Advisories ยป MGASA-2020-0096

Updated upx packages fix security vulnerabilities

Publication date: 24 Feb 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2018-11243 , CVE-2019-20021 , CVE-2019-20051 , CVE-2019-20053 , CVE-2019-1010048

Description

The updated packages fix security vulnerabilities:

PackLinuxElf64::unpack in p_lx_elf.cpp in UPX 3.95 allows remote attackers
to cause a denial of service (double free), limit the ability of a malware
scanner to operate on the entire original data, or possibly have
 unspecified other impact via a crafted file. (CVE-2018-11243)

A heap-based buffer over-read was discovered in canUnpack in p_mach.cpp in
UPX 3.95 via a crafted Mach-O file. (CVE-2019-20021)

A floating-point exception was discovered in PackLinuxElf::elf_hash in
p_lx_elf.cpp in UPX 3.95. The vulnerability causes an application crash,
which leads to denial of service. (CVE-2019-20051)

An invalid memory address dereference was discovered in the canUnpack
function in p_mach.cpp in UPX 3.95 via a crafted Mach-O file.
(CVE-2019-20053)

A denial of service in PackLinuxElf32::PackLinuxElf32help1().
(CVE-2019-1010048)
                

References

SRPMS

7/core