gnu: upx: Fix CVE-2017-15056.

* gnu/packages/patches/upx-protect-against-bad-crafted-input.patch: New file. * gnu/packages/compression.scm (upx)[source]: Use it. * gnu/local.mk (dist_patch_DATA): Add it. Signed-off-by: Ludovic Courtès <ludo@gnu.org>
2025-10-02 02:15:12 +00:00 · 2018-06-16 16:54:53 +02:00 · 2018-06-16 16:54:53 +02:00 · a14de83213
commit a14de83213
parent ed2ae0dc7f
3 changed files with 104 additions and 1 deletions
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@ -2209,7 +2209,8 @@ decompression is a little bit slower.")
                                 version "/" name "-" version "-src.tar.xz"))
             (sha256
              (base32
-               "08anybdliqsbsl6x835iwzljahnm9i7v26icdjkcv33xmk6p5vw1"))))
+               "08anybdliqsbsl6x835iwzljahnm9i7v26icdjkcv33xmk6p5vw1"))
+             (patches (search-patches "upx-fix-CVE-2017-15056.patch"))))
    (build-system gnu-build-system)
    (native-inputs `(("perl" ,perl)
                     ("ucl" ,ucl)))
@ -2241,6 +2242,11 @@ decompression is a little bit slower.")
             #t))
         )))
    (home-page "https://upx.github.io/")
+    ;; CVE-2017-16869 is about Mach-O files which is not of a big concern for Guix.
+    ;; See https://github.com/upx/upx/issues/146 and
+    ;; https://nvd.nist.gov/vuln/detail?vulnId=CVE-2017-16869.
+    ;; The issue will be fixed after version 3.94.
+    (properties `((lint-hidden-cve . ("CVE-2017-16869"))))
    (synopsis "Compression tool for executables")
    (description
     "The Ultimate Packer for eXecutables (UPX) is an executable file