diff options
author | Léo Le Bouter <lle-bout@zaclys.net> | 2021-03-26 22:51:14 +0100 |
---|---|---|
committer | Léo Le Bouter <lle-bout@zaclys.net> | 2021-03-26 22:52:33 +0100 |
commit | 53dd99bc0b2e23c5463b4cb95546fd438a72d229 (patch) | |
tree | c1cb3205914000f4896e93e609c86ad863413d82 | |
parent | 147b86ad30bb574e0d3b4e30486b70ae31fd16c3 (diff) | |
download | guix-53dd99bc0b2e23c5463b4cb95546fd438a72d229.tar.gz |
gnu: upx: Fix CVE-2021-20285.
* gnu/packages/patches/upx-CVE-2021-20285.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/compression.scm (upx): Apply patch.
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/compression.scm | 3 | ||||
-rw-r--r-- | gnu/packages/patches/upx-CVE-2021-20285.patch | 76 |
3 files changed, 79 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 40956598db..f8c4e73402 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1765,6 +1765,7 @@ dist_patch_DATA = \ %D%/packages/patches/unzip-zipbomb-part2.patch \ %D%/packages/patches/unzip-zipbomb-part3.patch \ %D%/packages/patches/unzip-32bit-zipbomb-fix.patch \ + %D%/packages/patches/upx-CVE-2021-20285.patch \ %D%/packages/patches/ustr-fix-build-with-gcc-5.patch \ %D%/packages/patches/util-linux-tests.patch \ %D%/packages/patches/upower-builddir.patch \ diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index 2d065046ee..ef73e6038b 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -2100,7 +2100,8 @@ decompression is a little bit slower.") version "/upx-" version "-src.tar.xz")) (sha256 (base32 - "051pk5jk8fcfg5mpgzj43z5p4cn7jy5jbyshyn78dwjqr7slsxs7")))) + "051pk5jk8fcfg5mpgzj43z5p4cn7jy5jbyshyn78dwjqr7slsxs7")) + (patches (search-patches "upx-CVE-2021-20285.patch")))) (build-system gnu-build-system) (native-inputs `(("perl" ,perl))) diff --git a/gnu/packages/patches/upx-CVE-2021-20285.patch b/gnu/packages/patches/upx-CVE-2021-20285.patch new file mode 100644 index 0000000000..1d47b2a8bb --- /dev/null +++ b/gnu/packages/patches/upx-CVE-2021-20285.patch @@ -0,0 +1,76 @@ +From 3781df9da23840e596d5e9e8493f22666802fe6c Mon Sep 17 00:00:00 2001 +From: John Reiser <jreiser@BitWagon.com> +Date: Fri, 11 Dec 2020 13:38:18 -0800 +Subject: [PATCH] Check DT_REL/DT_RELA, DT_RELSZ/DT_RELASZ + +https://github.com/upx/upx/issues/421 + modified: p_lx_elf.cpp +--- + src/p_lx_elf.cpp | 34 +++++++++++++++++++++++++++++----- + 1 file changed, 29 insertions(+), 5 deletions(-) + +diff --git a/src/p_lx_elf.cpp b/src/p_lx_elf.cpp +index 182db192..3a4101cf 100644 +--- a/src/p_lx_elf.cpp ++++ b/src/p_lx_elf.cpp +@@ -2222,8 +2222,20 @@ bool PackLinuxElf32::canPack() + int z_rsz = dt_table[Elf32_Dyn::DT_RELSZ]; + if (z_rel && z_rsz) { + unsigned rel_off = get_te32(&dynseg[-1+ z_rel].d_val); ++ if ((unsigned)file_size <= rel_off) { ++ char msg[70]; snprintf(msg, sizeof(msg), ++ "bad Elf32_Dynamic[DT_REL] %#x\n", ++ rel_off); ++ throwCantPack(msg); ++ } + Elf32_Rel *rp = (Elf32_Rel *)&file_image[rel_off]; + unsigned relsz = get_te32(&dynseg[-1+ z_rsz].d_val); ++ if ((unsigned)file_size <= relsz) { ++ char msg[70]; snprintf(msg, sizeof(msg), ++ "bad Elf32_Dynamic[DT_RELSZ] %#x\n", ++ relsz); ++ throwCantPack(msg); ++ } + Elf32_Rel *last = (Elf32_Rel *)(relsz + (char *)rp); + for (; rp < last; ++rp) { + unsigned r_va = get_te32(&rp->r_offset); +@@ -2562,14 +2574,26 @@ PackLinuxElf64::canPack() + int z_rel = dt_table[Elf64_Dyn::DT_RELA]; + int z_rsz = dt_table[Elf64_Dyn::DT_RELASZ]; + if (z_rel && z_rsz) { +- unsigned rel_off = get_te64(&dynseg[-1+ z_rel].d_val); ++ upx_uint64_t rel_off = get_te64(&dynseg[-1+ z_rel].d_val); ++ if ((u64_t)file_size <= rel_off) { ++ char msg[70]; snprintf(msg, sizeof(msg), ++ "bad Elf64_Dynamic[DT_RELA] %#llx\n", ++ rel_off); ++ throwCantPack(msg); ++ } + Elf64_Rela *rp = (Elf64_Rela *)&file_image[rel_off]; +- unsigned relsz = get_te64(&dynseg[-1+ z_rsz].d_val); ++ upx_uint64_t relsz = get_te64(&dynseg[-1+ z_rsz].d_val); ++ if ((u64_t)file_size <= relsz) { ++ char msg[70]; snprintf(msg, sizeof(msg), ++ "bad Elf64_Dynamic[DT_RELASZ] %#llx\n", ++ relsz); ++ throwCantPack(msg); ++ } + Elf64_Rela *last = (Elf64_Rela *)(relsz + (char *)rp); + for (; rp < last; ++rp) { +- unsigned r_va = get_te64(&rp->r_offset); ++ upx_uint64_t r_va = get_te64(&rp->r_offset); + if (r_va == user_init_ava) { // found the Elf64_Rela +- unsigned r_info = get_te64(&rp->r_info); ++ upx_uint64_t r_info = get_te64(&rp->r_info); + unsigned r_type = ELF64_R_TYPE(r_info); + if (Elf64_Ehdr::EM_AARCH64 == e_machine + && R_AARCH64_RELATIVE == r_type) { +@@ -2581,7 +2605,7 @@ PackLinuxElf64::canPack() + } + else { + char msg[50]; snprintf(msg, sizeof(msg), +- "bad relocation %#x DT_INIT_ARRAY[0]", ++ "bad relocation %#llx DT_INIT_ARRAY[0]", + r_info); + throwCantPack(msg); + } |