GNU bug report logs - #31487
[PATCH] gnu: Add upx.

Package: guix-patches;

Reported by: Pierre Neidhardt <ambrevar <at> gmail.com>

Date: Thu, 17 May 2018 22:52:01 UTC

Severity: normal

Tags: patch

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.


From: ludo <at> gnu.org (Ludovic Courtès)
To: Pierre Neidhardt <ambrevar <at> gmail.com>
Cc: 31487 <at> debbugs.gnu.org
Subject: [bug#31487] [PATCH] gnu: Add upx.
Date: Tue, 29 May 2018 15:27:19 +0200

Pierre Neidhardt <ambrevar <at> gmail.com> wrote:

> The relevant issues:
>
> - https://github.com/upx/upx/issues/146
> - https://github.com/upx/upx/pull/190

Hmm I see that:

  https://github.com/upx/upx/issues/128
  corresponds to:
  https://nvd.nist.gov/vuln/detail?vulnId=CVE%2D%32%30%31%37%2D%31%35%30%35%36

and:

  https://nvd.nist.gov/vuln/detail?vulnId=CVE%2D%32%30%31%37%2D%31%36%38%36%39
  corresponds to:
  https://github.com/upx/upx/issues/146

The latter (CVE-2017-16869) is marked as “disputed” above, and I would
agree with the arguments of the UPX maintainers.

The authors did not react to the former (CVE-2017-15056, crash when
reading ELF files), other than by fixing it, but it does look similar in
spirit.

What about adding a patch for CVE-2017-15056 since it would at least fix
a concrete bug?

CVE-2017-16869 is also a bug but it concerns Mach-O files, which are
much less of a concern for our users I suppose.  Patching it wouldn’t
hurt either, but you could also add a ‘lint-hidden-cve’ property for
CVE-2017-16869 with a comment.

TIA,
Ludo’.




This bug report was last modified 6 years and 337 days ago.
