upx-3.96-3.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11486-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z upx-3.96-3.2 on GA media These are all security issues fixed in the upx-3.96-3.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11486 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-16869/ SUSE CVE CVE-2017-16869 page https://www.suse.com/security/cve/CVE-2018-11243/ SUSE CVE CVE-2018-11243 page https://www.suse.com/security/cve/CVE-2019-1010048/ SUSE CVE CVE-2019-1010048 page https://www.suse.com/security/cve/CVE-2019-14296/ SUSE CVE CVE-2019-14296 page https://www.suse.com/security/cve/CVE-2019-20021/ SUSE CVE CVE-2019-20021 page https://www.suse.com/security/cve/CVE-2019-20053/ SUSE CVE CVE-2019-20053 page https://www.suse.com/security/cve/CVE-2020-24119/ SUSE CVE CVE-2020-24119 page openSUSE Tumbleweed upx-3.96-3.2 upx-3.96-3.2 as a component of openSUSE Tumbleweed ** DISPUTED ** p_mach.cpp in UPX 3.94 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted Mach-O file, related to canPack and unpack functions. NOTE: the vendor has stated "there is no security implication whatsoever." CVE-2017-16869 openSUSE Tumbleweed:upx-3.96-3.2 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-16869.html CVE-2017-16869 https://bugzilla.suse.com/1068681 SUSE Bug 1068681 PackLinuxElf64::unpack in p_lx_elf.cpp in UPX 3.95 allows remote attackers to cause a denial of service (double free), limit the ability of a malware scanner to operate on the entire original data, or possibly have unspecified other impact via a crafted file. CVE-2018-11243 openSUSE Tumbleweed:upx-3.96-3.2 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-11243.html CVE-2018-11243 https://bugzilla.suse.com/1094138 SUSE Bug 1094138 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. CVE-2019-1010048 openSUSE Tumbleweed:upx-3.96-3.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-1010048.html CVE-2019-1010048 https://bugzilla.suse.com/1141777 SUSE Bug 1141777 canUnpack in p_vmlinx.cpp in UPX 3.95 allows remote attackers to cause a denial of service (SEGV or buffer overflow, and application crash) or possibly have unspecified other impact via a crafted UPX packed file. CVE-2019-14296 openSUSE Tumbleweed:upx-3.96-3.2 low 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-14296.html CVE-2019-14296 https://bugzilla.suse.com/1143839 SUSE Bug 1143839 A heap-based buffer over-read was discovered in canUnpack in p_mach.cpp in UPX 3.95 via a crafted Mach-O file. CVE-2019-20021 openSUSE Tumbleweed:upx-3.96-3.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-20021.html CVE-2019-20021 https://bugzilla.suse.com/1159833 SUSE Bug 1159833 An invalid memory address dereference was discovered in the canUnpack function in p_mach.cpp in UPX 3.95 via a crafted Mach-O file. CVE-2019-20053 openSUSE Tumbleweed:upx-3.96-3.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-20053.html CVE-2019-20053 https://bugzilla.suse.com/1159920 SUSE Bug 1159920 A heap buffer overflow read was discovered in upx 4.0.0, because the check in p_lx_elf.cpp is not perfect. CVE-2020-24119 openSUSE Tumbleweed:upx-3.96-3.2 important 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-24119.html CVE-2020-24119 https://bugzilla.suse.com/1186238 SUSE Bug 1186238