Bug 27060

Summary: radare2 new security issue CVE-2020-15121
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: davidwhodgins, geiger.david68210, herman.viaene, sysadmin-bugs, zombie_ryushu
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7-64-OK
Source RPM: radare2-4.2.1-1.mga7.src.rpm
CVE:
Status comment:

Description David Walser 2020-08-07 19:16:26 CEST
Fedora has issued an advisory today (August 7):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7OFOJ23B5CP5XDVYTW6TTN7OFZPAIVY4/

The issue is fixed upstream in 4.5.0.

They also upgraded radare2-cutter to 1.11.0:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MWC7KNBETYE5MK6VIUU26LUIISIFGSBZ/

Mageia 7 is also affected.

David Walser 2020-08-07 19:16:50 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 David GEIGER 2020-08-07 19:34:15 CEST
Already done on Cauldron.

David Walser 2020-08-07 19:36:49 CEST

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Source RPM: radare2-4.4.0-1.mga8.src.rpm => radare2-4.2.1-1.mga7.src.rpm

Comment 2 David GEIGER 2020-08-12 18:01:06 CEST
Done for mga7!

Comment 3 David Walser 2020-08-12 18:03:06 CEST
Advisory:
========================

Updated radare2 packages fix security vulnerability:

In radare2 before version 4.5.0, malformed PDB file names in the PDB server
path cause shell injection. To trigger the problem it's required to open the
executable in radare2 and run idpd to trigger the download. The shell code will
execute, and will create a file called pwned in the current directory
(CVE-2020-15121).

The radare2 package has been updated to version 4.5.0, fixing these issues and
other bugs.

Also, the radare2-cutter package has been updated to version 1.11.0.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15121
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7OFOJ23B5CP5XDVYTW6TTN7OFZPAIVY4/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MWC7KNBETYE5MK6VIUU26LUIISIFGSBZ/
========================

Updated packages in core/updates_testing:
========================
radare2-4.5.0-1.mga7
libradare2_4.5.0-4.5.0-1.mga7
libradare2-devel-4.5.0-1.mga7
radare2-cutter-1.11.0-1.mga7

from SRPMS:
radare2-4.5.0-1.mga7.src.rpm
radare2-cutter-1.11.0-1.mga7.src.rpm

CC: (none) => geiger.david68210
QA Contact: (none) => security
Component: RPM Packages => Security
Assignee: geiger.david68210 => qa-bugs
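
The advisory in Comment 3 describes a PDB file name taken from the opened executable reaching a shell command during the symbol download. As an added example (not part of this bug report, and not radare2's code or its actual fix), the sketch below shows the defensive pattern for that case: allow-list the name, then hand the downloader an argument vector instead of a shell string. The function names, the `symbols.example.invalid` server, the `<server>/<name>/<GUID+age>/<name>` layout and the use of `curl` are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Allow-list for a PDB file name read from an untrusted executable:
 * only [A-Za-z0-9._-], no leading '-' or '.', no "..". */
bool pdb_name_is_safe(const char *name) {
    size_t n = name ? strlen(name) : 0;
    if (n == 0 || n > 255 || name[0] == '-' || name[0] == '.') return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return false;
    }
    return strstr(name, "..") == NULL;
}

/* The GUID+age path component must be plain hexadecimal. */
bool guid_age_is_safe(const char *s) {
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > 64) return false;
    for (size_t i = 0; i < n; i++)
        if (!isxdigit((unsigned char)s[i])) return false;
    return true;
}

/* Fill argv[] for an exec-style call (execvp, posix_spawnp) so no shell parses
 * the name. Returns 0, or -1 if an input is rejected or url is too small. */
int build_fetch_argv(const char *server, const char *name, const char *guid_age,
                     char *url, size_t url_sz, const char *argv[6]) {
    if (!pdb_name_is_safe(name) || !guid_age_is_safe(guid_age)) return -1;
    int u = snprintf(url, url_sz, "%s/%s/%s/%s", server, name, guid_age, name);
    if (u < 0 || (size_t)u >= url_sz) return -1;
    argv[0] = "curl"; argv[1] = "-sfL"; argv[2] = "-o";
    argv[3] = name;   argv[4] = url;    argv[5] = NULL;
    return 0;
}

int main(void) {
    char url[512]; const char *args[6];
    /* Constructed sample names, not taken from any real binary. */
    const char *names[] = { "ntdll.pdb", "a.pdb\";id;\"", "$(id).pdb", "../x.pdb" };
    for (size_t i = 0; i < 4; i++) {
        int rc = build_fetch_argv("https://symbols.example.invalid", names[i],
                                  "0123ABCD1", url, sizeof url, args);
        printf("%-14s -> %s\n", names[i], rc == 0 ? url : "rejected");
    }
    return 0;
}
```

The server URL is treated here as trusted local configuration; only the values that come from the analysed file are validated.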

Comment 4 Herman Viaene 2020-08-14 13:51:01 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 26232 for test.
$ rafind2 -s "text" /bin/kwrite | wc -l
5

$ r2 -a x86 /bin/oowriter
 -- In soviet Afghanistan, you debug radare2!
>V
as described in bug 26232 "a full, coloured hexdump of the program which could be scrolled using the up and down arrows or the paging buttons like Home and PgDn.
Not possible to cut&paste into this report.
'q' to return to prompt, then exit."

So, looks OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

David Walser 2020-08-16 16:07:16 CEST

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 David Walser 2020-08-16 16:18:41 CEST
Advisory and package list in Comment 3.

Dave Hodgins 2020-08-18 18:38:00 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2020-08-18 19:43:17 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0329.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 7 David Walser 2020-12-05 15:45:25 CET
*** Bug 27751 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu