diff -Nru upx-ucl-3.95/debian/changelog upx-ucl-3.95/debian/changelog --- upx-ucl-3.95/debian/changelog 2018-08-28 19:47:27.000000000 +0000 +++ upx-ucl-3.95/debian/changelog 2019-07-29 19:08:27.000000000 +0000 @@ -1,3 +1,16 @@ +upx-ucl (3.95-2) unstable; urgency=medium + + * Add two new patches, namely 02-Ignore-malformed-ElfXX_Shdr.patch, and + 03-Malformed-input.patch, taken from upstream to fix CVE-2019-14295, + and CVE-2019-14296 (closes: #933232). + * Add autopkgtest check for the above bug fix. + * Bump debhelper's compat version to 12. + * debian/rules: Use DPKG_*_MAINT_APPEND variables and buildflags.mk + to setup build flags. + * Standards-Version: 4.4.0. + + -- Robert Luberda Mon, 29 Jul 2019 21:10:27 +0200 + upx-ucl (3.95-1) unstable; urgency=medium * New upstream version: diff -Nru upx-ucl-3.95/debian/compat upx-ucl-3.95/debian/compat --- upx-ucl-3.95/debian/compat 2018-08-28 19:47:27.000000000 +0000 +++ upx-ucl-3.95/debian/compat 2019-07-29 19:08:27.000000000 +0000 @@ -1 +1 @@ -11 +12 diff -Nru upx-ucl-3.95/debian/control upx-ucl-3.95/debian/control --- upx-ucl-3.95/debian/control 2018-08-28 19:47:27.000000000 +0000 +++ upx-ucl-3.95/debian/control 2019-07-29 19:08:27.000000000 +0000 @@ -2,10 +2,8 @@ Section: utils Priority: optional Maintainer: Robert Luberda -Standards-Version: 4.2.1 -Build-Depends: debhelper (>= 11), - libucl-dev (>= 1.03), - zlib1g-dev (>= 1:1.1.4) +Standards-Version: 4.4.0 +Build-Depends: debhelper (>= 12), libucl-dev (>= 1.03), zlib1g-dev (>= 1:1.1.4) Homepage: https://upx.github.io/ Rules-Requires-Root: no Vcs-Git: https://salsa.debian.org/debian/upx-ucl.git 
@@ -15,6 +13,7 @@ Architecture: any Provides: upx Depends: ${misc:Depends}, ${shlibs:Depends} +Pre-Depends: ${misc:Pre-Depends} Description: efficient live-compressor for executables UPX is an advanced executable file compressor. UPX will typically reduce the file size of programs and DLLs by around 50%-70%, thus diff -Nru upx-ucl-3.95/debian/docs upx-ucl-3.95/debian/docs --- upx-ucl-3.95/debian/docs 2018-08-28 19:47:27.000000000 +0000 +++ upx-ucl-3.95/debian/docs 2019-07-29 19:08:27.000000000 +0000 @@ -2,5 +2,5 @@ PROJECTS README THANKS -doc/upx.html doc/upx.doc +doc/upx.html diff -Nru upx-ucl-3.95/debian/patches/01-Documentation.patch upx-ucl-3.95/debian/patches/01-Documentation.patch --- upx-ucl-3.95/debian/patches/01-Documentation.patch 2018-08-28 19:47:27.000000000 +0000 +++ upx-ucl-3.95/debian/patches/01-Documentation.patch 2019-07-29 19:08:27.000000000 +0000 @@ -1,14 +1,13 @@ From: Robert Luberda Date: Sun, 29 Sep 2002 13:50:30 +0100 -Subject: 01 Documentation. +Subject: Add full path to the copyright file. -Add full path to the copyright file. --- doc/upx.pod | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/upx.pod b/doc/upx.pod -index 90507c0..a6e60de 100644 +index 98865e1..ccd1b79 100644 --- a/doc/upx.pod +++ b/doc/upx.pod @@ -24,7 +24,7 @@ no memory overhead or other drawbacks for most of the formats supported, diff -Nru upx-ucl-3.95/debian/patches/02-Ignore-malformed-ElfXX_Shdr.patch upx-ucl-3.95/debian/patches/02-Ignore-malformed-ElfXX_Shdr.patch --- upx-ucl-3.95/debian/patches/02-Ignore-malformed-ElfXX_Shdr.patch 1970-01-01 00:00:00.000000000 +0000 +++ upx-ucl-3.95/debian/patches/02-Ignore-malformed-ElfXX_Shdr.patch 2019-07-29 19:08:27.000000000 +0000 
@@ -0,0 +1,26 @@
+From: John Reiser
+Date: Sun, 21 Jul 2019 07:40:21 -0700
+Subject: Ignore malformed ElfXX_Shdr in search for .text or .note
+
+https://github.com/upx/upx/issues/287
+ modified: p_vmlinx.cpp
+
+Patch taken from https://github.com/upx/upx/commit/276b748aa6021c38a2dc699153f61b10e76bc3d2
+
+Bugs-Debian: https://bugs.debian.org/#933232
+---
+ src/p_vmlinx.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/p_vmlinx.cpp b/src/p_vmlinx.cpp
+index 8c655d7..e350db0 100644
+--- a/src/p_vmlinx.cpp
++++ b/src/p_vmlinx.cpp
+@@ -577,6 +577,7 @@ int PackVmlinuxBase::canUnpack()
+ Shdr *p;
+ for (p= shdri, j= ehdri.e_shnum; --j>=0; ++p) {
+ if ((unsigned)file_size < (p->sh_size + p->sh_offset)
++ || (5+ p->sh_name) < p->sh_name // wrap: ignore malformed
+ || shstrsec->sh_size < (5+ p->sh_name) ) {
+ continue;
+ }
diff -Nru upx-ucl-3.95/debian/patches/03-Malformed-input.patch upx-ucl-3.95/debian/patches/03-Malformed-input.patch
--- upx-ucl-3.95/debian/patches/03-Malformed-input.patch 1970-01-01 00:00:00.000000000 +0000
+++ upx-ucl-3.95/debian/patches/03-Malformed-input.patch 2019-07-29 19:08:27.000000000 +0000
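Review bot: In 02-Ignore-malformed-ElfXX_Shdr.patch, the first bound of the canUnpack() condition, `(unsigned)file_size < (p->sh_size + p->sh_offset)`, is still an additive check, so the new wrap test on `5+ p->sh_name` covers only one of the two sums a crafted section header controls. A large `sh_size` plus `sh_offset` can wrap to a small value and pass, and the `(unsigned)` cast may truncate `file_size` if that type is wider than `unsigned`. The subtraction form that 03-Malformed-input.patch uses in getElfSections() would fit here as well: `if ((unsigned long)file_size < p->sh_offset || ((unsigned long)file_size - p->sh_offset) < p->sh_size`. The field types and the declaration of `file_size` are not visible in the hunk, so the cast width should be confirmed; the loop body continues outside the hunk.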
@@ -0,0 +1,32 @@
+From: John Reiser
+Date: Sun, 21 Jul 2019 10:48:50 -0700
+Subject: Better checking for malformed input
+
+https://github.com/upx/upx/issues/286
+
+Patch taken from https://github.com/upx/upx/commit/58b122d97da1e02dfec24b10b6b8f56218b5622c
+
+Bugs-Debian: https://bugs.debian.org/#933232
+---
+ src/p_vmlinx.cpp | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/p_vmlinx.cpp b/src/p_vmlinx.cpp
+index e350db0..ab568ed 100644
+--- a/src/p_vmlinx.cpp
++++ b/src/p_vmlinx.cpp
+@@ -111,9 +111,11 @@ typename T::Shdr const *PackVmlinuxBase::getElfSections()
+ int j;
+ for (p = shdri, j= ehdri.e_shnum; --j>=0; ++p) {
+ if (Shdr::SHT_STRTAB==p->sh_type
+- && (p->sh_size + p->sh_offset) <= (unsigned long)file_size
+- && p->sh_name < p->sh_size
+- && (10+ p->sh_name) <= p->sh_size // 1+ strlen(".shstrtab")
++ && p->sh_offset < (unsigned long)file_size
++ && p->sh_size <= ((unsigned long)file_size - p->sh_offset)
++ && p->sh_name < (unsigned long)file_size
++ && 10 <= ((unsigned long)file_size - p->sh_name)
++ // 10 == (1+ strlen(".shstrtab"))
+ ) {
+ delete [] shstrtab;
+ shstrtab = new char[1+ p->sh_size];
diff -Nru upx-ucl-3.95/debian/patches/series upx-ucl-3.95/debian/patches/series
--- upx-ucl-3.95/debian/patches/series 2018-08-28 19:47:27.000000000 +0000
+++ upx-ucl-3.95/debian/patches/series 2019-07-29 19:08:27.000000000 +0000
@@ -1 +1,3 @@
 01-Documentation.patch
+02-Ignore-malformed-ElfXX_Shdr.patch
+03-Malformed-input.patch
diff -Nru upx-ucl-3.95/debian/rules upx-ucl-3.95/debian/rules
--- upx-ucl-3.95/debian/rules 2018-08-28 19:47:27.000000000 +0000
+++ upx-ucl-3.95/debian/rules 2019-07-29 19:08:27.000000000 +0000
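Review bot: In 03-Malformed-input.patch, the two new `sh_name` conditions in getElfSections() bound the name offset against `file_size`, while the buffer allocated just below is `new char[1+ p->sh_size]`; the removed lines were the only ones tying `sh_name` to `sh_size`. If the code after the hunk indexes `shstrtab` by `p->sh_name` (not visible here), a header whose `sh_name` lies at or beyond `sh_size` but still inside the file would pass this check and be read outside the allocation. Keeping the relation in wrap-free form preserves the old guarantee alongside the new file-size bounds: `&& p->sh_name < p->sh_size` and `&& 10 <= (p->sh_size - p->sh_name)`. The loop body continues outside the hunk, so the use of `sh_name` should be confirmed there.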
@@ -2,28 +2,25 @@ DH_AUTO_OPTIONS := -v -Smakefile --parallel package := $(shell dh_listpackages) - - -include /usr/share/dpkg/architecture.mk - -export DEB_BUILD_MAINT_OPTIONS=hardening=+all export DESTDIR := $(CURDIR)/debian/$(package) - export UPX_UCLDIR := /none export UPX_LZMADIR := /usr/include/lzma -export CXXFLAGS := $(shell dpkg-buildflags --get CXXFLAGS) -export CPPFLAGS := -DWITH_UCL -D_FILE_OFFSET_BITS=64 \ - $(shell dpkg-buildflags --get CPPFLAGS) -export LDFLAGS := $(shell dpkg-buildflags --get LDFLAGS) + +include /usr/share/dpkg/architecture.mk + +DEB_BUILD_MAINT_OPTIONS := hardening=+all +DEB_CPPFLAGS_MAINT_APPEND := -DWITH_UCL -D_FILE_OFFSET_BITS=64 ifeq ($(DEB_HOST_ARCH_ENDIAN),big) - CPPFLAGS += -D__BIG_ENDIAN__=1 + DEB_CPPFLAGS_MAINT_APPEND += -D__BIG_ENDIAN__=1 endif +DPKG_EXPORT_BUILDFLAGS := 1 +include /usr/share/dpkg/buildflags.mk + %: dh "$@" override_dh_auto_build: - # Add here commands to compile the package. @echo "Starting build process ($(DEB_HOST_ARCH))" dh_auto_build $(DH_AUTO_OPTIONS) -- \ CXXFLAGS_OPTIMIZE= \ diff -Nru upx-ucl-3.95/debian/source/include-binaries upx-ucl-3.95/debian/source/include-binaries --- upx-ucl-3.95/debian/source/include-binaries 2018-08-28 19:47:27.000000000 +0000 +++ upx-ucl-3.95/debian/source/include-binaries 2019-07-29 19:08:27.000000000 +0000 @@ -6,3 +6,5 @@ debian/tests/data/899190-poc1 debian/tests/data/899190-poc2 debian/tests/data/907426-poc_free +debian/tests/data/933232-poc-buffer-overflow +debian/tests/data/933232-poc-integer-overflow diff -Nru upx-ucl-3.95/debian/tests/control upx-ucl-3.95/debian/tests/control --- upx-ucl-3.95/debian/tests/control 2018-08-28 19:47:27.000000000 +0000 +++ upx-ucl-3.95/debian/tests/control 2019-07-29 19:08:27.000000000 +0000 
@@ -24,3 +24,9 @@ Test-Command: ./debian/tests/regressions-check -d 907426-poc_free "Exception: compressed data violation" Features: test-name=bug907426-check Restrictions: flaky + +Test-Command: ./debian/tests/regressions-check -d 933232-poc-integer-overflow "CantUnpackException: bad e_phoff" +Features: test-name=bug933232-check1 + +Test-Command: ./debian/tests/regressions-check --no-qq -d 933232-poc-buffer-overflow "NotPackedException: not packed by UPX" 2 +Features: test-name=bug933232-check2 Binary files /tmp/tmpJ8w3xD/517qx86PJP/upx-ucl-3.95/debian/tests/data/933232-poc-buffer-overflow and /tmp/tmpJ8w3xD/b8QFROfkpO/upx-ucl-3.95/debian/tests/data/933232-poc-buffer-overflow differ Binary files /tmp/tmpJ8w3xD/517qx86PJP/upx-ucl-3.95/debian/tests/data/933232-poc-integer-overflow and /tmp/tmpJ8w3xD/b8QFROfkpO/upx-ucl-3.95/debian/tests/data/933232-poc-integer-overflow differ diff -Nru upx-ucl-3.95/debian/tests/regressions-check upx-ucl-3.95/debian/tests/regressions-check --- upx-ucl-3.95/debian/tests/regressions-check 2018-08-28 19:47:27.000000000 +0000 +++ upx-ucl-3.95/debian/tests/regressions-check 2019-07-29 19:08:27.000000000 +0000 @@ -2,11 +2,12 @@ # autopkgtest check: Run regression checks, based on a few bugs reported in Debian BTS set -e -[ "$2" ] || { echo "Usage: $0 [ -d ] file-inside-data-dir expected-failure-message [ expected-status ]" >&2; exit 100; } +[ "$2" ] || { echo "Usage: $0 [ --no-qq ] [ -d ] file-inside-data-dir expected-failure-message [ expected-status ]" >&2; exit 100; } set -o nounset -UPXCMD="upx-ucl -qq" +UPXCMD="upx-ucl" +[ "$1" = "--no-qq" ] && shift || { UPXCMD="$UPXCMD -qq"; } [ "$1" != "-d" ] || { UPXCMD="$UPXCMD $1"; shift; } readonly DATAFILE="$(dirname $0)/data/$1"