CVE-2023-23456

Published: Jan 12, 2023Modified: Apr 11, 2025

5.5

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

A heap-based buffer overflow issue was discovered in UPX in PackTmt::pack() in p_tmt.cpp file. The flow allows an attacker to cause a denial of service (abort) via a crafted file.

Affected (3)

Products: Upx: Upx · Fedoraproject: Fedora

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Upx Upx	Before 2022-11-24

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 36
Fedoraproject Fedora	Version 37

Related CWEs

CWE-787

Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

References (11)

https://bugzilla.redhat.com/show_bug.cgi?id=2160381

Source: patrick@puiterwijk.org

Issue TrackingThird Party Advisory

https://github.com/upx/upx/commit/510505a85cbe45e51fbd470f1aa8b02157c429d4

Source: patrick@puiterwijk.org

PatchThird Party Advisory

https://github.com/upx/upx/issues/632

Source: patrick@puiterwijk.org

ExploitThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EL3BVKIGG3SH6I3KPOYQAWCBD4UMPOPI/

Source: patrick@puiterwijk.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TGEP3FBNRZXGLIA2B2ICMB32JVMPREFZ/

Source: patrick@puiterwijk.org

https://bugzilla.redhat.com/show_bug.cgi?id=2160381