TakeV/guix
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

gnu: upx: Update to 4.0.0.

Browse source 
* gnu/packages/compression.scm (upx): Update to 4.0.0.
[build-system]: Use cmake-build-system.
[arguments]: Remove all stale arguments.
* gnu/packages/patches/upx-CVE-2021-20285.patch: Delete.
* gnu/local.mk (dist_patch_DATA): Remove corresponding entry.

Signed-off-by: Christopher Baines <mail@cbaines.net>
This commit is contained in:
Zhu Zihao 2022-11-03 11:13:09 +08:00 committed by Christopher Baines
parent 440a3e8d33
commit 06d02b7a2c
No known key found for this signature in database
GPG key ID: 5E28A33B0B84F577
3 changed files with 11 additions and 111 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
gnu/local.mk
View file

@ -1954,7 +1954,6 @@ dist_patch_DATA = \
%D%/packages/patches/unzip-zipbomb-part2.patch \
%D%/packages/patches/unzip-zipbomb-part3.patch \
%D%/packages/patches/unzip-32bit-zipbomb-fix.patch \
%D%/packages/patches/upx-CVE-2021-20285.patch \
%D%/packages/patches/ustr-fix-build-with-gcc-5.patch \
%D%/packages/patches/util-linux-tests.patch \
%D%/packages/patches/util-linux-CVE-2021-3995.patch \

45
gnu/packages/compression.scm
View file

@ -35,6 +35,7 @@
;;; Copyright © 2021 Simon Tournier <zimon.toutoune@gmail.com>
;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2021 Ahmad Jarara <git@ajarara.io>
;;; Copyright © 2022 Zhu Zihao <all_but_last@163.com>
;;;
;;; This file is part of GNU Guix.
;;;
@ -2308,40 +2309,16 @@ (define-public ucl
(define-public upx
(package
(name "upx")
(version "3.96")
(source (origin
(method url-fetch)
(uri (string-append "https://github.com/upx/upx/releases/download/v"
version "/upx-" version "-src.tar.xz"))
(sha256
(base32
"051pk5jk8fcfg5mpgzj43z5p4cn7jy5jbyshyn78dwjqr7slsxs7"))
(patches (search-patches "upx-CVE-2021-20285.patch"))))
(build-system gnu-build-system)
(native-inputs
(list perl))
(inputs
(list ucl zlib))
(arguments
`(#:make-flags
(list "all")
#:phases
(modify-phases %standard-phases
(delete 'configure) ; no configure script
(delete 'check) ; no test suite
(add-before 'build 'patch-exec-bin-sh
(lambda _
(substitute* (list "Makefile"
"src/Makefile")
(("/bin/sh") (which "sh")))
#t))
(replace 'install
(lambda* (#:key outputs #:allow-other-keys)
(let* ((out (assoc-ref outputs "out"))
(bin (string-append out "/bin")))
(mkdir-p bin)
(copy-file "src/upx.out" (string-append bin "/upx")))
#t)))))
(version "4.0.0")
(source
(origin
(method url-fetch)
(uri (string-append "https://github.com/upx/upx/releases/download/v"
version "/upx-" version "-src.tar.xz"))
(sha256
(base32
"1sinky0rq40q2qqzly99c5hdd6ilz2bxlbqla9lg0rafhbw3iyga"))))
(build-system cmake-build-system)
(home-page "https://upx.github.io/")
(synopsis "Compression tool for executables")
(description

76
gnu/packages/patches/upx-CVE-2021-20285.patch
View file

@ -1,76 +0,0 @@
From 3781df9da23840e596d5e9e8493f22666802fe6c Mon Sep 17 00:00:00 2001
From: John Reiser <jreiser@BitWagon.com>
Date: Fri, 11 Dec 2020 13:38:18 -0800
Subject: [PATCH] Check DT_REL/DT_RELA, DT_RELSZ/DT_RELASZ
https://github.com/upx/upx/issues/421
modified: p_lx_elf.cpp
---
src/p_lx_elf.cpp | 34 +++++++++++++++++++++++++++++-----
1 file changed, 29 insertions(+), 5 deletions(-)
diff --git a/src/p_lx_elf.cpp b/src/p_lx_elf.cpp
index 182db192..3a4101cf 100644
--- a/src/p_lx_elf.cpp
+++ b/src/p_lx_elf.cpp
@@ -2222,8 +2222,20 @@ bool PackLinuxElf32::canPack()
int z_rsz = dt_table[Elf32_Dyn::DT_RELSZ];
if (z_rel && z_rsz) {
unsigned rel_off = get_te32(&dynseg[-1+ z_rel].d_val);
+ if ((unsigned)file_size <= rel_off) {
+ char msg[70]; snprintf(msg, sizeof(msg),
+ "bad Elf32_Dynamic[DT_REL] %#x\n",
+ rel_off);
+ throwCantPack(msg);
+ }
Elf32_Rel *rp = (Elf32_Rel *)&file_image[rel_off];
unsigned relsz = get_te32(&dynseg[-1+ z_rsz].d_val);
+ if ((unsigned)file_size <= relsz) {
+ char msg[70]; snprintf(msg, sizeof(msg),
+ "bad Elf32_Dynamic[DT_RELSZ] %#x\n",
+ relsz);
+ throwCantPack(msg);
+ }
Elf32_Rel *last = (Elf32_Rel *)(relsz + (char *)rp);
for (; rp < last; ++rp) {
unsigned r_va = get_te32(&rp->r_offset);
@@ -2562,14 +2574,26 @@ PackLinuxElf64::canPack()
int z_rel = dt_table[Elf64_Dyn::DT_RELA];
int z_rsz = dt_table[Elf64_Dyn::DT_RELASZ];
if (z_rel && z_rsz) {
- unsigned rel_off = get_te64(&dynseg[-1+ z_rel].d_val);
+ upx_uint64_t rel_off = get_te64(&dynseg[-1+ z_rel].d_val);
+ if ((u64_t)file_size <= rel_off) {
+ char msg[70]; snprintf(msg, sizeof(msg),
+ "bad Elf64_Dynamic[DT_RELA] %#llx\n",
+ rel_off);
+ throwCantPack(msg);
+ }
Elf64_Rela *rp = (Elf64_Rela *)&file_image[rel_off];
- unsigned relsz = get_te64(&dynseg[-1+ z_rsz].d_val);
+ upx_uint64_t relsz = get_te64(&dynseg[-1+ z_rsz].d_val);
+ if ((u64_t)file_size <= relsz) {
+ char msg[70]; snprintf(msg, sizeof(msg),
+ "bad Elf64_Dynamic[DT_RELASZ] %#llx\n",
+ relsz);
+ throwCantPack(msg);
+ }
Elf64_Rela *last = (Elf64_Rela *)(relsz + (char *)rp);
for (; rp < last; ++rp) {
- unsigned r_va = get_te64(&rp->r_offset);
+ upx_uint64_t r_va = get_te64(&rp->r_offset);
if (r_va == user_init_ava) { // found the Elf64_Rela
- unsigned r_info = get_te64(&rp->r_info);
+ upx_uint64_t r_info = get_te64(&rp->r_info);
unsigned r_type = ELF64_R_TYPE(r_info);
if (Elf64_Ehdr::EM_AARCH64 == e_machine
&& R_AARCH64_RELATIVE == r_type) {
@@ -2581,7 +2605,7 @@ PackLinuxElf64::canPack()
}
else {
char msg[50]; snprintf(msg, sizeof(msg),
- "bad relocation %#x DT_INIT_ARRAY[0]",
+ "bad relocation %#llx DT_INIT_ARRAY[0]",
r_info);
throwCantPack(msg);
}