GNU bug report logs - #58977
[PATCH] gnu: upx: Update to 4.0.0.


Package: guix-patches;

Reported by: Zhu Zihao <all_but_last <at> 163.com>

Date: Thu, 3 Nov 2022 03:14:01 UTC

Severity: normal

Tags: patch

Done: Christopher Baines <mail <at> cbaines.net>

Bug is archived. No further changes may be made.


Report forwarded to guix-patches <at> gnu.org:
bug#58977; Package guix-patches. (Thu, 03 Nov 2022 03:14:01 GMT)

Acknowledgement sent to Zhu Zihao <all_but_last <at> 163.com>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Thu, 03 Nov 2022 03:14:01 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Zhu Zihao <all_but_last <at> 163.com>
To: guix-patches <at> gnu.org
Cc: Zhu Zihao <all_but_last <at> 163.com>
Subject: [PATCH] gnu: upx: Update to 4.0.0.
Date: Thu,  3 Nov 2022 11:13:09 +0800
* gnu/packages/compression.scm (upx): Update to 4.0.0.
[build-system]: Use cmake-build-system.
[arguments]: Remove all stale arguments.
* gnu/packages/patches/upx-CVE-2021-20285.patch: Delete.
* gnu/local.mk (dist_patch_DATA): Remove corresponding entry.
---
 gnu/local.mk                                  |  1 -
 gnu/packages/compression.scm                  | 45 +++--------
 gnu/packages/patches/upx-CVE-2021-20285.patch | 76 -------------------
 3 files changed, 11 insertions(+), 111 deletions(-)
 delete mode 100644 gnu/packages/patches/upx-CVE-2021-20285.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 57f20b7314..eb6ac3df58 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1954,7 +1954,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/unzip-zipbomb-part2.patch		\
   %D%/packages/patches/unzip-zipbomb-part3.patch		\
   %D%/packages/patches/unzip-32bit-zipbomb-fix.patch    \
-  %D%/packages/patches/upx-CVE-2021-20285.patch		\
   %D%/packages/patches/ustr-fix-build-with-gcc-5.patch		\
   %D%/packages/patches/util-linux-tests.patch			\
   %D%/packages/patches/util-linux-CVE-2021-3995.patch		\
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 857722ef4a..7b8977c8ce 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -35,6 +35,7 @@
 ;;; Copyright © 2021 Simon Tournier <zimon.toutoune <at> gmail.com>
 ;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
 ;;; Copyright © 2021 Ahmad Jarara <git <at> ajarara.io>
+;;; Copyright © 2022 Zhu Zihao <all_but_last <at> 163.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -2293,40 +2294,16 @@ (define-public ucl
 (define-public upx
   (package
     (name "upx")
-    (version "3.96")
-    (source (origin
-             (method url-fetch)
-             (uri (string-append "https://github.com/upx/upx/releases/download/v"
-                                 version "/upx-" version "-src.tar.xz"))
-             (sha256
-              (base32
-               "051pk5jk8fcfg5mpgzj43z5p4cn7jy5jbyshyn78dwjqr7slsxs7"))
-             (patches (search-patches "upx-CVE-2021-20285.patch"))))
-    (build-system gnu-build-system)
-    (native-inputs
-     (list perl))
-    (inputs
-     (list ucl zlib))
-    (arguments
-     `(#:make-flags
-       (list "all")
-       #:phases
-       (modify-phases %standard-phases
-         (delete 'configure)            ; no configure script
-         (delete 'check)                ; no test suite
-         (add-before 'build 'patch-exec-bin-sh
-           (lambda _
-             (substitute* (list "Makefile"
-                                "src/Makefile")
-               (("/bin/sh") (which "sh")))
-             #t))
-         (replace 'install
-           (lambda* (#:key outputs #:allow-other-keys)
-             (let* ((out (assoc-ref outputs "out"))
-                    (bin (string-append out "/bin")))
-               (mkdir-p bin)
-               (copy-file "src/upx.out" (string-append bin "/upx")))
-             #t)))))
+    (version "4.0.0")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "https://github.com/upx/upx/releases/download/v"
+                           version "/upx-" version "-src.tar.xz"))
+       (sha256
+        (base32
+         "1sinky0rq40q2qqzly99c5hdd6ilz2bxlbqla9lg0rafhbw3iyga"))))
+    (build-system cmake-build-system)
     (home-page "https://upx.github.io/")
     (synopsis "Compression tool for executables")
     (description
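Review bot: The commit message lists only [build-system] and [arguments], but this hunk also drops the `(patches (search-patches "upx-CVE-2021-20285.patch"))` field from the origin and removes the `native-inputs` (perl) and `inputs` (ucl, zlib) fields; each of those needs its own entry, e.g. "[source]: Remove patch." and "[native-inputs, inputs]: Remove." With ucl and zlib no longer declared as inputs, please say where the 4.0.0 CMake build gets them from; if they are copies shipped in the -src tarball, record that in a comment so the bundling is a visible decision rather than a side effect. The removed phases also contained `(delete 'check) ; no test suite`; with cmake-build-system and no `#:tests?` argument the default check phase now runs, so confirm that 4.0.0 has a test target, or add `#:tests? #f` with the reason.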
diff --git a/gnu/packages/patches/upx-CVE-2021-20285.patch b/gnu/packages/patches/upx-CVE-2021-20285.patch
deleted file mode 100644
index 1d47b2a8bb..0000000000
--- a/gnu/packages/patches/upx-CVE-2021-20285.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 3781df9da23840e596d5e9e8493f22666802fe6c Mon Sep 17 00:00:00 2001
-From: John Reiser <jreiser <at> BitWagon.com>
-Date: Fri, 11 Dec 2020 13:38:18 -0800
-Subject: [PATCH] Check DT_REL/DT_RELA, DT_RELSZ/DT_RELASZ
-
-https://github.com/upx/upx/issues/421
-	modified:   p_lx_elf.cpp
----
- src/p_lx_elf.cpp | 34 +++++++++++++++++++++++++++++-----
- 1 file changed, 29 insertions(+), 5 deletions(-)
-
-diff --git a/src/p_lx_elf.cpp b/src/p_lx_elf.cpp
-index 182db192..3a4101cf 100644
---- a/src/p_lx_elf.cpp
-+++ b/src/p_lx_elf.cpp
-@@ -2222,8 +2222,20 @@ bool PackLinuxElf32::canPack()
-                         int z_rsz = dt_table[Elf32_Dyn::DT_RELSZ];
-                         if (z_rel && z_rsz) {
-                             unsigned rel_off = get_te32(&dynseg[-1+ z_rel].d_val);
-+                            if ((unsigned)file_size <= rel_off) {
-+                                char msg[70]; snprintf(msg, sizeof(msg),
-+                                     "bad Elf32_Dynamic[DT_REL] %#x\n",
-+                                     rel_off);
-+                                throwCantPack(msg);
-+                            }
-                             Elf32_Rel *rp = (Elf32_Rel *)&file_image[rel_off];
-                             unsigned relsz   = get_te32(&dynseg[-1+ z_rsz].d_val);
-+                            if ((unsigned)file_size <= relsz) {
-+                                char msg[70]; snprintf(msg, sizeof(msg),
-+                                     "bad Elf32_Dynamic[DT_RELSZ] %#x\n",
-+                                     relsz);
-+                                throwCantPack(msg);
-+                            }
-                             Elf32_Rel *last = (Elf32_Rel *)(relsz + (char *)rp);
-                             for (; rp < last; ++rp) {
-                                 unsigned r_va = get_te32(&rp->r_offset);
-@@ -2562,14 +2574,26 @@ PackLinuxElf64::canPack()
-                         int z_rel = dt_table[Elf64_Dyn::DT_RELA];
-                         int z_rsz = dt_table[Elf64_Dyn::DT_RELASZ];
-                         if (z_rel && z_rsz) {
--                            unsigned rel_off = get_te64(&dynseg[-1+ z_rel].d_val);
-+                            upx_uint64_t rel_off = get_te64(&dynseg[-1+ z_rel].d_val);
-+                            if ((u64_t)file_size <= rel_off) {
-+                                char msg[70]; snprintf(msg, sizeof(msg),
-+                                     "bad Elf64_Dynamic[DT_RELA] %#llx\n",
-+                                     rel_off);
-+                                throwCantPack(msg);
-+                            }
-                             Elf64_Rela *rp = (Elf64_Rela *)&file_image[rel_off];
--                            unsigned relsz   = get_te64(&dynseg[-1+ z_rsz].d_val);
-+                            upx_uint64_t relsz   = get_te64(&dynseg[-1+ z_rsz].d_val);
-+                            if ((u64_t)file_size <= relsz) {
-+                                char msg[70]; snprintf(msg, sizeof(msg),
-+                                     "bad Elf64_Dynamic[DT_RELASZ] %#llx\n",
-+                                     relsz);
-+                                throwCantPack(msg);
-+                            }
-                             Elf64_Rela *last = (Elf64_Rela *)(relsz + (char *)rp);
-                             for (; rp < last; ++rp) {
--                                unsigned r_va = get_te64(&rp->r_offset);
-+                                upx_uint64_t r_va = get_te64(&rp->r_offset);
-                                 if (r_va == user_init_ava) { // found the Elf64_Rela
--                                    unsigned r_info = get_te64(&rp->r_info);
-+                                    upx_uint64_t r_info = get_te64(&rp->r_info);
-                                     unsigned r_type = ELF64_R_TYPE(r_info);
-                                     if (Elf64_Ehdr::EM_AARCH64 == e_machine
-                                     &&  R_AARCH64_RELATIVE == r_type) {
-@@ -2581,7 +2605,7 @@ PackLinuxElf64::canPack()
-                                     }
-                                     else {
-                                         char msg[50]; snprintf(msg, sizeof(msg),
--                                            "bad relocation %#x DT_INIT_ARRAY[0]",
-+                                            "bad relocation %#llx DT_INIT_ARRAY[0]",
-                                             r_info);
-                                         throwCantPack(msg);
-                                     }
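Review bot: The commit message says only "Delete." for this file and does not record why dropping a CVE fix is safe. The deleted patch is the backport of upstream commit 3781df9da23840e596d5e9e8493f22666802fe6c (the From line at the top of the hunk), which adds the `file_size` checks on `rel_off` and `relsz` in PackLinuxElf32::canPack() and PackLinuxElf64::canPack(). Please verify that src/p_lx_elf.cpp in the 4.0.0 tarball carries these checks or an equivalent, and state it in the entry, e.g. "Delete; applied upstream.", so the removal of the CVE-2021-20285 fix is traceable from the log.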
-- 
2.38.0





Reply sent to Christopher Baines <mail <at> cbaines.net>:
You have taken responsibility. (Thu, 03 Nov 2022 17:55:03 GMT)

Notification sent to Zhu Zihao <all_but_last <at> 163.com>:
bug acknowledged by developer. (Thu, 03 Nov 2022 17:55:04 GMT)

Message #10 received at 58977-done <at> debbugs.gnu.org:

From: Christopher Baines <mail <at> cbaines.net>
To: Zhu Zihao <all_but_last <at> 163.com>
Cc: 58977-done <at> debbugs.gnu.org, guix-patches <at> gnu.org
Subject: Re: [bug#58977] [PATCH] gnu: upx: Update to 4.0.0.
Date: Thu, 03 Nov 2022 18:54:28 +0100
Zhu Zihao <all_but_last <at> 163.com> writes:

> * gnu/packages/compression.scm (upx): Update to 4.0.0.
> [build-system]: Use cmake-build-system.
> [arguments]: Remove all stale arguments.
> * gnu/packages/patches/upx-CVE-2021-20285.patch: Delete.
> * gnu/local.mk (dist_patch_DATA): Remove corresponding entry.
> ---
>  gnu/local.mk                                  |  1 -
>  gnu/packages/compression.scm                  | 45 +++--------
>  gnu/packages/patches/upx-CVE-2021-20285.patch | 76 -------------------
>  3 files changed, 11 insertions(+), 111 deletions(-)
>  delete mode 100644 gnu/packages/patches/upx-CVE-2021-20285.patch

Looks good :) Pushed to master as
06d02b7a2c059cafff9ea53da8208be6193f2335.

Thanks,

Chris

Information forwarded to guix-patches <at> gnu.org:
bug#58977; Package guix-patches. (Thu, 03 Nov 2022 17:55:04 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 02 Dec 2022 12:24:15 GMT)

This bug report was last modified 2 years and 279 days ago.
