From: ludo@gnu.org (Ludovic Courtès)
To: Pierre Neidhardt <ambrevar@gmail.com>
Cc: 31487@debbugs.gnu.org
Subject: [bug#31487] [PATCH] gnu: Add upx.
Date: Fri, 15 Jun 2018 09:12:55 +0200 [thread overview]
Message-ID: <87muvwwmiw.fsf@gnu.org> (raw)
In-Reply-To: <87po1ezj60.fsf@gnu.org> ("Ludovic \=\?utf-8\?Q\?Court\=C3\=A8s\=22'\?\= \=\?utf-8\?Q\?s\?\= message of "Tue, 29 May 2018 15:27:19 +0200")
Ping! :-)
ludo@gnu.org (Ludovic Courtès) skribis:
> Pierre Neidhardt <ambrevar@gmail.com> skribis:
>
>> The relevant issues:
>>
>> - https://github.com/upx/upx/issues/146
>> - https://github.com/upx/upx/pull/190
>
> Hmm I see that:
>
> https://github.com/upx/upx/issues/128
> corresponds to:
> https://nvd.nist.gov/vuln/detail?vulnId=CVE%2D%32%30%31%37%2D%31%35%30%35%36
>
> and:
>
> https://nvd.nist.gov/vuln/detail?vulnId=CVE%2D%32%30%31%37%2D%31%36%38%36%39
> corresponds to:
> https://github.com/upx/upx/issues/146
>
> The latter (CVE-2017-16869) is marked as “disputed” above, and I would
> agree with the arguments of the UPX maintainers.
>
> The authors did not react to the former (CVE-2017-15056, crash when
> reading ELF files), other than by fixing it, but it does look similar in
> spirit.
>
> What about adding a patch for CVE-2017-15056 since it would at least fix
> a concrete bug?
>
> CVE-2017-16869 is also a bug but it concerns Mach-O files, which are
> much less of a concern for our users I suppose. Patching it wouldn’t
> hurt either, but you could also add a ‘lint-hidden-cve’ property for
> CVE-2017-16869 with a comment.
>
> TIA,
> Ludo’.
next prev parent reply other threads:[~2018-06-15 7:14 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-17 22:51 [bug#31487] [PATCH] gnu: Add upx Pierre Neidhardt
2018-05-18 6:46 ` Pierre Neidhardt
2018-05-26 20:14 ` Ludovic Courtès
2018-05-27 13:46 ` Pierre Neidhardt
2018-05-28 7:55 ` Ludovic Courtès
2018-05-29 6:42 ` Pierre Neidhardt
2018-05-29 13:27 ` Ludovic Courtès
2018-06-15 7:12 ` Ludovic Courtès [this message]
2018-06-16 14:58 ` Pierre Neidhardt
2018-06-16 19:15 ` Pierre Neidhardt
2018-06-16 14:54 ` [bug#31487] [PATCH] gnu: upx: Fix CVE-2017-15056 Pierre Neidhardt
2018-06-16 21:57 ` bug#31487: " Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87muvwwmiw.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=31487@debbugs.gnu.org \
--cc=ambrevar@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.