From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id E932B15ACFB for ; Fri, 21 Apr 2023 16:15:00 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id C5B27E0943; Fri, 21 Apr 2023 16:14:59 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 5A4C2E0942 for ; Fri, 21 Apr 2023 16:14:59 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 299E93411C7 for ; Fri, 21 Apr 2023 16:14:58 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 7BEF3141 for ; Fri, 21 Apr 2023 16:14:56 +0000 (UTC) From: "David Seifert" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "David Seifert" Message-ID: <1682093684.b0b2e526e852b58f2e863b2341eb464462873f20.soap@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: app-arch/upx/, app-arch/upx/files/ X-VCS-Repository: repo/gentoo X-VCS-Files: app-arch/upx/Manifest app-arch/upx/files/upx-4.0.1-CVE-2023-23456.patch app-arch/upx/files/upx-4.0.1-CVE-2023-23457.patch app-arch/upx/upx-4.0.1-r1.ebuild X-VCS-Directories: app-arch/upx/files/ app-arch/upx/ X-VCS-Committer: soap X-VCS-Committer-Name: David Seifert X-VCS-Revision: b0b2e526e852b58f2e863b2341eb464462873f20 X-VCS-Branch: master Date: Fri, 21 Apr 2023 16:14:56 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 2162e675-ac4a-4799-8d23-8a831329ec5a X-Archives-Hash: af31adb54cc9b91a8fef8ea7f706b1b8 commit: b0b2e526e852b58f2e863b2341eb464462873f20 Author: Azamat H. Hackimov gmail com> AuthorDate: Fri Apr 21 16:14:44 2023 +0000 Commit: David Seifert gentoo org> CommitDate: Fri Apr 21 16:14:44 2023 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0b2e526 app-arch/upx: drop 4.0.1-r1 Signed-off-by: Azamat H. Hackimov gmail.com> Signed-off-by: David Seifert gentoo.org> app-arch/upx/Manifest | 1 - app-arch/upx/files/upx-4.0.1-CVE-2023-23456.patch | 61 ----------------------- app-arch/upx/files/upx-4.0.1-CVE-2023-23457.patch | 45 ----------------- app-arch/upx/upx-4.0.1-r1.ebuild | 35 ------------- 4 files changed, 142 deletions(-) diff --git a/app-arch/upx/Manifest b/app-arch/upx/Manifest index c06784b73e2c..cdaf5d2019f0 100644 --- a/app-arch/upx/Manifest +++ b/app-arch/upx/Manifest @@ -1,2 +1 @@ -DIST upx-4.0.1-src.tar.xz 1154032 BLAKE2B 0da23cedf73506e06e5dcf19ab0d194d8e578188bb4d75e760fe3f7dc7f24a9d42ff4b75fd9514162f48ae7cfad347b5bd65789805071354a74129960807843b SHA512 f2e42c83fd4a0d273a20c8b0f0d1eb201edcd1f10c779d2a6e8ac0812741c3af0c887382e54894190ecc4c7002a910524b2ed79ae7a7b595b8392598ad2e1235 DIST upx-4.0.2-src.tar.xz 1191960 BLAKE2B d1b111d886498628174653e2184bb648862986c6b65441a31ccbbd5360d9fd04d2d8b6cb276111cf4726f38aba0a3cd2c42b6fd62caba69a7996a4e59a5471ca SHA512 0aafbaf97a25e9cd1866d03358f5eceab2c0ba4b2f3acdd58178b41c32af58335b6cb843d83f3398d4ceedc238bfcd95f86a20c38a11d5e4e8af6a28c7e8b82e diff --git a/app-arch/upx/files/upx-4.0.1-CVE-2023-23456.patch b/app-arch/upx/files/upx-4.0.1-CVE-2023-23456.patch deleted file mode 100644 index 779800a08e40..000000000000 --- a/app-arch/upx/files/upx-4.0.1-CVE-2023-23456.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 1d291ff0db8a056600ebdebb9c3c62d700eaa842 Mon Sep 17 00:00:00 2001 -From: John Reiser -Date: Thu, 24 Nov 2022 10:28:03 -0800 -Subject: [PATCH] p_tmt: more sanity of input, cleanup MemBuffer usage - -https://github.com/upx/upx/issues/632 - modified: src/p_tmt.cpp ---- - src/p_tmt.cpp | 23 +++++++++++------------ - 1 file changed, 11 insertions(+), 12 deletions(-) - -diff --git a/src/p_tmt.cpp b/src/p_tmt.cpp -index 7dc72888..592809a9 100644 ---- a/src/p_tmt.cpp -+++ b/src/p_tmt.cpp -@@ -173,15 +173,13 @@ int PackTmt::readFileHeader() - fi->seek(adam_offset,SEEK_SET); - fi->readx(&ih,sizeof(ih)); - // FIXME: should add more checks for the values in 'ih' -- unsigned const imagesize = get_le32(&ih.imagesize); -- unsigned const entry = get_le32(&ih.entry); -- unsigned const relocsize = get_le32(&ih.relocsize); -- if (!imagesize -- || file_size <= imagesize -- || file_size <= entry -- || file_size <= relocsize) { -- printWarn(getName(), "bad header; imagesize=%#x entry=%#x relocsize=%#x", -- imagesize, entry, relocsize); -+ unsigned const imagesize = ih.imagesize; -+ unsigned const entry = ih.entry; -+ unsigned const relocsize = ih.relocsize; -+ if (imagesize < sizeof(ih) || entry < sizeof(ih) || file_size <= imagesize || -+ file_size <= entry || file_size <= relocsize) { -+ printWarn(getName(), "bad header; imagesize=%#x entry=%#x relocsize=%#x", imagesize, -+ entry, relocsize); - return 0; - } - -@@ -215,15 +213,16 @@ void PackTmt::pack(OutputFile *fo) - ibuf.alloc(usize+rsize+128); - obuf.allocForCompression(usize+rsize+128); - -- MemBuffer wrkmem; -- wrkmem.alloc(rsize+EXTRA_INFO); // relocations -+ MemBuffer mb_wrkmem; -+ mb_wrkmem.alloc(rsize + EXTRA_INFO + 4); // relocations + original entry point + relocsize -+ SPAN_S_VAR(upx_byte, wrkmem, mb_wrkmem); - - fi->seek(adam_offset+sizeof(ih),SEEK_SET); - fi->readx(ibuf,usize); - fi->readx(wrkmem+4,rsize); - const unsigned overlay = file_size - fi->tell(); - -- if (find_le32(ibuf,128,get_le32("UPX ")) >= 0) -+ if (find_le32(ibuf, UPX_MIN(128u, usize), get_le32("UPX ")) >= 0) - throwAlreadyPacked(); - if (rsize == 0) - throwCantPack("file is already compressed with another packer"); --- -2.38.2 - diff --git a/app-arch/upx/files/upx-4.0.1-CVE-2023-23457.patch b/app-arch/upx/files/upx-4.0.1-CVE-2023-23457.patch deleted file mode 100644 index 8cb8455b4eab..000000000000 --- a/app-arch/upx/files/upx-4.0.1-CVE-2023-23457.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 779b648c5f6aa9b33f4728f79dd4d0efec0bf860 Mon Sep 17 00:00:00 2001 -From: John Reiser -Date: Wed, 23 Nov 2022 19:49:28 -0800 -Subject: [PATCH] invert_pt_dynamic: fix thinko; PackLinuxElf64help1 insist on - ELF - -https://github.com/upx/upx/issues/631 - modified: src/p_lx_elf.cpp ---- - src/p_lx_elf.cpp | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/src/p_lx_elf.cpp b/src/p_lx_elf.cpp -index fa55470f7..b698ee0a2 100644 ---- a/src/p_lx_elf.cpp -+++ b/src/p_lx_elf.cpp -@@ -256,7 +256,8 @@ PackLinuxElf32::PackLinuxElf32help1(InputFile *f) - e_phnum = get_te16(&ehdri.e_phnum); - e_shnum = get_te16(&ehdri.e_shnum); - unsigned const e_phentsize = get_te16(&ehdri.e_phentsize); -- if (ehdri.e_ident[Elf32_Ehdr::EI_CLASS]!=Elf32_Ehdr::ELFCLASS32 -+ if (memcmp((char const *)&ehdri, "\x7f\x45\x4c\x46", 4) // "\177ELF" -+ || ehdri.e_ident[Elf32_Ehdr::EI_CLASS]!=Elf32_Ehdr::ELFCLASS32 - || sizeof(Elf32_Phdr) != e_phentsize - || (Elf32_Ehdr::ELFDATA2MSB == ehdri.e_ident[Elf32_Ehdr::EI_DATA] - && &N_BELE_RTP::be_policy != bele) -@@ -761,7 +762,8 @@ PackLinuxElf64::PackLinuxElf64help1(InputFile *f) - e_phnum = get_te16(&ehdri.e_phnum); - e_shnum = get_te16(&ehdri.e_shnum); - unsigned const e_phentsize = get_te16(&ehdri.e_phentsize); -- if (ehdri.e_ident[Elf64_Ehdr::EI_CLASS]!=Elf64_Ehdr::ELFCLASS64 -+ if (memcmp((char const *)&ehdri, "\x7f\x45\x4c\x46", 4) // "\177ELF" -+ || ehdri.e_ident[Elf64_Ehdr::EI_CLASS]!=Elf64_Ehdr::ELFCLASS64 - || sizeof(Elf64_Phdr) != e_phentsize - || (Elf64_Ehdr::ELFDATA2MSB == ehdri.e_ident[Elf64_Ehdr::EI_DATA] - && &N_BELE_RTP::be_policy != bele) -@@ -5780,7 +5782,7 @@ PackLinuxElf64::invert_pt_dynamic(Elf64_Dyn const *dynp, upx_uint64_t headway) - } - if (file_size <= dt_offsets[n_off]) { - char msg[60]; snprintf(msg, sizeof(msg), "bad DT_{%#x} = %#x (beyond EOF)", -- dt_names[k], dt_offsets[n_off]); -+ k, dt_offsets[n_off]); - throwCantPack(msg); - } - n_off += !!dt_offsets[n_off]; diff --git a/app-arch/upx/upx-4.0.1-r1.ebuild b/app-arch/upx/upx-4.0.1-r1.ebuild deleted file mode 100644 index 16adb6cdbc4e..000000000000 --- a/app-arch/upx/upx-4.0.1-r1.ebuild +++ /dev/null @@ -1,35 +0,0 @@ -# Copyright 1999-2023 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -inherit cmake - -DESCRIPTION="Ultimate Packer for eXecutables (free version using UCL compression and not NRV)" -HOMEPAGE="https://upx.github.io/" -SRC_URI="https://github.com/upx/upx/releases/download/v${PV}/${P}-src.tar.xz" -S="${WORKDIR}/${P}-src" - -LICENSE="GPL-2+ UPX-exception" # Read the exception before applying any patches -SLOT="0" -KEYWORDS="amd64 ~arm ~arm64 ~ppc ~ppc64 ~sparc x86" - -RDEPEND="!app-arch/upx-bin" -BDEPEND="app-arch/xz-utils[extra-filters]" - -PATCHES=( - "${FILESDIR}/${P}-CVE-2023-23456.patch" - "${FILESDIR}/${P}-CVE-2023-23457.patch" -) - -src_configure() { - local mycmakeargs=( - -DUPX_CONFIG_DISABLE_WERROR=ON - ) - cmake_src_configure -} - -src_test() { - # Don't run tests in parallel, #878977 - cmake_src_test -j1 -}