Main Vulnerability Database SB2020012913

SB2020012913 - Integer overflow in UPX

Published: January 29, 2020 Updated: November 17, 2022

Security Bulletin ID SB2020012913

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Integer overflow (CVE-ID: CVE-2019-14295)

The vulnerability allows an attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow in getElfSections() function in p_vmlinx.cpp via a skewed offset larger than the size of the PE section in a UPX packed executable. An attacker can create a specially crafted file, trigger integer overflow and trigger an allocation of excessive memory.

Remediation

Install update from vendor's website.

References

https://github.com/upx/upx/issues/286
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MOCJ43HTM45GZCAQ2FLEBDNBM76V22RG/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T52JATXV6NTPTMGXCRGT37H6KXERYNZN/