From 3820c4b934ddc90c7f34c923254f0b2c9fad2c4f Mon Sep 17 00:00:00 2001 From: Fabrice Fontaine Date: Sun, 5 Feb 2023 15:06:02 +0100 Subject: [PATCH] package/upx: security bump to version 4.0.2 Fix CVE-2023-23456: A heap-based buffer overflow issue was discovered in UPX in PackTmt::pack() in p_tmt.cpp file. The flow allows an attacker to cause a denial of service (abort) via a crafted file. Fix CVE-2023-23457: A Segmentation fault was found in UPX in PackLinuxElf64::invert_pt_dynamic() in p_lx_elf.cpp. An attacker with a crafted input file allows invalid memory address access that could lead to a denial of service. https://github.com/upx/upx/blob/v4.0.2/NEWS Signed-off-by: Fabrice Fontaine Signed-off-by: Yann E. MORIN (cherry picked from commit 02befac8f9404ae30d0d090221d21a8460c82ec7) Signed-off-by: Peter Korsgaard --- package/upx/upx.hash | 2 +- package/upx/upx.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package/upx/upx.hash b/package/upx/upx.hash index 9f7c40c819..7c24906152 100644 --- a/package/upx/upx.hash +++ b/package/upx/upx.hash @@ -1,3 +1,3 @@ # Locally computed: -sha256 77003c8e2e29aa9804e2fbaeb30f055903420b3e01d95eafe01aed957fb7e190 upx-4.0.1-src.tar.xz +sha256 1221e725b1a89e06739df27fae394d6bc88aedbe12f137c630ec772522cbc76f upx-4.0.2-src.tar.xz sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING diff --git a/package/upx/upx.mk b/package/upx/upx.mk index ef346b2310..6018b0a63d 100644 --- a/package/upx/upx.mk +++ b/package/upx/upx.mk @@ -4,7 +4,7 @@ # ################################################################################ -UPX_VERSION = 4.0.1 +UPX_VERSION = 4.0.2 UPX_SITE = https://github.com/upx/upx/releases/download/v$(UPX_VERSION) UPX_SOURCE = upx-$(UPX_VERSION)-src.tar.xz UPX_LICENSE = GPL-2.0+