MGASA-2020-0012 - Updated upx packages fix security vulnerability

Publication date: 05 Jan 2020
URL: https://advisories.mageia.org/MGASA-2020-0012.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2019-14295,
     CVE-2019-14296

The updated package fixes security vulnerabilities:

An Integer overflow in the getElfSections function in p_vmlinx.cpp in UPX
3.95 allows remote attackers to cause a denial of service (crash) via a
skewed offset larger than the size of the PE section in a UPX packed
executable, which triggers an allocation of excessive memory.
(CVE-2019-14295)

canUnpack in p_vmlinx.cpp in UPX 3.95 allows remote attackers to cause a
denial of service (SEGV or buffer overflow, and application crash) or
possibly have unspecified other impact via a crafted UPX packed file.
(CVE-2019-14296)

References:
- https://bugs.mageia.org/show_bug.cgi?id=25935
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/MOCJ43HTM45GZCAQ2FLEBDNBM76V22RG/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14295
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14296

SRPMS:
- 7/core/upx-3.95-1.1.mga7