Debian Bug report logs - #899190
upx-ucl: CVE-2018-11243


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 20 May 2018 14:21:05 UTC

Severity: normal

Tags: security, upstream

Found in version upx-ucl/3.94-4

Fixed in version upx-ucl/3.95-1

Done: Robert Luberda <robert@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/upx/upx/issues/206




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Robert Luberda <robert@debian.org>:
Bug#899190; Package src:upx-ucl. (Sun, 20 May 2018 14:21:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Robert Luberda <robert@debian.org>. (Sun, 20 May 2018 14:21:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: upx-ucl: CVE-2018-11243
Date: Sun, 20 May 2018 16:19:10 +0200
Source: upx-ucl
Version: 3.94-4
Severity: normal
Tags: security upstream

Hi,

The following vulnerability was published for upx-ucl.

CVE-2018-11243[0]:
| PackLinuxElf64::unpack in p_lx_elf.cpp in UPX 3.95 allows remote
| attackers to cause a denial of service (double free), limit the ability
| of a malware scanner to operate on the entire original data, or
| possibly have unspecified other impact via a crafted file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-11243
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11243
[1] https://github.com/upx/upx/issues/206
[2] https://github.com/upx/upx/issues/207

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug 899190 cloned as bug 907426. Request was from Robert Luberda <robert@debian.org> to control@bugs.debian.org. (Mon, 27 Aug 2018 20:27:02 GMT)


Set Bug forwarded-to-address to 'https://github.com/upx/upx/issues/206'. Request was from Robert Luberda <robert@debian.org> to control@bugs.debian.org. (Mon, 27 Aug 2018 20:27:03 GMT)


Reply sent to Robert Luberda <robert@debian.org>:
You have taken responsibility. (Tue, 28 Aug 2018 20:57:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 28 Aug 2018 20:57:03 GMT)


Message #14 received at 899190-close@bugs.debian.org:

From: Robert Luberda <robert@debian.org>
To: 899190-close@bugs.debian.org
Subject: Bug#899190: fixed in upx-ucl 3.95-1
Date: Tue, 28 Aug 2018 20:54:00 +0000
Source: upx-ucl
Source-Version: 3.95-1

We believe that the bug you reported is fixed in the latest version of
upx-ucl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 899190@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robert Luberda <robert@debian.org> (supplier of updated upx-ucl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 28 Aug 2018 21:47:27 +0200
Source: upx-ucl
Binary: upx-ucl
Architecture: source amd64
Version: 3.95-1
Distribution: unstable
Urgency: medium
Maintainer: Robert Luberda <robert@debian.org>
Changed-By: Robert Luberda <robert@debian.org>
Description:
 upx-ucl    - efficient live-compressor for executables
Closes: 899190
Changes:
 upx-ucl (3.95-1) unstable; urgency=medium
 .
   * New upstream version:
     + contains fix for multiple memory reading issue (CVE-2018-11243,
       closes: #899190).
   * Add autopkgtest checks for basic functionalities of upx and for
     regressions against a few bugs reported in Debian in last few years.
   * Upload to unstable.
   * Standards-Version: 4.2.1.
Checksums-Sha1:
 d4e2ddde8e735861b241f5b12e6c2016bb4c02b1 1861 upx-ucl_3.95-1.dsc
 2f69002bd6012011c90732e8da96c366157e51e9 790776 upx-ucl_3.95.orig.tar.xz
 65e8fb7b60d77c8c2171a61af4bee06fbfb4c44a 54676 upx-ucl_3.95-1.debian.tar.xz
 8ceb9215b49f412beef37d40aa2fe22f7abd68f3 1620440 upx-ucl-dbgsym_3.95-1_amd64.deb
 1364a5e8622e17cda96a7a2b95c4fed10e727fa7 5891 upx-ucl_3.95-1_amd64.buildinfo
 68dc7ea44f0a5703c0f2761c25137623a92ce89e 404924 upx-ucl_3.95-1_amd64.deb
Checksums-Sha256:
 81a68bb2d81b8830e83cbc418ae3ab477e73e4d723b34d5dd93ec9dcd2ee8d31 1861 upx-ucl_3.95-1.dsc
 3b0f55468d285c760fcf5ea865a070b27696393002712054c69ff40d8f7f5592 790776 upx-ucl_3.95.orig.tar.xz
 acaf445b07aa131c2dfe16e9dbf2c631b454cdd30249460a286c12fce8b54e01 54676 upx-ucl_3.95-1.debian.tar.xz
 409bca36d923d27ac75acaa08c37d880e2829dbdc2021170620ee18478c9dfd5 1620440 upx-ucl-dbgsym_3.95-1_amd64.deb
 1c70c3d3e1adb2f9ef750652eb17d6a833143c0c52dd724acb9b094fd152c118 5891 upx-ucl_3.95-1_amd64.buildinfo
 fe4ee9d376ee5008319ce0d9f70bf8608d7240694ad4842582d406caad23f130 404924 upx-ucl_3.95-1_amd64.deb
Files:
 af9f3d0dee613994f81ae2f8182ce2b5 1861 utils optional upx-ucl_3.95-1.dsc
 fa95336d9ddcaac3b494a1b6ae9d3557 790776 utils optional upx-ucl_3.95.orig.tar.xz
 96a534b0a854d5f3acaa44596e5d20dc 54676 utils optional upx-ucl_3.95-1.debian.tar.xz
 b09fccf64dae120b53b1201dd2fac764 1620440 debug optional upx-ucl-dbgsym_3.95-1_amd64.deb
 1611ad000f2584dcfc49e2cf0222e620 5891 utils optional upx-ucl_3.95-1_amd64.buildinfo
 05dd016d95b043647602d68e88ccb2b6 404924 utils optional upx-ucl_3.95-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
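The Checksums-Sha256 section of the .changes above is what a consumer of this update can check a downloaded fixed package against. The following is an added example, not part of the bug log and not upx or Debian tooling: it parses a Checksums-Sha256 section in the same layout and verifies each listed file in a download directory, reporting a missing file, a size mismatch, a digest mismatch, or an entry whose name is not a bare file name. The file names, contents and digests it uses are constructed for the example; the helper names (parse_checksums, verify_files, build_sample_changes, demo) are this example's own. It assumes the .changes text was already checked against the maintainer's OpenPGP signature, which this code does not do.

```python
import hashlib
import hmac
import os
import tempfile

# Hypothetical file names and contents; these are not the upx-ucl files
# listed on the page, and their digests are computed below, not copied.
SAMPLE_FILES = {
    "example_1.0-1.dsc": b"constructed .dsc contents\n",
    "example_1.0.orig.tar.xz": b"constructed tarball bytes, not a real archive\n",
}


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} from one Checksums-* section.

    A .changes file is an RFC-822 style control paragraph: the section
    begins at the line "<field>:" and its entries are the following
    indented lines, each "<digest> <size> <filename>".  The section ends
    at the next non-indented line (another field, or a blank line).
    """
    entries = {}
    in_section = False
    for line in changes_text.splitlines():
        if not line.startswith((" ", "\t")):
            in_section = line.strip() == field + ":"
            continue
        if not in_section or not line.strip():
            continue
        digest, size, name = line.split()
        entries[name] = (digest.lower(), int(size))
    return entries


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(changes_text, directory):
    """Check every Checksums-Sha256 entry against the file on disk.

    Returns {filename: status} where status is one of "ok", "bad-name",
    "missing", "size-mismatch" or "digest-mismatch".  The size is compared
    before hashing so an oversized file is rejected without reading it.
    """
    results = {}
    for name, (digest, size) in parse_checksums(changes_text).items():
        # A .changes entry is a bare file name, never a path: refuse anything
        # that could point outside the download directory.
        if "/" in name or os.sep in name or name in ("", ".", ".."):
            results[name] = "bad-name"
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size:
            results[name] = "size-mismatch"
        elif hmac.compare_digest(_sha256_file(path), digest):
            results[name] = "ok"
        else:
            results[name] = "digest-mismatch"
    return results


def build_sample_changes(directory):
    """Write SAMPLE_FILES into directory and return a constructed .changes
    text whose Checksums-Sha256 entries are computed from those bytes."""
    lines = ["Format: 1.8", "Source: example", "Checksums-Sha256:"]
    for name, data in SAMPLE_FILES.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    # Real .changes files also carry a Files: section with five columns
    # (md5, size, section, priority, name); the parser must skip it.  The
    # md5 here is a placeholder (digest of the empty string).
    lines += ["Files:", " d41d8cd98f00b204e9800998ecf8427e 0 utils optional example_1.0-1.dsc"]
    return "\n".join(lines) + "\n"


def demo():
    """Verify the constructed sample, then flip one byte of the tarball
    (same size, so only the digest check can catch it) and verify again."""
    with tempfile.TemporaryDirectory() as d:
        changes = build_sample_changes(d)
        before = verify_files(changes, d)
        path = os.path.join(d, "example_1.0.orig.tar.xz")
        with open(path, "rb") as f:
            data = bytearray(f.read())
        data[0] ^= 0x01
        with open(path, "wb") as f:
            f.write(data)
        after = verify_files(changes, d)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for name in SAMPLE_FILES:
        print(f"{name}: {before[name]} -> {after[name]}")
```

The check establishes integrity only: a digest that matches the .changes proves the download is the file the uploader described, and nothing more unless the clearsigned .changes itself has been verified against the maintainer's key first.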




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 28 Sep 2018 07:30:32 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:24:13 2019; Machine Name: beach
