GNU bug report logs -
#31487
[PATCH] gnu: Add upx.
Previous Next
Reported by: Pierre Neidhardt <ambrevar <at> gmail.com>
Date: Thu, 17 May 2018 22:52:01 UTC
Severity: normal
Tags: patch
Done: ludo <at> gnu.org (Ludovic Courtès)
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 31487 in the body.
You can then email your comments to 31487 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
guix-patches <at> gnu.org:
bug#31487; Package
guix-patches.
(Thu, 17 May 2018 22:52:01 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Pierre Neidhardt <ambrevar <at> gmail.com>:
New bug report received and forwarded. Copy sent to
guix-patches <at> gnu.org.
(Thu, 17 May 2018 22:52:01 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/compression.scm (ucl): New variable.
* gnu/packages/compression.scm (upx): New variable.
---
gnu/packages/compression.scm | 73 ++++++++++++++++++++++++++++++++++++
1 file changed, 73 insertions(+)
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 562a2bf8b..b0d7cd971 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -2151,3 +2151,76 @@ with @code{deflate} but offers more dense compression.
The specification of the Brotli Compressed Data Format is defined in RFC 7932.")
(license license:expat)))
+
+(define-public ucl
+ (package
+ (name "ucl")
+ (version "1.03")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "http://www.oberhumer.com/opensource/"
+ name "/download/" name "-" version ".tar.gz"))
+ (sha256
+ (base32
+ "0j036lkwsxvm15gr29n8wn07cqq79dswjs9k54939ms5zngjjrdq"))))
+ (build-system gnu-build-system)
+ (home-page "http://www.oberhumer.com/opensource/ucl/")
+ (synopsis "Portable lossless data compression library")
+ (description "UCL implements a number of compression algorithms that
+achieve an excellent compression ratio while allowing *very* fast
+decompression. Decompression requires no additional memory.
+
+UCL is an OpenSource re-implementation of some NRV compression algorithms.
+
+As compared to LZO, the UCL algorithms achieve a better compression ratio but
+decompression is a little bit slower. See below for some rough timings.")
+ (license license:gpl2)))
+
+(define-public upx
+ (package
+ (name "upx")
+ (version "3.94")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "https://github.com/upx/upx/releases/download/v"
+ version "/" name "-" version "-src.tar.xz"))
+ (sha256
+ (base32
+ "08anybdliqsbsl6x835iwzljahnm9i7v26icdjkcv33xmk6p5vw1"))))
+ (build-system gnu-build-system)
+ (native-inputs `(("zlib" ,zlib)
+ ("perl" ,perl)
+ ("ucl" ,ucl)))
+ (arguments
+ `(#:make-flags
+ (list "all"
+ ;; CHECK_WHITESPACE does not seem to work.
+ ;; See https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/upx.
+ "CHECK_WHITESPACE=true")
+ #:phases
+ (modify-phases %standard-phases
+ (delete 'configure)
+ (delete 'check)
+ (delete 'install)
+ (add-before 'build 'patch-exec-bin-sh
+ (lambda _
+ (substitute* (find-files "Makefile")
+ (("/bin/sh") (which "sh")))
+ (substitute* "src/Makefile"
+ (("/bin/sh") (which "sh")))
+ #t))
+ (add-after 'build 'install-upx
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let* ((out (assoc-ref outputs "out"))
+ (bin (string-append out "/bin")))
+ (mkdir-p bin)
+ (copy-file "src/upx.out" (string-append bin "/upx")))
+ #t))
+ )))
+ (home-page "https://upx.github.io/")
+ (synopsis "The Ultimate Packer for eXecutables")
+ (description "UPX is an advanced executable file compressor. UPX will
+typically reduce the file size of programs and DLLs by around 50%-70%, thus
+reducing disk space, network load times, download times and other distribution
+and storage costs.")
+ (license license:gpl2)))
--
2.17.0
Information forwarded
to
guix-patches <at> gnu.org:
bug#31487; Package
guix-patches.
(Fri, 18 May 2018 06:47:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 31487 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Forgot to add my name to the copyright list.
--
Pierre Neidhardt
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#31487; Package
guix-patches.
(Sat, 26 May 2018 20:15:02 GMT)
Full text and
rfc822 format available.
Message #11 received at 31487 <at> debbugs.gnu.org (full text, mbox):
Hello,
Pierre Neidhardt <ambrevar <at> gmail.com> skribis:
> * gnu/packages/compression.scm (ucl): New variable.
> * gnu/packages/compression.scm (upx): New variable.
I committed both as separate patches (the convention is to have one
patch per package), slightly changed descriptions to remove “marketing
speak”, and changed licenses to ‘gpl2+’ after checking the source file
headers.
There’s one issue left though:
$ ./pre-inst-env guix lint upx
gnu/packages/compression.scm:2179:2: upx <at> 3.94: probably vulnerable to CVE-2017-15056, CVE-2017-16869
Could you check whether patches are available for these? Better be safe
than sorry!
Thank you,
Ludo’.
Information forwarded
to
guix-patches <at> gnu.org:
bug#31487; Package
guix-patches.
(Sun, 27 May 2018 13:47:02 GMT)
Full text and
rfc822 format available.
Message #14 received at 31487 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Ludovic Courtès <ludo <at> gnu.org> writes:
> There’s one issue left though:
>
> $ ./pre-inst-env guix lint upx
> gnu/packages/compression.scm:2179:2: upx <at> 3.94: probably vulnerable to CVE-2017-15056, CVE-2017-16869
>
> Could you check whether patches are available for these? Better be safe
> than sorry!
Indeed they are.
They are not on the master branch though, only devel I think.
So what's the protocol here? Shall we cherry-pick the fixing commits or
get latest devel?
--
Pierre Neidhardt
The day advanced as if to light some work of mine; it was morning,
and lo! now it is evening, and nothing memorable is accomplished.
-- H.D. Thoreau
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#31487; Package
guix-patches.
(Mon, 28 May 2018 07:56:01 GMT)
Full text and
rfc822 format available.
Message #17 received at 31487 <at> debbugs.gnu.org (full text, mbox):
Hi Pierre,
Pierre Neidhardt <ambrevar <at> gmail.com> skribis:
> Ludovic Courtès <ludo <at> gnu.org> writes:
>
>> There’s one issue left though:
>>
>> $ ./pre-inst-env guix lint upx
>> gnu/packages/compression.scm:2179:2: upx <at> 3.94: probably vulnerable to CVE-2017-15056, CVE-2017-16869
>>
>> Could you check whether patches are available for these? Better be safe
>> than sorry!
>
> Indeed they are.
> They are not on the master branch though, only devel I think.
> So what's the protocol here? Shall we cherry-pick the fixing commits or
> get latest devel?
Yes. You can add them as individual patches (see commit
aa8ac0294421d465f60e18c8271f971ec8407a95 for an example); as usual, make
sure each patch starts with a few lines explaining what the patch does
and where it comes from (you can take the commit log for that plus a
repo URL, for instance.)
Then you can check that ‘guix lint upx’ is happy.
TIA!
Ludo’.
Information forwarded
to
guix-patches <at> gnu.org:
bug#31487; Package
guix-patches.
(Tue, 29 May 2018 06:43:02 GMT)
Full text and
rfc822 format available.
Message #20 received at 31487 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
The relevant issues:
- https://github.com/upx/upx/issues/146
- https://github.com/upx/upx/pull/190
Both CVEs were rejected, so I guess there is no need to include a patch.
--
Pierre Neidhardt
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#31487; Package
guix-patches.
(Tue, 29 May 2018 13:28:02 GMT)
Full text and
rfc822 format available.
Message #23 received at 31487 <at> debbugs.gnu.org (full text, mbox):
Pierre Neidhardt <ambrevar <at> gmail.com> skribis:
> The relevant issues:
>
> - https://github.com/upx/upx/issues/146
> - https://github.com/upx/upx/pull/190
Hmm I see that:
https://github.com/upx/upx/issues/128
corresponds to:
https://nvd.nist.gov/vuln/detail?vulnId=CVE%2D%32%30%31%37%2D%31%35%30%35%36
and:
https://nvd.nist.gov/vuln/detail?vulnId=CVE%2D%32%30%31%37%2D%31%36%38%36%39
corresponds to:
https://github.com/upx/upx/issues/146
The latter (CVE-2017-16869) is marked as “disputed” above, and I would
agree with the arguments of the UPX maintainers.
The authors did not react to the former (CVE-2017-15056, crash when
reading ELF files), other than by fixing it, but it does look similar in
spirit.
What about adding a patch for CVE-2017-15056 since it would at least fix
a concrete bug?
CVE-2017-16869 is also a bug but it concerns Mach-O files, which are
much less of a concern for our users I suppose. Patching it wouldn’t
hurt either, but you could also add a ‘lint-hidden-cve’ property for
CVE-2017-16869 with a comment.
TIA,
Ludo’.
Information forwarded
to
guix-patches <at> gnu.org:
bug#31487; Package
guix-patches.
(Fri, 15 Jun 2018 07:14:01 GMT)
Full text and
rfc822 format available.
Message #26 received at 31487 <at> debbugs.gnu.org (full text, mbox):
Ping! :-)
ludo <at> gnu.org (Ludovic Courtès) skribis:
> Pierre Neidhardt <ambrevar <at> gmail.com> skribis:
>
>> The relevant issues:
>>
>> - https://github.com/upx/upx/issues/146
>> - https://github.com/upx/upx/pull/190
>
> Hmm I see that:
>
> https://github.com/upx/upx/issues/128
> corresponds to:
> https://nvd.nist.gov/vuln/detail?vulnId=CVE%2D%32%30%31%37%2D%31%35%30%35%36
>
> and:
>
> https://nvd.nist.gov/vuln/detail?vulnId=CVE%2D%32%30%31%37%2D%31%36%38%36%39
> corresponds to:
> https://github.com/upx/upx/issues/146
>
> The latter (CVE-2017-16869) is marked as “disputed” above, and I would
> agree with the arguments of the UPX maintainers.
>
> The authors did not react to the former (CVE-2017-15056, crash when
> reading ELF files), other than by fixing it, but it does look similar in
> spirit.
>
> What about adding a patch for CVE-2017-15056 since it would at least fix
> a concrete bug?
>
> CVE-2017-16869 is also a bug but it concerns Mach-O files, which are
> much less of a concern for our users I suppose. Patching it wouldn’t
> hurt either, but you could also add a ‘lint-hidden-cve’ property for
> CVE-2017-16869 with a comment.
>
> TIA,
> Ludo’.
Information forwarded
to
guix-patches <at> gnu.org:
bug#31487; Package
guix-patches.
(Sat, 16 Jun 2018 14:56:01 GMT)
Full text and
rfc822 format available.
Message #29 received at 31487 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/patches/upx-protect-against-bad-crafted-input.patch: New file.
* gnu/packages/compression.scm (upx)[source]: Use it.
---
gnu/packages/compression.scm | 8 +-
...px-protect-against-bad-crafted-input.patch | 96 +++++++++++++++++++
2 files changed, 103 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/upx-protect-against-bad-crafted-input.patch
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 8f062049a..0be7962b3 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -2209,7 +2209,8 @@ decompression is a little bit slower.")
version "/" name "-" version "-src.tar.xz"))
(sha256
(base32
- "08anybdliqsbsl6x835iwzljahnm9i7v26icdjkcv33xmk6p5vw1"))))
+ "08anybdliqsbsl6x835iwzljahnm9i7v26icdjkcv33xmk6p5vw1"))
+ (patches (search-patches "upx-protect-against-bad-crafted-input.patch"))))
(build-system gnu-build-system)
(native-inputs `(("perl" ,perl)
("ucl" ,ucl)))
@@ -2241,6 +2242,11 @@ decompression is a little bit slower.")
#t))
)))
(home-page "https://upx.github.io/")
+ ;; CVE-16869 is about Mach-O files which is not of a big concern for Guix.
+ ;; See https://github.com/upx/upx/issues/146 and
+ ;; https://nvd.nist.gov/vuln/detail?vulnId=CVE%2D%32%30%31%37%2D%31%36%38%36%39.
+ ;; The issue will be fixed after version 3.94.
+ (properties `((lint-hidden-cve . ("CVE-2017-16869"))))
(synopsis "Compression tool for executables")
(description
"The Ultimate Packer for eXecutables (UPX) is an executable file
diff --git a/gnu/packages/patches/upx-protect-against-bad-crafted-input.patch b/gnu/packages/patches/upx-protect-against-bad-crafted-input.patch
new file mode 100644
index 000000000..525980e73
--- /dev/null
+++ b/gnu/packages/patches/upx-protect-against-bad-crafted-input.patch
@@ -0,0 +1,96 @@
+From 3e0c2966dffb5dadb512a476ef4be3d0cc51c2be Mon Sep 17 00:00:00 2001
+From: Pierre Neidhardt <ambrevar <at> gmail.com>
+Date: Sat, 16 Jun 2018 16:35:00 +0200
+Subject: [PATCH] Protect against bad crafted input
+
+Also check for wrap-around when checking oversize involving e_shoff and e_shnum.
+
+raised by https://github.com/upx/upx/pull/190
+ modified: p_lx_elf.cpp
+---
+ src/p_lx_elf.cpp | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/src/p_lx_elf.cpp b/src/p_lx_elf.cpp
+index 822a7652..41e805ee 100644
+--- a/src/p_lx_elf.cpp
++++ b/src/p_lx_elf.cpp
+@@ -235,8 +235,17 @@ PackLinuxElf32::PackLinuxElf32help1(InputFile *f)
+ sz_phdrs = 0;
+ return;
+ }
++ if (0==e_phnum) throwCantUnpack("0==e_phnum");
+ e_phoff = get_te32(&ehdri.e_phoff);
++ unsigned const last_Phdr = e_phoff + e_phnum * sizeof(Elf32_Phdr);
++ if (last_Phdr < e_phoff || (unsigned long)file_size < last_Phdr) {
++ throwCantUnpack("bad e_phoff");
++ }
+ e_shoff = get_te32(&ehdri.e_shoff);
++ unsigned const last_Shdr = e_shoff + e_shnum * sizeof(Elf32_Shdr);
++ if (last_Shdr < e_shoff || (unsigned long)file_size < last_Shdr) {
++ throwCantUnpack("bad e_shoff");
++ }
+ sz_phdrs = e_phnum * e_phentsize;
+
+ if (f && Elf32_Ehdr::ET_DYN!=e_type) {
+@@ -599,8 +608,17 @@ PackLinuxElf64::PackLinuxElf64help1(InputFile *f)
+ sz_phdrs = 0;
+ return;
+ }
++ if (0==e_phnum) throwCantUnpack("0==e_phnum");
+ e_phoff = get_te64(&ehdri.e_phoff);
++ upx_uint64_t const last_Phdr = e_phoff + e_phnum * sizeof(Elf64_Phdr);
++ if (last_Phdr < e_phoff || (unsigned long)file_size < last_Phdr) {
++ throwCantUnpack("bad e_phoff");
++ }
+ e_shoff = get_te64(&ehdri.e_shoff);
++ upx_uint64_t const last_Shdr = e_shoff + e_shnum * sizeof(Elf64_Shdr);
++ if (last_Shdr < e_shoff || (unsigned long)file_size < last_Shdr) {
++ throwCantUnpack("bad e_shoff");
++ }
+ sz_phdrs = e_phnum * e_phentsize;
+
+ if (f && Elf64_Ehdr::ET_DYN!=e_type) {
+@@ -3763,6 +3781,9 @@ void PackLinuxElf64::pack4(OutputFile *fo, Filter &ft)
+
+ void PackLinuxElf64::unpack(OutputFile *fo)
+ {
++ if (e_phoff != sizeof(Elf64_Ehdr)) {// Phdrs not contiguous with Ehdr
++ throwCantUnpack("bad e_phoff");
++ }
+ unsigned const c_phnum = get_te16(&ehdri.e_phnum);
+ upx_uint64_t old_data_off = 0;
+ upx_uint64_t old_data_len = 0;
+@@ -3828,6 +3849,9 @@ void PackLinuxElf64::unpack(OutputFile *fo)
+ unsigned total_out = 0;
+ unsigned c_adler = upx_adler32(NULL, 0);
+ unsigned u_adler = upx_adler32(NULL, 0);
++ if ((MAX_ELF_HDR - sizeof(Elf64_Ehdr))/sizeof(Elf64_Phdr) < u_phnum) {
++ throwCantUnpack("bad compressed e_phnum");
++ }
+
+ // Packed ET_EXE has no PT_DYNAMIC.
+ // Packed ET_DYN has original PT_DYNAMIC for info needed by rtld.
+@@ -4383,6 +4407,9 @@ Elf64_Sym const *PackLinuxElf64::elf_lookup(char const *name) const
+
+ void PackLinuxElf32::unpack(OutputFile *fo)
+ {
++ if (e_phoff != sizeof(Elf32_Ehdr)) {// Phdrs not contiguous with Ehdr
++ throwCantUnpack("bad e_phoff");
++ }
+ unsigned const c_phnum = get_te16(&ehdri.e_phnum);
+ unsigned old_data_off = 0;
+ unsigned old_data_len = 0;
+@@ -4449,6 +4476,9 @@ void PackLinuxElf32::unpack(OutputFile *fo)
+ unsigned total_out = 0;
+ unsigned c_adler = upx_adler32(NULL, 0);
+ unsigned u_adler = upx_adler32(NULL, 0);
++ if ((MAX_ELF_HDR - sizeof(Elf32_Ehdr))/sizeof(Elf32_Phdr) < u_phnum) {
++ throwCantUnpack("bad compressed e_phnum");
++ }
+
+ // Packed ET_EXE has no PT_DYNAMIC.
+ // Packed ET_DYN has original PT_DYNAMIC for info needed by rtld.
+--
+2.17.0
+
--
2.17.0
Information forwarded
to
guix-patches <at> gnu.org:
bug#31487; Package
guix-patches.
(Sat, 16 Jun 2018 14:59:02 GMT)
Full text and
rfc822 format available.
Message #32 received at 31487 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Ludovic Courtès <ludo <at> gnu.org> writes:
> Ping! :-)
Sorry for the long delay. I've just sent a patch.
I'm having issues with my development setup so I haven't been able to
test it.
--
Pierre Neidhardt
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#31487; Package
guix-patches.
(Sat, 16 Jun 2018 19:16:01 GMT)
Full text and
rfc822 format available.
Message #35 received at 31487 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
I've finally resolved issues with my Guix setup and I've successfully
tested the patched version of upx.
Feel free to merge.
--
Pierre Neidhardt
[signature.asc (application/pgp-signature, inline)]
Reply sent
to
ludo <at> gnu.org (Ludovic Courtès):
You have taken responsibility.
(Sat, 16 Jun 2018 21:58:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Pierre Neidhardt <ambrevar <at> gmail.com>:
bug acknowledged by developer.
(Sat, 16 Jun 2018 21:58:02 GMT)
Full text and
rfc822 format available.
Message #40 received at 31487-done <at> debbugs.gnu.org (full text, mbox):
Hello,
Pierre Neidhardt <ambrevar <at> gmail.com> skribis:
> * gnu/packages/patches/upx-protect-against-bad-crafted-input.patch: New file.
> * gnu/packages/compression.scm (upx)[source]: Use it.
I renamed the patch so that it includes the CVE id, added it to
gnu/local.mk, and committed.
Thanks!
Ludo’.
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Mon, 16 Jul 2018 11:24:11 GMT)
Full text and
rfc822 format available.
This bug report was last modified 6 years and 337 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.