Your message dated Wed, 16 Apr 2025 01:04:26 +0000
with message-id <e1u4rcu-00atnd...@fasolo.debian.org>
and subject line Bug#1101500: fixed in upx-ucl 4.2.4-1.1
has caused the Debian Bug report #1101500,
regarding upx-ucl: CVE-2025-2849
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1101500: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101500
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: upx-ucl
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for upx-ucl.
CVE-2025-2849[0]:
| A vulnerability, which was classified as problematic, was found in
| UPX up to 5.0.0. Affected is the function PackLinuxElf64::un_DT_INIT
| of the file src/p_lx_elf.cpp. The manipulation leads to heap-based
| buffer overflow. It is possible to launch the attack on the local
| host. The exploit has been disclosed to the public and may be used.
| The patch is identified as e0b6ff192412f5bb5364c1948f4f6b27a0cd5ea2.
| It is recommended to apply a patch to fix this issue.
https://github.com/upx/upx/issues/898
https://github.com/upx/upx/commit/e0b6ff192412f5bb5364c1948f4f6b27a0cd5ea2
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-2849
https://www.cve.org/CVERecord?id=CVE-2025-2849
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: upx-ucl
Source-Version: 4.2.4-1.1
Done: Matheus Polkorny <mpolko...@gmail.com>
We believe that the bug you reported is fixed in the latest version of
upx-ucl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1101...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Matheus Polkorny <mpolko...@gmail.com> (supplier of updated upx-ucl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 05 Apr 2025 22:37:37 -0300
Source: upx-ucl
Architecture: source
Version: 4.2.4-1.1
Distribution: unstable
Urgency: medium
Maintainer: Robert Luberda <rob...@debian.org>
Changed-By: Matheus Polkorny <mpolko...@gmail.com>
Closes: 1101500
Changes:
upx-ucl (4.2.4-1.1) unstable; urgency=medium
.
* Non-maintainer upload.
* d/p/CVE-2025-2849.patch: Import upstream patch to fix CVE-2025-2849.
Fix heap-based buffer overflow in PackLinuxElf64::un_DT_INIT (closes:
#1101500).
Checksums-Sha1:
0aac8029933325042c3bcdd0b25d57b725fbdaca 1892 upx-ucl_4.2.4-1.1.dsc
7f390885430bab7c34c1fec8bfe0827573999688 67808 upx-ucl_4.2.4-1.1.debian.tar.xz
44c862aa2039aee0d04d3f0128e24462015a504e 7219 upx-ucl_4.2.4-1.1_amd64.buildinfo
Checksums-Sha256:
2a742074b4c64af33c96e248726b4bc546a5f20e3f19211cd92e894f16ff2540 1892 upx-ucl_4.2.4-1.1.dsc
410475f95f608287a13b5c038c14ed49013c710b00053e86eeb25a40d3395159 67808 upx-ucl_4.2.4-1.1.debian.tar.xz
414f4724f36d2f38b0d9b907f354728073fecc4250a0518df7715659928743be 7219 upx-ucl_4.2.4-1.1_amd64.buildinfo
Files:
ee24358b7e5a843f02f8be14f631153b 1892 utils optional upx-ucl_4.2.4-1.1.dsc
9ab755d43d6b7635363c81915e06df8e 67808 utils optional upx-ucl_4.2.4-1.1.debian.tar.xz
382c4a6497717fd3197022454141b037 7219 utils optional upx-ucl_4.2.4-1.1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---