A floating-point exception was discovered in PackLinuxElf::elf_hash in p_lx_elf.cpp in UPX 3.95. The vulnerability causes an application crash, which leads to denial of service.
Weakness
The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Upx | Upx | 3.95 (including) | 3.95 (including) |
| Upx-ucl | Ubuntu | bionic | * |
| Upx-ucl | Ubuntu | disco | * |
| Upx-ucl | Ubuntu | eoan | * |
| Upx-ucl | Ubuntu | focal | * |
| Upx-ucl | Ubuntu | trusty | * |
| Upx-ucl | Ubuntu | xenial | * |
Potential Mitigations
- Use languages, libraries, or frameworks that make it easier to handle numbers without unexpected consequences.
- Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++).
- Use languages, libraries, or frameworks that make it easier to handle numbers without unexpected consequences.
- Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++).
Related Attack Patterns
References
- https://github.com/upx/upx/issues/313
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D7XU42G6MUQQXHWRP7DCF2JSIBOJ5GOO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EUTVSTXAFTD552NO2K2RIF6MDQEHP3BE/
- https://github.com/upx/upx/issues/313
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D7XU42G6MUQQXHWRP7DCF2JSIBOJ5GOO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EUTVSTXAFTD552NO2K2RIF6MDQEHP3BE/