Fosstodon @fosstodon

1 post1 participant0 posts today

**marius** @mariusor@metalhead.club · 3d

marius @mariusor@metalhead.club

Low energy morning, so instead of fixing bugs I'll just add UPX packing on my docker images' binaries.

#golang #go #upx

**Patryk Krawaczyński** @agresor@infosec.exchange · Feb 19

Feb 19

Patryk Krawaczyński @agresor@infosec.exchange

Upakowane ELFy – czerwona flaga dla pliku binarnego w Linuksie ( https://nfsec.pl/security/6600 ) #linux #malware #upx #packer #security #twittermigration

https://www.youtube.com/watch?v=1M4ADcMn3dA

nfsec.plNF.sec – Bezpieczeństwo systemu Linux - Upakowane ELFy – czerwona flaga dla pliku binarnego w LinuksieU ltimate Packer for Executables (UPX) to program pakujący dla kilku formatów wykonywalnych, takich jak biblioteki DLL systemu Windows, aplikacji macOS oraz Linux ELF. Jak możemy przeczytać na oficjalnej stronie programu UPX: “potrafi zazwyczaj zmniejszyć rozmiar plików programów i bibliotek DDL o około 50% – 70%, redukując w ten sposób miejsce na dysku, czas ładowania […]

Replied in thread

**Felix Palmen** @zirias@bsd.cafe · Jun 21, 2024

Jun 21, 2024

Felix Palmen @zirias@bsd.cafe

@RL_Dane Oh, compressing executables still makes sense in *some* scenarios (relevant size reduction, not using a filesystem with transparent compression, "slow" storage media ...).

But then, #gzexe doesn't really cut it. It needs temporary files for decompression (spoiling most possible speed gains), and compression rates are mediocre. So *if* you have a use case for compressed executables, you'd better have a look at #upx, which achieves better rates and decompresses in-memory, in-place.

**H3lium@infosec.exchange/:~# ** @H3liumb0y@infosec.exchange · Apr 3, 2024

Apr 3, 2024

H3lium@infosec.exchange/:~#  @H3liumb0y@infosec.exchange

Heap Buffer Overflow in UPX Identified

Date: March 26, 2024
CVE: To be assigned
Vulnerability Type: Buffer Errors
CWE: [[CWE-122]]
Sources: NIST VULNDB VULNDB Submit

Issue Summary

A heap buffer overflow vulnerability was identified in the [[UPX|Ultimate Packer for eXecutables]] (UPX), specifically in the commit 06b0de9c77551cd4e856d453e094d8a0b6ef0d6d. This issue occurs during the handling of certain data structures, leading to potential memory corruption. The vulnerability was discovered through fuzzing techniques using the Google OSS-Fuzz project.

Technical Key findings

The vulnerability is caused by improper handling of input data, resulting in a heap buffer overflow. This overflow occurs in the handling of packed files during decompression, where the bounds of allocated heap memory are not properly checked.

Vulnerable products

[[UPX]] version identified by commit 06b0de9c77551cd4e856d453e094d8a0b6ef0d6d.

Impact assessment

An attacker could exploit this vulnerability to execute arbitrary code on the target system or cause a denial of service through application crash, potentially compromising the system's integrity and availability.

Patches or workaround

No specific patches or workarounds were mentioned at the time of reporting. Users are advised to monitor the official [[UPX]] GitHub repository for updates.

Tags

nvd.nist.govNVD - CVE-2024-3209

#UPX #BufferOverflow #HeapOverflow

**Júlio Gardona** @jcbritobr@mastodon.social · Jan 11, 2024

Jan 11, 2024

Júlio Gardona @jcbritobr@mastodon.social

A perda no arranque da aplicação que foi compactada pelo #upx é muito pequena. Ferramenta fantástica. :)

**Andrew Hunter** @rexbron@mstdn.ca · Aug 3, 2023

Aug 3, 2023

Andrew Hunter @rexbron@mstdn.ca

It seems so silly that the #UPX has all those #presto readers in the station but makes people queue before boarding.

**City Techie** @citytechie@mstdn.ca · Feb 11, 2023 *

Feb 11, 2023 *

City Techie @citytechie@mstdn.ca

Yikes! "80 per cent [14 of 18 train cars] of the fleet grounded, it’s certainly possible that those four units are impacted." #Toronto #Transit #UPX #Metrolinx #Trains

https://toronto.ctvnews.ca/14-of-18-up-express-train-cars-condemned-after-thermal-cracks-found-in-brake-discs-union-1.6269375

Most UP Express train cars 'condemned' after thermal cracks found in brake discs: union

Video: UP Express down to only 2 working trains: sources. Sources tell CTV News Toronto that 14 of 18 UP Express trains are out of service after thermal cracks were found in vehicle brake discs.

**⇐∗∗⇒ Jean-Luc - POI I7FI** @datenhalde@toot.bike · Dec 19, 2022

Dec 19, 2022

⇐∗∗⇒ Jean-Luc - POI I7FI @datenhalde@toot.bike

Meine Firma verbietet mir implizit den Einsatz von #UPX, weil sie auf einen neuen Virenscanner umgestellt haben, der darauf anschlägt.

Kennt jemand eine Alternative?

**DaShaun** @dashaun@mastodon.online · Dec 13, 2022

Dec 13, 2022

DaShaun @dashaun@mastodon.online

#springboot 3 #native #graalvm #upx #arm64 AND #amd64 #multiarchitecture #buildpack #NewArticle #CheckItOut #TeamworkMakesTheDreamWork

https://dashaun.com/posts/teamwork-makes-the-dream-work-for-multiarch-builder/

dashaun.comTeamwork makes the dream work for this multi-architecture builder.New multi-architecture builder: dashaun/builder:tiny

Continued thread

**Andreas Gerlach** @appelgriebsch · Dec 8, 2021

Dec 8, 2021

Andreas Gerlach @appelgriebsch

One of the most impressive exp. with this #Rust web service is it’s final size: in default release build it’s 12MB, with LTO it goes down to 8MB, after stripping symbols it’s 5.4MB and finally #upx compresses it down to 2.2MB. Compare this to the prev. version: 25MB runtime incl.

Recent searches

Search options

Administered by:

Server stats:

#upx