Subject: [bug#31487] [PATCH] gnu: Add upx.
From: ludo@gnu.org (Ludovic Courtès)
To: Pierre Neidhardt
Cc: 31487@debbugs.gnu.org
Date: Fri, 15 Jun 2018 09:12:55 +0200
Message-ID: <87muvwwmiw.fsf@gnu.org>
In-Reply-To: <87po1ezj60.fsf@gnu.org> (Ludovic Courtès's message of "Tue, 29 May 2018 15:27:19 +0200")
References: <20180517225109.12033-1-ambrevar@gmail.com> <87lgc6yy1t.fsf@gnu.org> <87muwli52v.fsf@gmail.com> <878t8443l6.fsf@gnu.org> <87d0xfvu77.fsf@gmail.com> <87po1ezj60.fsf@gnu.org>

Ping!  :-)

ludo@gnu.org (Ludovic Courtès) skribis:

> Pierre Neidhardt skribis:
>
>> The relevant issues:
>>
>> - https://github.com/upx/upx/issues/146
>> - https://github.com/upx/upx/pull/190
>
> Hmm, I see that:
>
> https://github.com/upx/upx/issues/128
> corresponds to:
> https://nvd.nist.gov/vuln/detail?vulnId=CVE%2D%32%30%31%37%2D%31%35%30%35%36
>
> and:
>
> https://nvd.nist.gov/vuln/detail?vulnId=CVE%2D%32%30%31%37%2D%31%36%38%36%39
> corresponds to:
> https://github.com/upx/upx/issues/146
>
> The latter (CVE-2017-16869) is marked as “disputed” above, and I would
> agree with the arguments of the UPX maintainers.
>
> The authors did not react to the former (CVE-2017-15056, crash when
> reading ELF files), other than by fixing it, but it does look similar in
> spirit.
>
> What about adding a patch for CVE-2017-15056 since it would at least fix
> a concrete bug?
>
> CVE-2017-16869 is also a bug but it concerns Mach-O files, which are
> much less of a concern for our users I suppose.  Patching it wouldn’t
> hurt either, but you could also add a ‘lint-hidden-cve’ property for
> CVE-2017-16869 with a comment.
>
> TIA,
> Ludo’.
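For readers following the thread, here is a sketch (added here, not the patch under review nor Guix's actual upx definition) of how the two suggestions in the quoted message map onto a Guix package definition: carrying a fix for CVE-2017-15056 as a source patch, and hiding the disputed CVE-2017-16869 from `guix lint` with a `lint-hidden-cve` property and a comment explaining why. The version, URI, hash, description and the patch file name are placeholders or assumptions; only the field names and the `lint-hidden-cve` property shape follow Guix conventions.

```scheme
;; Added example: illustrates the two CVE-handling options discussed in the
;; thread.  Everything marked "placeholder" is not taken from the patch.
(use-modules (guix packages)
             (guix download)
             (guix build-system gnu)
             ((guix licenses) #:prefix license:)
             (gnu packages))            ; for search-patches

(define-public upx
  (package
    (name "upx")
    (version "0.0")                     ; placeholder
    (source
     (origin
       (method url-fetch)
       (uri "https://example.invalid/upx-placeholder.tar.xz") ; placeholder
       (sha256
        (base32 "0000000000000000000000000000000000000000000000000000")) ; placeholder
       ;; CVE-2017-15056 (crash when reading crafted ELF input): carry the
       ;; upstream fix as a source patch.  The file name is an assumption;
       ;; the patch would live under gnu/packages/patches/ and be listed in
       ;; gnu/local.mk so that search-patches can find it.
       (patches (search-patches "upx-fix-CVE-2017-15056.patch"))))
    (build-system gnu-build-system)
    (properties
     ;; CVE-2017-16869 concerns Mach-O input and is marked "disputed" by
     ;; NVD; the UPX maintainers contest it.  Hiding it stops the
     ;; `guix lint -c cve` checker from reporting it, without claiming that
     ;; the code is patched.  Keep this comment next to the property so a
     ;; later reviewer can see why the CVE was hidden rather than fixed.
     '((lint-hidden-cve . ("CVE-2017-16869"))))
    (home-page "https://upx.github.io/")
    (synopsis "Compression tool for executables")
    (description "Placeholder description for this example.")
    (license license:gpl2+)))
```

With a real source and hash in place, `guix lint -c cve upx` consults the CVE database for the package's name and version; a CVE listed under `lint-hidden-cve` is skipped, while a CVE fixed by a patch still appears unless the patch file name mentions the CVE identifier, which is why the example's patch is named after it.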