CVE-2023-23456

CVSS V2 None CVSS V3 None

Description

A heap-based buffer overflow issue was discovered in UPX in PackTmt::pack() in p_tmt.cpp file. The flow allows an attacker to cause a denial of service (abort) via a crafted file.

Overview

CVE ID
CVE-2023-23456

Assigner
patrick@puiterwijk.org

Vulnerability Status
Analyzed

Published Version
2023-01-12T19:15:24

Last Modified Date
2023-01-23T15:21:39

Weakness Enumerations

CWE	URL
CWE-787	http://cwe.mitre.org/data/definitions/787.html
CWE-122	http://cwe.mitre.org/data/definitions/122.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version Start	Version End
cpe:2.3:a:upx_project:upx::::::::	1	OR		2022-11-24
cpe:2.3:o:fedoraproject:fedora:36:::::::*	1	OR
cpe:2.3:o:fedoraproject:fedora:37:::::::*	1	OR

References

Reference URL	Reference Tags
https://bugzilla.redhat.com/show_bug.cgi?id=2160381
https://github.com/upx/upx/commit/510505a85cbe45e51fbd470f1aa8b02157c429d4
https://github.com/upx/upx/issues/632
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EL3BVKIGG3SH6I3KPOYQAWCBD4UMPOPI/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TGEP3FBNRZXGLIA2B2ICMB32JVMPREFZ/

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-23456
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23456

History

Created	Old Value	New Value	Data Type	Notes
2023-01-12 20:16:15				Added to TrackCVE
2023-01-12 20:16:16			Weakness Enumeration	new
2023-01-19 01:14:19	Awaiting Analysis	Undergoing Analysis	Vulnerability Status	updated
2023-01-22 04:16:07		2023-01-22T04:15:11	CVE Modified Date	updated
2023-01-22 04:16:09			References	updated
2023-01-23 16:14:25		2023-01-23T15:21:39	CVE Modified Date	updated
2023-01-23 16:14:25	Undergoing Analysis	Analyzed	Vulnerability Status	updated
2023-01-23 16:14:26			Weakness Enumeration	update
2023-01-23 16:14:26			CPE Information	updated