CVE-2023-23456

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-23456
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-23456.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-23456
Downstream
Related
Published
2023-01-12T19:15:24Z
Modified
2025-10-16T09:30:01.310139Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

A heap-based buffer overflow issue was discovered in UPX in PackTmt::pack() in p_tmt.cpp file. The flow allows an attacker to cause a denial of service (abort) via a crafted file.

References

Affected packages

Git / github.com/upx/upx

Affected ranges

Type
GIT
Repo
https://github.com/upx/upx
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
510505a85cbe45e51fbd470f1aa8b02157c429d4

Affected versions

v1.*

v1.10
v1.11
v1.90
v1.91
v1.92
v1.93
v1.94
v1.95
v1.96

v2.*

v2.00
v2.01
v2.90
v2.91
v2.92
v2.93

v3.*

v3.00
v3.01
v3.02
v3.03
v3.04
v3.05
v3.06
v3.07
v3.08
v3.09
v3.91
v3.92
v3.93
v3.94
v3.95
v3.96
v3.99

v4.*

v4.0.0
v4.0.1

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/upx/upx/commit/510505a85cbe45e51fbd470f1aa8b02157c429d4",
        "signature_type": "Function",
        "digest": {
            "function_hash": "220717979257995067740235354140517022474",
            "length": 2463.0
        },
        "target": {
            "function": "PackTmt::pack",
            "file": "src/p_tmt.cpp"
        },
        "id": "CVE-2023-23456-30406e57"
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/upx/upx/commit/510505a85cbe45e51fbd470f1aa8b02157c429d4",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "270024483870746860115248023866527824226",
                "79830583490447665270709313112436993527",
                "291318213354037756716722800564369620775",
                "4740004736721467142620947638923731624",
                "120725108330954488452842994145145398294",
                "138298100867617654658183141083695253012",
                "194280349460958820897612452077813851344",
                "70290090431462953646166478681158878249",
                "215867728904584706182861124232248056731",
                "186605570923333482126481702737061720027",
                "58757993893416442914959371182918678569",
                "337992464289758136001726834326682586653"
            ]
        },
        "target": {
            "file": "src/p_tmt.cpp"
        },
        "id": "CVE-2023-23456-781d46cd"
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/upx/upx/commit/510505a85cbe45e51fbd470f1aa8b02157c429d4",
        "signature_type": "Function",
        "digest": {
            "function_hash": "117702628094271530305967185331654311313",
            "length": 1709.0
        },
        "target": {
            "function": "PackTmt::readFileHeader",
            "file": "src/p_tmt.cpp"
        },
        "id": "CVE-2023-23456-a8760a82"
    }
]