From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:51337)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1fNefV-0008Bs-94
	for guix-patches@gnu.org; Tue, 29 May 2018 09:28:09 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1fNefU-0001r8-Bh
	for guix-patches@gnu.org; Tue, 29 May 2018 09:28:05 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:45396)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1fNefU-0001r0-8N
	for guix-patches@gnu.org; Tue, 29 May 2018 09:28:04 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1fNefS-0004yn-Bj
	for guix-patches@gnu.org; Tue, 29 May 2018 09:28:04 -0400
Subject: [bug#31487] [PATCH] gnu: Add upx.
Resent-Message-ID: <handler.31487.B31487.152760045119101@debbugs.gnu.org>
From: ludo@gnu.org (Ludovic =?UTF-8?Q?Court=C3=A8s?=)
References: <20180517225109.12033-1-ambrevar@gmail.com>
	<87lgc6yy1t.fsf@gnu.org> <87muwli52v.fsf@gmail.com>
	<878t8443l6.fsf@gnu.org> <87d0xfvu77.fsf@gmail.com>
Date: Tue, 29 May 2018 15:27:19 +0200
In-Reply-To: <87d0xfvu77.fsf@gmail.com> (Pierre Neidhardt's message of "Tue,
	29 May 2018 08:42:36 +0200")
Message-ID: <87po1ezj60.fsf@gnu.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-patches/>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+kyle=kyleam.com@gnu.org>
To: Pierre Neidhardt <ambrevar@gmail.com>
Cc: 31487@debbugs.gnu.org

Pierre Neidhardt <ambrevar@gmail.com> skribis:

> The relevant issues:
>
> - https://github.com/upx/upx/issues/146
> - https://github.com/upx/upx/pull/190

Hmm I see that:

  https://github.com/upx/upx/issues/128
  corresponds to:
  https://nvd.nist.gov/vuln/detail?vulnId=3DCVE%2D%32%30%31%37%2D%31%35%30%=
35%36

and:

  https://nvd.nist.gov/vuln/detail?vulnId=3DCVE%2D%32%30%31%37%2D%31%36%38%=
36%39
  corresponds to:
  https://github.com/upx/upx/issues/146

The latter (CVE-2017-16869) is marked as =E2=80=9Cdisputed=E2=80=9D above, =
and I would
agree with the arguments of the UPX maintainers.

The authors did not react to the former (CVE-2017-15056, crash when
reading ELF files), other than by fixing it, but it does look similar in
spirit.

What about adding a patch for CVE-2017-15056 since it would at least fix
a concrete bug?

CVE-2017-16869 is also a bug but it concerns Mach-O files, which are
much less of a concern for our users I suppose.  Patching it wouldn=E2=80=
=99t
hurt either, but you could also add a =E2=80=98lint-hidden-cve=E2=80=99 pro=
perty for
CVE-2017-16869 with a comment.

TIA,
Ludo=E2=80=99.