CVE-2021-46179: Assertion `(unsigned)len <= buf->getSize()' failed in file.cpp:275 · Issue #545 · upx/upx

Reachable Assertion vulnerability in upx before 4.0.0 allows attackers to cause a denial of service via a crafted file passed to the readx function.


What’s the problem (or question)?

Assertion `(unsigned)len <= buf->getSize()' failed in file.cpp:275

upx.out: file.cpp:275: virtual int InputFile::readx(MemBuffer*, int): Assertion `(unsigned)len <= buf->getSize()' failed. Program received signal SIGABRT, Aborted.

pwndbg> bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7bcc859 in __GI_abort () at abort.c:79
#2  0x00007ffff7bcc729 in __assert_fail_base (fmt=0x7ffff7d62588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x5555555f5618 "(unsigned)len <= buf->getSize()", file=0x5555557067b1 "file.cpp", line=275, function=<optimized out>) at assert.c:92
#3  0x00007ffff7bddf36 in __GI___assert_fail (assertion=0x5555555f5618 "(unsigned)len <= buf->getSize()", file=0x5555557067b1 "file.cpp", line=275, function=0x5555555f5638 "virtual int InputFile::readx(MemBuffer*, int)") at assert.c:101
#4  0x000055555558a280 in InputFile::readx(MemBuffer*, int) ()
#5  0x00005555555c5969 in PackUnix::packExtent(PackUnix::Extent const&, Filter*, OutputFile*, unsigned int, unsigned int) ()
#6  0x00005555555b4fb2 in PackMachBase<N_Mach::MachClass_64<N_BELE_CTP::LEPolicy> >::pack2(OutputFile*, Filter&) ()
#7  0x00005555555c4d98 in PackUnix::pack(OutputFile*) ()
#8  0x00005555555d6028 in Packer::doPack(OutputFile*) ()
#9  0x00005555555eacd3 in do_one_file(char const*, char*) ()
#10 0x00005555555eaf8f in do_files(int, int, char**) ()
#11 0x00005555555973c7 in upx_main(int, char**) ()
#12 0x000055555557c4e2 in main ()
#13 0x00007ffff7bce0b3 in __libc_start_main (main=0x55555557c3e0 <main>, argc=2, argv=0x7fffffffe208, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1f8) at ../csu/libc-start.c:308
#14 0x000055555557c5fe in _start ()

What should have happened?

No crash.

Do you have an idea for a solution?

No.

How can we reproduce the issue?

1. make
2. ../src/upx.out ./poc
poc.zip

Please tell us details about your environment.

  • ./upx.out --version
    upx 4.0.0-git-5d1347a359bb
    UCL data compression library 1.03
    zlib data compression library 1.2.11
    LZMA SDK version 4.43
  • Host Operating System and version: Ubuntu 20.04 focal
  • Host CPU architecture: AMD EPYC 7742 64-Core @ 16x 2.25GHz
  • Target Operating System and version: Ubuntu 20.04 focal
  • Target CPU architecture: AMD EPYC 7742 64-Core @ 16x 2.25GHz
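As an added illustration of the defensive pattern behind this report (example code, not upx's own): a hypothetical readx that guards the untrusted length only with an assert, beside a hardened version that validates it and returns a status the caller can handle. MemBuffer, InputFile, pack_extent_from_header, the status codes and the 4-byte header layout are all constructed assumptions.

```cpp
#include <cassert>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical stand-ins for the packer's buffer and input file (not upx's
// MemBuffer / InputFile); they model only the length check at issue.
struct MemBuffer {
    std::vector<uint8_t> data;
    explicit MemBuffer(size_t n) : data(n) {}
    size_t getSize() const { return data.size(); }
};

struct InputFile {
    std::vector<uint8_t> bytes;  // constructed sample input
    size_t pos = 0;
    // Failure mode from the report: the untrusted length is guarded only by
    // an assert, so a crafted file ends in SIGABRT (denial of service).
    int readx_assert(MemBuffer* buf, int len) {
        assert((unsigned)len <= buf->getSize());
        std::memcpy(buf->data.data(), bytes.data() + pos, (size_t)len);
        pos += (size_t)len;
        return len;
    }

    // Hardened form: reject a negative length, one larger than the
    // destination, or one past the end of input, and return a status the
    // caller can report instead of aborting the process.
    int readx_checked(MemBuffer* buf, int len) {
        if (len < 0 || (size_t)len > buf->getSize()) return 2;  // exceeds buffer
        if ((size_t)len > bytes.size() - pos) return 3;          // exceeds input
        std::memcpy(buf->data.data(), bytes.data() + pos, (size_t)len);
        pos += (size_t)len;
        return 0;
    }
};

// Reads a 4-byte little-endian extent length from a constructed header, then
// reads that many payload bytes. Returns 0 on success, 1 on a short header,
// otherwise the readx_checked status.
int pack_extent_from_header(const std::vector<uint8_t>& file, size_t bufSize) {
    if (file.size() < 4) return 1;
    uint32_t extent = (uint32_t)file[0] | ((uint32_t)file[1] << 8) |
                      ((uint32_t)file[2] << 16) | ((uint32_t)file[3] << 24);
    InputFile in;
    in.bytes = file;
    in.pos = 4;  // payload starts after the 4-byte header
    MemBuffer buf(bufSize);
    return in.readx_checked(&buf, (int)extent);  // cast may wrap negative
}
```

A length of 0x80000000 wraps to a negative int, which the original `(unsigned)len` comparison and the `len < 0` check both reject; the difference is only whether rejection aborts the process or surfaces as an error.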
