* [meta-virtualization][kirkstone][PATCH] upx: bump to 4.2.2 release - fixes various CVEs
@ 2024-02-22 12:33 Fathi Boudra
2024-02-22 17:16 ` Bruce Ashfield
0 siblings, 1 reply; 2+ messages in thread
From: Fathi Boudra @ 2024-02-22 12:33 UTC (permalink / raw)
To: meta-virtualization; +Cc: Fathi Boudra
Update upx recipe from 3.96 to 4.2.2 release:
* Use the gitsm fetcher to get the source code.
* Add a note to keep using the git repository.
* Update the homepage.
* Drop the build dependencies as they're useless. UPX builds using the
vendor subdirectory, statically linking the libraries.
Fixes CVEs:
* https://www.cve.org/CVERecord?id=CVE-2023-23456 A heap-based buffer overflow
issue was discovered in UPX in PackTmt::pack() in p_tmt.cpp file. The flow
allows an attacker to cause a denial of service (abort) via a crafted file.
* https://www.cve.org/CVERecord?id=CVE-2023-23457 A segmentation fault was found
in UPX in PackLinuxElf64::invert_pt_dynamic() in p_lx_elf.cpp. An attacker with
a crafted input file allows invalid memory address access that could lead to a
denial of service.
* https://www.cve.org/CVERecord?id=CVE-2021-46179 Reachable Assertion
vulnerability in upx before 4.0.0 allows attackers to cause a denial of service
via crafted file passed to the readx function.
* https://www.cve.org/CVERecord?id=CVE-2021-43317 A heap-based buffer overflow
was discovered in upx, when the generic pointer 'p' points to an inaccessible
address in func get_le32(). The problem is essentially caused in
PackLinuxElf64::elf_lookup() at p_lx_elf.cpp:5404.
* https://www.cve.org/CVERecord?id=CVE-2021-43316 A heap-based buffer overflow
was discovered in upx, when the generic pointer 'p' points to an inaccessible
address in func get_le64().
* https://www.cve.org/CVERecord?id=CVE-2021-43315 A heap-based buffer overflow
was discovered in upx, when the generic pointer 'p' points to an inaccessible
address in func get_le32(). The problem is essentially caused in
PackLinuxElf32::elf_lookup() at p_lx_elf.cpp:5349.
* https://www.cve.org/CVERecord?id=CVE-2021-43314 A heap-based buffer overflow
was discovered in upx, when the generic pointer 'p' points to an inaccessible
address in func get_le32(). The problem is essentially caused in
PackLinuxElf32::elf_lookup() at p_lx_elf.cpp:5368.
* https://www.cve.org/CVERecord?id=CVE-2021-43313 A heap-based buffer overflow
was discovered in upx, when the variable 'bucket' points to an inaccessible
address. The issue is being triggered in the function
PackLinuxElf32::invert_pt_dynamic at p_lx_elf.cpp:1688.
* https://www.cve.org/CVERecord?id=CVE-2021-43312 A heap-based buffer overflow
was discovered in upx, when the variable 'bucket' points to an inaccessible
address. The issue is being triggered in the function
PackLinuxElf64::invert_pt_dynamic at p_lx_elf.cpp:5239.
* https://www.cve.org/CVERecord?id=CVE-2021-43311 A heap-based buffer overflow
was discovered in upx, when the generic pointer 'p' points to an inaccessible
address in func get_le32(). The problem is essentially caused in
PackLinuxElf32::elf_lookup() at p_lx_elf.cpp:5382.
* https://www.cve.org/CVERecord?id=CVE-2021-30501 An assertion abort was found
in upx MemBuffer::alloc() in mem.cpp, in version UPX 4.0.0. The flow allows
attackers to cause a denial of service (abort) via a crafted file.
* https://www.cve.org/CVERecord?id=CVE-2021-30500 Null pointer dereference was
found in upx PackLinuxElf::canUnpack() in p_lx_elf.cpp, in version UPX 4.0.0.
That allows attackers to execute arbitrary code and cause a denial of service
via a crafted file.
* https://www.cve.org/CVERecord?id=CVE-2021-20285 A flaw was found in upx
canPack in p_lx_elf.cpp in UPX 3.96. This flaw allows attackers to cause a
denial of service (SEGV or buffer overflow and application crash) or possibly
have unspecified other impacts via a crafted ELF. The highest threat from this
vulnerability is to system availability.
* https://www.cve.org/CVERecord?id=CVE-2020-27802 A floating point exception
was discovered in the elf_lookup function in p_lx_elf.cpp in UPX 4.0.0 via a
crafted Mach-O file.
* https://www.cve.org/CVERecord?id=CVE-2020-27801 A heap-based buffer over-read
was discovered in the get_le64 function in bele.h in UPX 4.0.0 via a crafted
Mach-O file.
* https://www.cve.org/CVERecord?id=CVE-2020-27800 A heap-based buffer over-read
was discovered in the get_le32 function in bele.h in UPX 4.0.0 via a crafted
Mach-O file.
* https://www.cve.org/CVERecord?id=CVE-2020-27799 A heap-based buffer over-read
was discovered in the acc_ua_get_be32 function in miniacc.h in UPX 4.0.0 via a
crafted Mach-O file.
* https://www.cve.org/CVERecord?id=CVE-2020-27798 An invalid memory address
reference was discovered in the adjABS function in p_lx_elf.cpp in UPX 4.0.0
via a crafted Mach-O file.
* https://www.cve.org/CVERecord?id=CVE-2020-27797 An invalid memory address
reference was discovered in the elf_lookup function in p_lx_elf.cpp in UPX
4.0.0 via a crafted Mach-O file.
* https://www.cve.org/CVERecord?id=CVE-2020-27796 A heap-based buffer over-read
was discovered in the invert_pt_dynamic function in p_lx_elf.cpp in UPX 4.0.0
via a crafted Mach-O file.
Signed-off-by: Fathi Boudra <fathi.boudra@linaro.org>
---
recipes-extended/upx/upx_git.bb | 43 ++++++---------------------------
1 file changed, 7 insertions(+), 36 deletions(-)
diff --git a/recipes-extended/upx/upx_git.bb b/recipes-extended/upx/upx_git.bb
index bb8004c6..02e70ffe 100644
--- a/recipes-extended/upx/upx_git.bb
+++ b/recipes-extended/upx/upx_git.bb
@@ -1,45 +1,16 @@
-HOMEPAGE = "http://upx.sourceforge.net"
SUMMARY = "Ultimate executable compressor."
-
-SRCREV_upx = "8d1a98e03bf281b2cee459b6c27347e56d13c6a8"
-SRCREV_vendor_doctest = "666e648b68fda2deb141a1fe93e3fd1e2795dd0f"
-SRCREV_vendor_lzma_sdk = "9ebf8f468c689d83504e6c08c6bc26c4a1cf180f"
-SRCREV_vendor_ucl = "4b58d592199dc1e5db691e1a54fb0e5e9af0ecaf"
-SRCREV_vendor_zlib = "2a5b338eb173a701ed179e951d4c390e75e8d4c7"
-SRCREV_FORMAT = "upx"
-SRC_URI = "git://github.com/upx/upx;name=upx;branch=devel;protocol=https \
- git://github.com/upx/upx-vendor-doctest;name=vendor_doctest;subdir=git/vendor/doctest;branch=upx-vendor;protocol=https \
- git://github.com/upx/upx-vendor-lzma-sdk;name=vendor_lzma_sdk;subdir=git/vendor/lzma-sdk;branch=upx-vendor;protocol=https \
- git://github.com/upx/upx-vendor-ucl;name=vendor_ucl;subdir=git/vendor/ucl;branch=upx-vendor;protocol=https \
- git://github.com/upx/upx-vendor-zlib;name=vendor_zlib;subdir=git/vendor/zlib;branch=upx-vendor;protocol=https \
-"
-
+HOMEPAGE = "* https://upx.github.io/"
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://LICENSE;md5=353753597aa110e0ded3508408c6374a"
+SRCREV_upx = "099c3d829e80488af7395a4242b318877e980da4"
+PV = "4.2.2+git${SRCPV}"
-DEPENDS = "zlib libucl xz cmake-native"
-
-# inherit cmake
+# Note: DO NOT use released tarball in favor of the git repository with submodules.
+# it makes maintenance easier for CVEs or other issues.
+SRC_URI = "gitsm://github.com/upx/upx;protocol=https;;name=upx;branch=devel"
S = "${WORKDIR}/git"
-PV = "3.96+${SRCPV}"
-
-EXTRA_OEMAKE += " \
- UPX_UCLDIR=${STAGING_DIR_TARGET} \
- UPX_LZMADIR=${STAGING_DIR_TARGET} \
-"
-
-# FIXME: The build fails if security flags are enabled
-SECURITY_CFLAGS = ""
-
-do_compile() {
- oe_runmake -C src all
-}
-
-do_install:append() {
- install -d ${D}${bindir}
- install -m 755 ${B}/build/release/upx ${D}${bindir}/upx
-}
+inherit pkgconfig cmake
BBCLASSEXTEND = "native"
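Review bot: two of the new values look mistyped. `HOMEPAGE = "* https://upx.github.io/"` carries a stray `* ` (a bullet copied from the commit message) and should read `HOMEPAGE = "https://upx.github.io/"`, and `SRC_URI = "gitsm://github.com/upx/upx;protocol=https;;name=upx;branch=devel"` has a doubled `;;` that produces an empty fetcher parameter and should be a single `;`. Since the fetch stays on `branch=devel` while `PV = "4.2.2+git${SRCPV}"`, it is also worth confirming that `SRCREV_upx` is the commit of the 4.2.2 release, so the version the recipe claims matches the one the CVE list assumes is fixed. Dropping the `SECURITY_CFLAGS = ""` override is a welcome side effect, since the distro hardening flags now apply to the cmake build; a sentence in the commit message saying the old FIXME no longer reproduces would make that explicit.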
--
2.43.0
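As an added example (not part of the patch or of meta-virtualization), a small lint pass over the kind of one-line BitBake assignments the bump changes: it parses `HOMEPAGE` and `SRC_URI` the way a reviewer reads them and flags a value that is not a bare URL, an empty fetcher parameter from a doubled `;`, and a git entry with no matching `SRCREV` pin. The recipe text is reconstructed from the patch's `+` and context lines, and the assignment parser is a deliberate simplification of BitBake's.

```python
import re
# Constructed input: the upx recipe as it reads after the patch, reconstructed
# from the '+' and context lines (added example, not meta-virtualization code).
RECIPE = '''SUMMARY = "Ultimate executable compressor."
HOMEPAGE = "* https://upx.github.io/"
LICENSE = "GPL-2.0-only"
SRCREV_upx = "099c3d829e80488af7395a4242b318877e980da4"
PV = "4.2.2+git${SRCPV}"
SRC_URI = "gitsm://github.com/upx/upx;protocol=https;;name=upx;branch=devel"
S = "${WORKDIR}/git"
inherit pkgconfig cmake
BBCLASSEXTEND = "native"
'''

# One-line `NAME = "value"` / `NAME ?= "value"` only (simplified parser).
ASSIGN = re.compile(r'^\s*([A-Za-z0-9_:\-]+)\s*\??=\s*"(.*)"\s*$')

def parse_assignments(text):
    """Return {variable: value} for the simple quoted assignments in text."""
    found = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def parse_src_uri(entry):
    """Split one SRC_URI entry into (scheme, location, [params]) as the fetcher does."""
    scheme, _, rest = entry.partition("://")
    location, *params = rest.split(";")
    return scheme, location, params

def lint(text):
    """Return findings for a recipe fragment; an empty list means clean."""
    variables = parse_assignments(text)
    findings = []
    homepage = variables.get("HOMEPAGE", "")
    if not re.fullmatch(r"https?://\S+", homepage):
        findings.append(f"HOMEPAGE is not a bare URL: {homepage!r}")
    for entry in variables.get("SRC_URI", "").split():
        scheme, _, params = parse_src_uri(entry)
        if "" in params:
            findings.append(f"empty parameter (doubled ';') in {entry!r}")
        opts = dict(p.split("=", 1) for p in params if "=" in p)
        if scheme in ("git", "gitsm"):
            # A named git entry is pinned by SRCREV_<name>, otherwise by SRCREV.
            rev = "SRCREV_" + opts["name"] if "name" in opts else "SRCREV"
            if rev not in variables:
                findings.append(f"{entry!r} has no {rev} pin")
    return findings
```

Running `lint(RECIPE)` reports the stray bullet in `HOMEPAGE` and the empty parameter in `SRC_URI`; the same fragment with those two characters corrected comes back clean.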
* Re: [meta-virtualization][kirkstone][PATCH] upx: bump to 4.2.2 release - fixes various CVEs
2024-02-22 12:33 [meta-virtualization][kirkstone][PATCH] upx: bump to 4.2.2 release - fixes various CVEs Fathi Boudra
@ 2024-02-22 17:16 ` Bruce Ashfield
0 siblings, 0 replies; 2+ messages in thread
From: Bruce Ashfield @ 2024-02-22 17:16 UTC (permalink / raw)
To: Fathi Boudra; +Cc: meta-virtualization
For anyone following and wondering, I've decided to take this patch to
kirkstone, even though it is doing more than just a minor version update.
There are enough CVEs fixed, and few enough users of upx, that the risk
is low.
I've also scanned the changelog, and don't see anything that looks to
be incompatible with existing uses.
Bruce
In message: [meta-virtualization][kirkstone][PATCH] upx: bump to 4.2.2 release - fixes various CVEs
on 22/02/2024 Fathi Boudra wrote: