Bug#1031874: marked as done (upx-ucl: CVE-2023-23457)

[Debian Bug Tracking System]

Your message dated Tue, 16 Jan 2024 00:32:14 +0100
with message-id <ff77b158-78ca-4759-aa41-c3b3e49df...@debian.org>
and subject line Re: Bug#1033258: Bug#1031874: upx-ucl: CVE-2023-23457
has caused the Debian Bug report #1031874,
regarding upx-ucl: CVE-2023-23457
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1031874: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031874
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Source: upx-ucl
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for upx-ucl.

CVE-2023-23457[0]:
| A Segmentation fault was found in UPX in
| PackLinuxElf64::invert_pt_dynamic() in p_lx_elf.cpp. An attacker with
| a crafted input file allows invalid memory address access that could
| lead to a denial of service.

https://github.com/upx/upx/issues/631
https://github.com/upx/upx/commit/779b648c5f6aa9b33f4728f79dd4d0efec0bf860
                

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-23457
    https://www.cve.org/CVERecord?id=CVE-2023-23457

Please adjust the affected versions in the BTS as needed.

--- End Message ---

--- Begin Message ---

Source: upx-ucl
Source-Version: 4.2.2-1
Done: Robert Luberda <rob...@debian.org>


Michael Prokop writes:

There are patches available for this and also for #1033258 since
several months, also upstream released multiple versions since 3.96
(latest being v4.1.0 as of 2023-08-08).

Is there any reason why this wasn't yet taken care  > Is the package maintainer 
still around?

Sorry, I didn't have time to maintain my packages in last year.

Anyway both bugs were fixed a few days ago in upx-ucl 4.2.2-1, but this bug was not automatically closed because of a typo in changelog entry:

 upx-ucl (4.2.2-1) unstable; urgency=medium
 .
   * New upstream version (closes: #1025053):

- fixes heap-based buffer overflow issue CVE-2023-23456 (closes: #1033258);

     - fixes segmentation fault issue CVE-2023-23457 (closes: #1033258);

Regards,
robert

--- End Message ---