Bug#1101500: upx-ucl: CVE-2025-2849

Discussion:

Add Reply

Moritz Mühlenhoff

2025-03-28 14:50:01 UTC

Source: upx-ucl
X-Debbugs-CC: ***@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for upx-ucl.

CVE-2025-2849[0]:
| A vulnerability, which was classified as problematic, was found in
| UPX up to 5.0.0. Affected is the function PackLinuxElf64::un_DT_INIT
| of the file src/p_lx_elf.cpp. The manipulation leads to heap-based
| buffer overflow. It is possible to launch the attack on the local
| host. The exploit has been disclosed to the public and may be used.
| The patch is identified as e0b6ff192412f5bb5364c1948f4f6b27a0cd5ea2.
| It is recommended to apply a patch to fix this issue.

https://github.com/upx/upx/issues/898
https://github.com/upx/upx/commit/e0b6ff192412f5bb5364c1948f4f6b27a0cd5ea2

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-2849
https://www.cve.org/CVERecord?id=CVE-2025-2849

Please adjust the affected versions in the BTS as needed.

Matheus Polkorny

2025-04-06 04:10:01 UTC

Permalink

user debian-***@lists.debian.org
usertags 1101500 + bsp-2025-04-brazil
thanks

I have imported and refreshed the upstream patch to address CVE-2025-2849.

More details can be found in the following merge request:
https://salsa.debian.org/debian/upx-ucl/-/merge_requests/3

Carlos Henrique Lima Melara

2025-04-14 00:40:01 UTC

Permalink

Hi maintainers,

Post by Matheus Polkorny
usertags 1101500 + bsp-2025-04-brazil
thanks
I have imported and refreshed the upstream patch to address CVE-2025-2849.
https://salsa.debian.org/debian/upx-ucl/-/merge_requests/3

I will upload the prepared nmu shortly with a 2 days delay. If you
prefer to do it yourself or need more time to review the changes, please
let me know so I can postpone or cancel the upload.

Cheers,
Charles