Bugzilla – Bug 1209769
VUL-0: CVE-2021-43315: upx: Heap-based buffer overflows in PackLinuxElf32:elf_lookup() at p_lx_elf.cp
Last modified: 2024-06-07 13:59:31 UTC
CVE-2021-43315 A heap-based buffer overflows was discovered in upx, during the generic pointer 'p' points to an inaccessible address in func get_le32(). The problem is essentially caused in PackLinuxElf32::elf_lookup() at p_lx_elf.cpp:5349 References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-43315 https://www.cve.org/CVERecord?id=CVE-2021-43315 https://github.com/upx/upx/issues/380
Affected: - openSUSE:Backports:SLE-15-SP4/upx 3.96 Not Affected: - openSUSE:Factory/upx 4.0.2
openSUSE-SU-2023:0088-1: An update that fixes 12 vulnerabilities is now available. Category: security (important) Bug References: 1183510,1184701,1184702,1207121,1207122,1209765,1209766,1209767,1209768,1209769,1209770,1209771 CVE References: CVE-2021-20285,CVE-2021-30500,CVE-2021-30501,CVE-2021-43311,CVE-2021-43312,CVE-2021-43313,CVE-2021-43314,CVE-2021-43315,CVE-2021-43316,CVE-2021-43317,CVE-2023-23456,CVE-2023-23457 JIRA References: Sources used: openSUSE Backports SLE-15-SP4 (src): upx-4.0.2-bp154.4.6.1
As per a comment [0] in the upstream issue related to this vulnerability [1], the reported problem is not present in version 4.0.2 of upx (the fix for the issue is present in version 4.0.2). All currently supported codestreams are at version 4.0.2 or higher, meaning they are not affected by this issue. [0] https://github.com/upx/upx/issues/380#issuecomment-1511845513 [1] https://github.com/upx/upx/issues/380