n",
++ relsz);
++ throwCantPack(msg);
++ }
+ Elf32_Rel *last = (Elf32_Rel *)(relsz + (char
*)rp);
+ for (; rp < last; ++rp) {
+ unsigned r_va = get_te32(&rp->r_offset);
+@@ -2562,14 +2574,26 @@ PackLinuxElf64::canPack()
+ int z_rel = dt_table[Elf64_Dyn::DT_RELA];
+ int z_rsz = dt_table[Elf64_Dyn::DT_RELASZ];
+ if (z_rel && z_rsz) {
+- unsigned rel_off = get_te64(&dynseg[-1+
z_rel].d_val);
++ upx_uint64_t rel_off = get_te64(&dynseg[-1+
z_rel].d_val);
++ if ((u64_t)file_size <= rel_off) {
++ char msg[70]; snprintf(msg, sizeof(msg),
++ "bad Elf64_Dynamic[DT_RELA] %#llx\n",
++ rel_off);
++ throwCantPack(msg);
++ }
+ Elf64_Rela *rp = (Elf64_Rela
*)&file_image[rel_off];
+- unsigned relsz = get_te64(&dynseg[-1+
z_rsz].d_val);
++ upx_uint64_t relsz = get_te64(&dynseg[-1+
z_rsz].d_val);
++ if ((u64_t)file_size <= relsz) {
++ char msg[70]; snprintf(msg, sizeof(msg),
++ "bad Elf64_Dynamic[DT_RELASZ] %#llx\n",
++ relsz);
++ throwCantPack(msg);
++ }
+ Elf64_Rela *last = (Elf64_Rela *)(relsz + (char
*)rp);
+ for (; rp < last; ++rp) {
+- unsigned r_va = get_te64(&rp->r_offset);
++ upx_uint64_t r_va = get_te64(&rp->r_offset);
+ if (r_va == user_init_ava) { // found the
Elf64_Rela
+- unsigned r_info = get_te64(&rp->r_info);
++ upx_uint64_t r_info =
get_te64(&rp->r_info);
+ unsigned r_type = ELF64_R_TYPE(r_info);
+ if (Elf64_Ehdr::EM_AARCH64 == e_machine
+ && R_AARCH64_RELATIVE == r_type) {
+@@ -2581,7 +2605,7 @@ PackLinuxElf64::canPack()
+ }
+ else {
+ char msg[50]; snprintf(msg,
sizeof(msg),
+- "bad relocation %#x
DT_INIT_ARRAY[0]",
++ "bad relocation %#llx
DT_INIT_ARRAY[0]",
+ r_info);
+ throwCantPack(msg);
+ }
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- branch master updated: gnu: upx: Fix CVE-2021-20285.,
guix-commits <=