Your message dated Thu, 11 Jan 2024 23:20:23 +0000
with message-id <e1ro4lx-004fgi...@fasolo.debian.org>
and subject line Bug#1033258: fixed in upx-ucl 4.2.2-1
has caused the Debian Bug report #1033258,
regarding upx-ucl: CVE-2023-23456
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1033258: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033258
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: upx-ucl
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for upx-ucl.
CVE-2023-23456[0]:
| A heap-based buffer overflow issue was discovered in UPX in
| PackTmt::pack() in p_tmt.cpp file. The flow allows an attacker to
| cause a denial of service (abort) via a crafted file.
https://github.com/upx/upx/commit/510505a85cbe45e51fbd470f1aa8b02157c429d4
https://github.com/upx/upx/issues/632
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-23456
https://www.cve.org/CVERecord?id=CVE-2023-23456
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: upx-ucl
Source-Version: 4.2.2-1
Done: Robert Luberda <rob...@debian.org>
We believe that the bug you reported is fixed in the latest version of
upx-ucl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1033...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Robert Luberda <rob...@debian.org> (supplier of updated upx-ucl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 11 Jan 2024 23:00:58 +0100
Source: upx-ucl
Architecture: source
Version: 4.2.2-1
Distribution: unstable
Urgency: medium
Maintainer: Robert Luberda <rob...@debian.org>
Changed-By: Robert Luberda <rob...@debian.org>
Closes: 1004137 1025053 1033258
Changes:
upx-ucl (4.2.2-1) unstable; urgency=medium
.
  * New upstream version (closes: #1025053):
    - fixes heap-based buffer overflow issue CVE-2023-23456 (closes: #1033258);
    - fixes segmentation fault issue CVE-2023-23457 (closes: #1033258);
    - fixes execution of compressed MIPS binaries (closes: #1004137);
    - unfortunately both zlib and ucl libraries are now embedded into
      the upx-ucl binary - this should be fixed in the future somehow.
  * Remove no longer needed patches 02-arm64-crashes.patch and
    03-upstream-silence-compilation-warnings.patch.
  * Update debian/source/lintian-overrides in an attempt to disable its useless
    checks on debian/tests files (see: #1025452).
  * Update debian/rules for cmake that is now used by upstream.
  * Add new debian/test cases for the above CVE issues.
  * Update debian/copyright.
  * Update standards version to 4.6.2, no changes needed.
Checksums-Sha1:
8efa9e19f6f0ef7d36adc92186b333dbb289a4e3 1884 upx-ucl_4.2.2-1.dsc
b9144e18a250312576134eb8f21dfdd4044feeee 1275320 upx-ucl_4.2.2.orig.tar.xz
c8758f77d3ffe29a0e1aa778607aaeec0640884f 64892 upx-ucl_4.2.2-1.debian.tar.xz
0ad0f3092efef8f2a1003ff41042b3e5fd90c75d 7370 upx-ucl_4.2.2-1_amd64.buildinfo
Checksums-Sha256:
2e451b7dd95950cf32cbcf725c023bdd0dc5d774b4ff73fe947995b036148d3f 1884 upx-ucl_4.2.2-1.dsc
42ee0455eea610ef7ee732aa1f657b34a351ebcfa64a24c1e2a7aaec74c1e038 1275320 upx-ucl_4.2.2.orig.tar.xz
ce1b366a4cacd4ffc6e15af0fc991c0086dffacc2149d43aa95e9fbcf2b6fa39 64892 upx-ucl_4.2.2-1.debian.tar.xz
a0a95d630258205493c0e67a776364e9118ba09d4d9dcafb2457c250b2a26212 7370 upx-ucl_4.2.2-1_amd64.buildinfo
Files:
cbe142d0d840cc1f5ac6df6ca179b1e2 1884 utils optional upx-ucl_4.2.2-1.dsc
97ea082bc7240b8083316293e2be0e29 1275320 utils optional upx-ucl_4.2.2.orig.tar.xz
7db90a6a34a0cfcad9cb122776751afe 64892 utils optional upx-ucl_4.2.2-1.debian.tar.xz
a03369152abbc41d68b66864f636c940 7370 utils optional upx-ucl_4.2.2-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---