fosstodon.org is one of the many independent Mastodon servers you can use to participate in the fediverse.
Fosstodon is an invite only Mastodon instance that is open to those who are interested in technology; particularly free & open source software. If you wish to join, contact us for an invite.

Administered by:

Server stats:

10K
active users

#upx

1 post1 participant0 posts today
Replied in thread

@RL_Dane Oh, compressing executables still makes sense in *some* scenarios (relevant size reduction, not using a filesystem with transparent compression, "slow" storage media ...).

But then, #gzexe doesn't really cut it. It needs temporary files for decompression (spoiling most possible speed gains), and compression rates are mediocre. So *if* you have a use case for compressed executables, you'd better have a look at #upx, which achieves better rates and decompresses in-memory, in-place.

Heap Buffer Overflow in UPX Identified

Date: March 26, 2024
CVE: To be assigned
Vulnerability Type: Buffer Errors
CWE: [[CWE-122]]
Sources: NIST VULNDB VULNDB Submit

Issue Summary

A heap buffer overflow vulnerability was identified in the [[UPX|Ultimate Packer for eXecutables]] (UPX), specifically in the commit 06b0de9c77551cd4e856d453e094d8a0b6ef0d6d. This issue occurs during the handling of certain data structures, leading to potential memory corruption. The vulnerability was discovered through fuzzing techniques using the Google OSS-Fuzz project.

Technical Key findings

The vulnerability is caused by improper handling of input data, resulting in a heap buffer overflow. This overflow occurs in the handling of packed files during decompression, where the bounds of allocated heap memory are not properly checked.

Vulnerable products

  • [[UPX]] version identified by commit 06b0de9c77551cd4e856d453e094d8a0b6ef0d6d.

Impact assessment

An attacker could exploit this vulnerability to execute arbitrary code on the target system or cause a denial of service through application crash, potentially compromising the system's integrity and availability.

Patches or workaround

No specific patches or workarounds were mentioned at the time of reporting. Users are advised to monitor the official [[UPX]] GitHub repository for updates.

Tags

nvd.nist.govNVD - CVE-2024-3209
Continued thread

One of the most impressive exp. with this web service is it’s final size: in default release build it’s 12MB, with LTO it goes down to 8MB, after stripping symbols it’s 5.4MB and finally compresses it down to 2.2MB. Compare this to the prev. version: 25MB runtime incl.