commit: ec0f3f52f3f3d4dd8a267f5788cd5e440b2f86d2 Author: Azamat H. Hackimov <azamat.hackimov <AT> gmail <DOT> com> AuthorDate: Sat Mar 27 12:08:19 2021 +0000 Commit: Conrad Kostecki <conikost <AT> gentoo <DOT> org> CommitDate: Sat Mar 27 14:24:13 2021 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ec0f3f52
app-arch/upx: fix CVE-2021-20285 Patch taken from upstream commit https://github.com/upx/upx/commit/3781df9da23840e596d5e9e8493f22666802fe6c. Bug: https://bugs.gentoo.org/778530 Package-Manager: Portage-3.0.13, Repoman-3.0.2 Signed-off-by: Azamat H. Hackimov <azamat.hackimov <AT> gmail.com> Signed-off-by: Conrad Kostecki <conikost <AT> gentoo.org> app-arch/upx/files/upx-3.96_CVE-2021-20285.patch | 76 ++++++++++++++++++++++++ app-arch/upx/upx-3.96-r1.ebuild | 38 ++++++++++++ 2 files changed, 114 insertions(+) diff --git a/app-arch/upx/files/upx-3.96_CVE-2021-20285.patch b/app-arch/upx/files/upx-3.96_CVE-2021-20285.patch new file mode 100644 index 00000000000..1d47b2a8bb6 --- /dev/null +++ b/app-arch/upx/files/upx-3.96_CVE-2021-20285.patch @@ -0,0 +1,76 @@ +From 3781df9da23840e596d5e9e8493f22666802fe6c Mon Sep 17 00:00:00 2001 +From: John Reiser <[email protected]> +Date: Fri, 11 Dec 2020 13:38:18 -0800 +Subject: [PATCH] Check DT_REL/DT_RELA, DT_RELSZ/DT_RELASZ + +https://github.com/upx/upx/issues/421 + modified: p_lx_elf.cpp +--- + src/p_lx_elf.cpp | 34 +++++++++++++++++++++++++++++----- + 1 file changed, 29 insertions(+), 5 deletions(-) + +diff --git a/src/p_lx_elf.cpp b/src/p_lx_elf.cpp +index 182db192..3a4101cf 100644 +--- a/src/p_lx_elf.cpp ++++ b/src/p_lx_elf.cpp +@@ -2222,8 +2222,20 @@ bool PackLinuxElf32::canPack() + int z_rsz = dt_table[Elf32_Dyn::DT_RELSZ]; + if (z_rel && z_rsz) { + unsigned rel_off = get_te32(&dynseg[-1+ z_rel].d_val); ++ if ((unsigned)file_size <= rel_off) { ++ char msg[70]; snprintf(msg, sizeof(msg), ++ "bad Elf32_Dynamic[DT_REL] %#x\n", ++ rel_off); ++ throwCantPack(msg); ++ } + Elf32_Rel *rp = (Elf32_Rel *)&file_image[rel_off]; + unsigned relsz = get_te32(&dynseg[-1+ z_rsz].d_val); ++ if ((unsigned)file_size <= relsz) { ++ char msg[70]; snprintf(msg, sizeof(msg), ++ "bad Elf32_Dynamic[DT_RELSZ] %#x\n", ++ relsz); ++ throwCantPack(msg); ++ } + Elf32_Rel *last = (Elf32_Rel *)(relsz + (char *)rp); + for (; rp < last; ++rp) { + unsigned r_va = get_te32(&rp->r_offset); +@@ -2562,14 +2574,26 @@ PackLinuxElf64::canPack() + int z_rel = dt_table[Elf64_Dyn::DT_RELA]; + int z_rsz = dt_table[Elf64_Dyn::DT_RELASZ]; + if (z_rel && z_rsz) { +- unsigned rel_off = get_te64(&dynseg[-1+ z_rel].d_val); ++ upx_uint64_t rel_off = get_te64(&dynseg[-1+ z_rel].d_val); ++ if ((u64_t)file_size <= rel_off) { ++ char msg[70]; snprintf(msg, sizeof(msg), ++ "bad Elf64_Dynamic[DT_RELA] %#llx\n", ++ rel_off); ++ throwCantPack(msg); ++ } + Elf64_Rela *rp = (Elf64_Rela *)&file_image[rel_off]; +- unsigned relsz = get_te64(&dynseg[-1+ z_rsz].d_val); ++ upx_uint64_t relsz = get_te64(&dynseg[-1+ z_rsz].d_val); ++ if ((u64_t)file_size <= relsz) { ++ char msg[70]; snprintf(msg, sizeof(msg), ++ "bad Elf64_Dynamic[DT_RELASZ] %#llx\n", ++ relsz); ++ throwCantPack(msg); ++ } + Elf64_Rela *last = (Elf64_Rela *)(relsz + (char *)rp); + for (; rp < last; ++rp) { +- unsigned r_va = get_te64(&rp->r_offset); ++ upx_uint64_t r_va = get_te64(&rp->r_offset); + if (r_va == user_init_ava) { // found the Elf64_Rela +- unsigned r_info = get_te64(&rp->r_info); ++ upx_uint64_t r_info = get_te64(&rp->r_info); + unsigned r_type = ELF64_R_TYPE(r_info); + if (Elf64_Ehdr::EM_AARCH64 == e_machine + && R_AARCH64_RELATIVE == r_type) { +@@ -2581,7 +2605,7 @@ PackLinuxElf64::canPack() + } + else { + char msg[50]; snprintf(msg, sizeof(msg), +- "bad relocation %#x DT_INIT_ARRAY[0]", ++ "bad relocation %#llx DT_INIT_ARRAY[0]", + r_info); + throwCantPack(msg); + } diff --git a/app-arch/upx/upx-3.96-r1.ebuild b/app-arch/upx/upx-3.96-r1.ebuild new file mode 100644 index 00000000000..26a73f6191a --- /dev/null +++ b/app-arch/upx/upx-3.96-r1.ebuild @@ -0,0 +1,38 @@ +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit toolchain-funcs + +DESCRIPTION="Ultimate Packer for eXecutables (free version using UCL compression and not NRV)" +HOMEPAGE="https://upx.github.io/"; +SRC_URI="https://github.com/upx/upx/releases/download/v${PV}/${P}-src.tar.xz"; + +LICENSE="GPL-2+ UPX-exception" # Read the exception before applying any patches +SLOT="0" +KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~ppc64 ~sparc ~x86" +IUSE="" + +RDEPEND=">=dev-libs/ucl-1.03 + sys-libs/zlib + !app-arch/upx-bin" +DEPEND="${RDEPEND} + dev-lang/perl" + +S="${WORKDIR}/${P}-src" + +PATCHES=( + "${FILESDIR}/${P}_CVE-2021-20285.patch" +) + +src_compile() { + tc-export CXX + emake CXXFLAGS_WERROR="" all +} + +src_install() { + newbin src/upx.out upx + dodoc BUGS NEWS PROJECTS README* THANKS doc/*.txt doc/upx.html + doman doc/upx.1 +}
