Bug 31375

Summary: binwalk new security issues CVE-2021-4287 and CVE-2022-4510
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, geiger.david68210, herman.viaene, mageia, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: binwalk-2.2.0-2.mga8.src.rpm CVE:
Status comment:

Description David Walser 2023-01-05 20:19:54 CET 
Fedora has issued an advisory today (January 5):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/M2TTCIDC6ZNFMU5XFFFDFZEBHO2CU5NG/

The issue is fixed upstream in 2.3.3.
David Walser 2023-01-05 20:20:06 CET

Status comment: (none) => Fixed upstream in 2.3.3

Comment 1 David Walser 2023-02-24 20:08:47 CET 
Debian-LTS has issued an advisory on February 23:
https://www.debian.org/lts/security/2023/dla-3339

The issue is fixed upstream in 2.3.4.

Mageia 8 is also affected.

Whiteboard: (none) => MGA8TOO
Status comment: Fixed upstream in 2.3.3 => Fixed upstream in 2.3.4
Version: 8 => Cauldron
Summary: binwalk new security issue CVE-2021-4287 => binwalk new security issues CVE-2021-4287 and CVE-2022-4510

Comment 2 David GEIGER 2023-02-26 19:31:21 CET 
Done for both mga8 and Cauldron!

Freeze_move requested for Cauldron.

CC: (none) => geiger.david68210

Comment 3 David Walser 2023-02-26 19:56:57 CET 
binwalk-2.3.4-1.mga8

from binwalk-2.3.4-1.mga8.src.rpm

Status comment: Fixed upstream in 2.3.4 => (none)

Comment 4 David Walser 2023-02-27 14:36:22 CET 
Cauldron package moved to core/release.

CC: (none) => mageia
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Assignee: mageia => qa-bugs

Comment 5 Herman Viaene 2023-03-01 10:26:21 CET 
MGA8-64 MATE on Acer Aspire 5253.
No installation issues.
No wiki, no previous updates, found https://allabouttesting.org/short-tutorial-firmware-analysis-tool-binwalk/
so
$ binwalk -h

Binwalk v2.3.4
Craig Heffner, ReFirmLabs
https://github.com/ReFirmLabs/binwalk

Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...

Signature Scan Options:
    -B, --signature              Scan target file(s) for common file signatures
    -R, --raw=<str>              Scan target file(s) for the specified sequence of bytes
    -A, --opcodes                Scan target file(s) for common executable opcode signatures
    -m, --magic=<file>           Specify a custom magic file to use
    -b, --dumb                   Disable smart signature keywords
    -I, --invalid                Show results marked as invalid
    -x, --exclude=<str>          Exclude results that match <str>
    -y, --include=<str>          Only show results that match <str>

Extraction Options:
    -e, --extract                Automatically extract known file types
and a lot more .....
Xent chasing for firmware files, found loads of them installed, but only
$ binwalk  /lib/firmware/3com/typhoon.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
23711         0x5C9F          Copyright string: "Copyright (c) 2001 3Com Corporation"
 this one returned something more than just the headers (tried some 30 of them)
Giving the OK on seeing the command is not giving nay kind of error.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 6 Thomas Andrews 2023-03-01 17:19:55 CET 
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-03-01 17:41:07 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2023-03-01 22:15:54 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0074.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED