Your message dated Sun, 08 Mar 2020 23:19:48 +0000
with message-id <[email protected]>
and subject line Bug#947471: fixed in upx-ucl 3.96-1
has caused the Debian Bug report #947471,
regarding upx-ucl: CVE-2019-20021 CVE-2019-20053
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
947471: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947471
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: upx-ucl
Version: 3.95-2
Severity: normal
Tags: security upstream
Forwarded: https://github.com/upx/upx/issues/315
Control: found -1 3.95-1
Hi,
The following vulnerability was published for upx-ucl.
CVE-2019-20021[0]:
| A heap-based buffer over-read was discovered in canUnpack in
| p_mach.cpp in UPX 3.95 via a crafted Mach-O file.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-20021
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20021
[1] https://github.com/upx/upx/issues/315
[2] https://github.com/upx/upx/commit/819c33fee2b2c33b96bef27a13cb20f2589819aa
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: upx-ucl
Source-Version: 3.96-1
Done: Robert Luberda <[email protected]>
We believe that the bug you reported is fixed in the latest version of
upx-ucl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Robert Luberda <[email protected]> (supplier of updated upx-ucl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 08 Mar 2020 13:48:26 +0100
Source: upx-ucl
Architecture: source
Version: 3.96-1
Distribution: unstable
Urgency: medium
Maintainer: Robert Luberda <[email protected]>
Changed-By: Robert Luberda <[email protected]>
Closes: 947471
Changes:
upx-ucl (3.96-1) unstable; urgency=medium
.
* New upstream version:
+ fixes heap-based buffer over-read and invalid memory address dereference
in canUnpack() (CVE-2019-20021, CVE-2019-20053, closes: #947471).
* Remove no longer needed patches: 02-Ignore-malformed-ElfXX_Shdr.patch,
and 03-Malformed-input.patch.
* Add autopkgtest checks for #947471.
* Replace debian/compat with build-dependency on debhelper-compat.
* Add upstream metadata file.
* Standards-Version: 4.5.0.
Checksums-Sha1:
d803b1527b606ae73a41ca61d4a526e69f88cf81 1867 upx-ucl_3.96-1.dsc
53c36d5ba589ded10a6bbd1c58cb74c466ca3204 792524 upx-ucl_3.96.orig.tar.xz
1ae535da52b28ea297cafb3cea4e48d40ab391d4 57256 upx-ucl_3.96-1.debian.tar.xz
5aac61297d59bdb6beb1856679046eb39b0f8b58 6050 upx-ucl_3.96-1_amd64.buildinfo
Checksums-Sha256:
27bf5d0754fe54da6b1492390b149098fca0499135ea594dcb7f8b4887a37101 1867 upx-ucl_3.96-1.dsc
47774df5c958f2868ef550fb258b97c73272cb1f44fe776b798e393465993714 792524 upx-ucl_3.96.orig.tar.xz
c5a74cc5550a9d42d8a45c0d62c427e38159b642dbc826caf656b968e9129627 57256 upx-ucl_3.96-1.debian.tar.xz
46dc7a285b9063b069650b969303863714355fefbb63c50be7e26c373469a78f 6050 upx-ucl_3.96-1_amd64.buildinfo
Files:
6d32b55a57cab305a8555adf41d70d10 1867 utils optional upx-ucl_3.96-1.dsc
bf5564f33fe9062bc48b53abd4b34223 792524 utils optional upx-ucl_3.96.orig.tar.xz
36f008166f43bed9a9687771b3604119 57256 utils optional upx-ucl_3.96-1.debian.tar.xz
4445a92da7b78a1951868e21cabfc738 6050 utils optional upx-ucl_3.96-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEENeh2+rTTcy6TtNI3Yx3nVTvor9QFAl5k7fQACgkQYx3nVTvo
r9QJXRAAjSNsvaqLvleZuTiTnKwZgPvTM+QZXex1KIdAsCttfaqN4pKU7vgFPR95
q62SMJI/LL2+VJ3q5UK84CrlICUyf3qYSzRphU8SURuM91O3/ETLwccYRouLhNB6
OgBvfU9ayK/qh5eRluIkPk5OLG4ZNBMU5870BGOnllbs7LLHiYAClFJiKJBPwObr
Q2Q6LPKvD6ZALQwC8hMwJyXJtCFSAlYTZ1y5jKa6jfaoXzqFL5MJsMsJus8GHFI9
Np3ZpEu8GPNI+60r+95FH6n0P+wbk+F32Ci58zuQBXeQmzmmaptDJbpTD+NUekrJ
P2Et335xVuwLtNjvWnzpDLRS4U3SRB+dTs8vwCFMBLQEVjP+ROBcH3VO/cKaaBcm
l8CLZUCwXO/xC003r1aabAe2BO9nRe/ZVA8xIA584UOILCn7RRaHPRwTgsODNYMW
lQWyUt3OuINe8u6i3zEQafxtGpkSXo5aNkPBJXfD6WN8qXd9WyMpIbUtP5/M6jfE
lhTd/N9RLQ14J5ilPNI8zPXto4gkgu9/xAhCXPEnK/DMNjiowpUGn81pxH+hexIZ
MFINQ1ZSe7pmtANEvPkOzKkDGCcHs3I3AxiiB4mKK3TcLkEWPc0JcRsqQJIjuDNP
sB1zRlBHRf1tuLQ1upRgAQIqHPlNG3vNaxYxhAPkzmukSsdAh2Y=
=Zfvv
-----END PGP SIGNATURE-----
--- End Message ---
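The thread above turns on three version strings: the report marks 3.95-1 and 3.95-2 as affected ("Control: found -1 3.95-1", "Version: 3.95-2") and the close message marks 3.96-1 as fixed. Whether a given installed version is vulnerable is decided by Debian's version ordering (Debian Policy section 5.6.12), not by plain string or float comparison, which is where ad-hoc checks go wrong on things like 3.96~rc1-1 (sorts before 3.96-1) or 1:3.95-1 (an epoch, sorts after). The following is an added example written for this page; it is not code from the bug report, the maintainer, the Debian BTS or dpkg. It reimplements the dpkg ordering in Python and applies it to the versions named in this thread. The helper names (compare_versions, is_affected, affected_found_versions) and the FOUND/FIXED constants are this example's own; the authoritative implementation remains dpkg --compare-versions.

```python
import re

# Versions taken from the thread above: the reporter marked these as "found",
# the maintainer's upload closed the bug in FIXED. Names are this example's own.
FOUND = ["3.95-1", "3.95-2"]
FIXED = "3.96-1"


def _order(c: str) -> int:
    """Sort weight of one character in a non-digit segment, as in dpkg's order():
    '~' sorts before everything, even end-of-string (weight 0); letters sort by
    code point; any other symbol sorts after all letters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a: str, b: str) -> int:
    # A missing character (end of string) has weight 0, so "3.96" beats "3.96~rc1"
    # but loses to "3.96+dfsg".
    for i in range(max(len(a), len(b))):
        oa = _order(a[i]) if i < len(a) else 0
        ob = _order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream_version or debian_revision: alternate maximal non-digit
    runs (lexical, with the weights above) and digit runs (numeric)."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(0), re.match(r"\D*", b).group(0)
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(0), re.match(r"\d*", b).group(0)
        ia, ib = int(da) if da else 0, int(db) if db else 0
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def split_version(v: str):
    """[epoch:]upstream_version[-debian_revision]; the revision is everything after
    the LAST hyphen, so upstream versions containing '-' are handled."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return <0, 0, >0 like dpkg --compare-versions lt/eq/gt."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _cmp_fragment(ua, ub)
    if r:
        return r
    return _cmp_fragment(ra, rb)


def is_affected(installed: str, fixed: str = FIXED) -> bool:
    """True when the installed version sorts strictly before the fixed one."""
    return compare_versions(installed, fixed) < 0


def affected_found_versions(found=FOUND, fixed=FIXED):
    """Which of the reported 'found' versions are still below the fix."""
    return [v for v in found if is_affected(v, fixed)]


if __name__ == "__main__":
    for v in FOUND + [FIXED, "3.96~rc1-1", "3.96-1~bpo10+1", "1:3.95-1"]:
        print(f"{v:>16}  affected={is_affected(v)}")
```

On a Debian host the same decision is made with the real tool: `dpkg --compare-versions "$(dpkg-query -W -f '${Version}' upx-ucl)" ge 3.96-1`. Two caveats a practitioner should keep in mind: the epoch case (1:3.95-1 sorts after 3.96-1 even though the upstream part is older) is exactly why version strings must never be compared as floats, and "fixed in unstable" says nothing about stable suites, which receive their own fixed version numbers tracked separately by the security tracker.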