Bugzilla – Bug 1209765
VUL-0: CVE-2021-43311: upx: Heap-based buffer overflow in PackLinuxElf32:elf_lookup() at p_lx_elf.cpp
Last modified: 2024-06-07 13:56:10 UTC
CVE-2021-43311

A heap-based buffer overflow was discovered in upx, during the generic pointer 'p' points to an inaccessible address in func get_le32(). The problem is essentially caused in PackLinuxElf32::elf_lookup() at p_lx_elf.cpp:5382.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-43311
https://www.cve.org/CVERecord?id=CVE-2021-43311
https://github.com/upx/upx/issues/380
Affected:
- openSUSE:Backports:SLE-15-SP4/upx 3.96
- openSUSE:Factory/upx 4.0.2
openSUSE-SU-2023:0088-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1183510,1184701,1184702,1207121,1207122,1209765,1209766,1209767,1209768,1209769,1209770,1209771
CVE References: CVE-2021-20285,CVE-2021-30500,CVE-2021-30501,CVE-2021-43311,CVE-2021-43312,CVE-2021-43313,CVE-2021-43314,CVE-2021-43315,CVE-2021-43316,CVE-2021-43317,CVE-2023-23456,CVE-2023-23457
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP4 (src): upx-4.0.2-bp154.4.6.1
As per a comment [0] in the upstream issue related to this vulnerability [1], the reported problem is not present in version 4.0.2 of upx. All currently supported codestreams are at version 4.0.2 or higher, meaning they are not affected by this issue.

[0] https://github.com/upx/upx/issues/380#issuecomment-1511845513
[1] https://github.com/upx/upx/issues/380