Fedora has issued an advisory on July 16:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SX4TLTE75VYUGSPYEKMYFPUZMRDIR7O2/

The issues are fixed upstream in 3.6.0.
Fedora has issued an advisory on July 30:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ED2UIZ5J7YYFFA2MPSMJ543U3DPEREVZ/

This adds another CVE, also fixed in 3.6.0.

They also updated radare2-cutter to 1.8.3:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IEXZWAMVKGZKHALV4IVWQS2ORJKRH57U/
Summary: radare2 new security issues CVE-2019-12790 and CVE-2019-12802 => radare2 new security issues CVE-2019-12790, CVE-2019-12802, CVE-2019-12865
Update in progress by David (waiting on the cutter). Anton, please help test this update.

Updated so far:
radare2-3.6.0-1.mga7
libradare2_3.6.0-3.6.0-1.mga7
libradare2-devel-3.6.0-1.mga7

from radare2-3.6.0-1.mga7.src.rpm
CC: (none) => anton.kochkov
Done for mga7!
Advisory:
========================

Updated radare2 packages fix security vulnerabilities:

In radare2 through 3.5.1, there is a heap-based buffer over-read in the r_egg_lang_parsechar function of egg_lang.c. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact because of missing length validation in libr/egg/egg.c (CVE-2019-12790).

In radare2 through 3.5.1, the rcc_context function of libr/egg/egg_lang.c mishandles changing context. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact (invalid memory access in r_egg_lang_parsechar; invalid free in rcc_pusharg) (CVE-2019-12802).

In radare2 through 3.5.1, cmd_mount in libr/core/cmd_mount.c has a double free for the ms command (CVE-2019-12865).

The radare2 package has been updated to version 3.6.0, fixing these issues and other bugs. Also, the radare2-cutter package has been updated to version 1.8.3.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12790
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12802
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12865
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ED2UIZ5J7YYFFA2MPSMJ543U3DPEREVZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IEXZWAMVKGZKHALV4IVWQS2ORJKRH57U/
========================

Updated packages in core/updates_testing:
========================

radare2-3.6.0-1.mga7
libradare2_3.6.0-3.6.0-1.mga7
libradare2-devel-3.6.0-1.mga7
radare2-cutter-1.8.3-1.mga7

from SRPMS:
radare2-3.6.0-1.mga7.src.rpm
radare2-cutter-1.8.3-1.mga7.src.rpm
CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
Fedora has issued an advisory on October 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RQO7V37RGQEKZDLY2JYKDZTLNN2YUBC5/

The issue is fixed upstream in 3.7.0. Fedora updated to 3.9.0.

They also updated the cutter to 1.9.0:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PXQ6KYP4UMNSCJYHFT4TBIXLR2325SNS/
Assignee: qa-bugs => geiger.david68210
Summary: radare2 new security issues CVE-2019-12790, CVE-2019-12802, CVE-2019-12865 => radare2 new security issues CVE-2019-12790, CVE-2019-12802, CVE-2019-12865, CVE-2019-14745
CC: (none) => qa-bugs
Done for mga7! radare2 3.8.0 and cutter 1.9.0
Advisory:
========================

Updated radare2 packages fix security vulnerabilities:

In radare2 through 3.5.1, there is a heap-based buffer over-read in the r_egg_lang_parsechar function of egg_lang.c. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact because of missing length validation in libr/egg/egg.c (CVE-2019-12790).

In radare2 through 3.5.1, the rcc_context function of libr/egg/egg_lang.c mishandles changing context. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact (invalid memory access in r_egg_lang_parsechar; invalid free in rcc_pusharg) (CVE-2019-12802).

In radare2 through 3.5.1, cmd_mount in libr/core/cmd_mount.c has a double free for the ms command (CVE-2019-12865).

By using a crafted executable file, it's possible to execute arbitrary shell commands with the permissions of the victim. This vulnerability is due to improper handling of symbol names embedded in executables (CVE-2019-14745).

The radare2 package has been updated to version 3.8.0, fixing these issues and other bugs. Also, the radare2-cutter package has been updated to version 1.9.0.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12790
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12802
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12865
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14745
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ED2UIZ5J7YYFFA2MPSMJ543U3DPEREVZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IEXZWAMVKGZKHALV4IVWQS2ORJKRH57U/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RQO7V37RGQEKZDLY2JYKDZTLNN2YUBC5/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PXQ6KYP4UMNSCJYHFT4TBIXLR2325SNS/
========================

Updated packages in core/updates_testing:
========================

radare2-3.8.0-1.mga7
libradare2_3.8.0-3.8.0-1.mga7
libradare2-devel-3.8.0-1.mga7
radare2-cutter-1.9.0-1.mga7

from SRPMS:
radare2-3.8.0-1.mga7.src.rpm
radare2-cutter-1.9.0-1.mga7.src.rpm
CC: qa-bugs => (none)
Assignee: geiger.david68210 => qa-bugs
Taking this one on for Mageia7, x86_64. radare2 is a framework for reverse engineering and reading binaries. There is at least one reproducer, for the first CVE listed.
CC: (none) => tarazed25
Installed radare2 packages. Before the update checked the man page and made an attempt to use radare2 on a system binary. The following presents a prompt, and the V command switches to visual mode, which displays a series of 4-character lines then a coloured hexdump. Used down-arrow to scan this.

$ r2 -a x86 -b 64 /bin/bash
 -- Come here, we are relatively friendly
[0x00420180]> V
[...]
[0x00420180 [Xadvc] 13% 1400 /bin/bash]> xc @ entry0
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF  comment
0x00420180  31ed 4989 d15e 4889 e248 83e4 f050 5449  1.I..^H..H...PTI  ; rip
0x00420190  c7c0 0055 4900 48c7 c1a0 5449 0048 c7c7  ...UI.H...TI.H..
0x004201a0  a0ed 4100 ff15 469e 0a00 f40f 1f44 0000  ..A...F......D..
0x004201b0  b8e8 2c4d 0048 3de8 2c4d 0074 13b8 0000  ..,M.H=.,M.t....
0x004201c0  0000 4885 c074 09bf e82c 4d00 ffe0 6690  ..H..t...,M...f.
[...]
0x0042084c  13f4 0100 89df e889 e3ff ff50 e883 e3  ...........P...  ; sym.sh_exit
0x0042085b  ffff 5389 fb48 8b3d 9924 0b00 e884 df  ..S..H.=.$.....  ; sym.subshell_exit
0x0042086a  ffff 488b 3d0d 250b 00e8 78df ffff 31  ..H.=.%...x...1
0x00420879  ffe8 29e0 0200 85c0 7407 e878 d902 00  ..).....t..x...
0x00420888  89c3 89df e84f e3ff ff53 8b1d e43c 0b  .....O...S...<.  ; sym.shell_is_restricted
< typed q to get back to the prompt >
[0x00420e4a]> exit

Not probing this any further. It works anyway.
CVE-2019-12790
https://github.com/radareorg/radare2/issues/14211
$ ragg2 -a x86 -b 64 hello.r
Segmentation fault (core dumped)

CVE-2019-12802
https://github.com/radareorg/radare2/issues/14296
$ ragg2 invalid_memory_access.r
Segmentation fault (core dumped)
$ ragg2 invalid_free.r
free(): invalid pointer
Aborted (core dumped)

CVE-2019-12865
https://github.com/radareorg/radare2/issues/14334
$ r2 malloc://1024
 -- To debug a program, you can call r2 with 'dbg://<path-to-program>' or '-d <path..>'
[0x00000000]> ms
[/]> q
[0x00000000]> ms
UNKNOWN_ROOT
Unknown root
free(): double free detected in tcache 2
Aborted (core dumped)

Updated the four packages. Ran the PoC tests again.

CVE-2019-12790
$ ragg2 -a x86 -b 64 hello.r
ERROR: elem too large.
<good result>

CVE-2019-12802
$ ragg2 invalid_memory_access.r
Sinking before overflow
<good>
$ ragg2 invalid_free.r
free(): invalid pointer
Aborted (core dumped)
So, issue detected but not completely fixed.
Before update, the upstream notes read:
munmap_chunk(): invalid pointer
Aborted (core dumped)
<and valgrind reports: Invalid free() / delete / delete[] / realloc()>

CVE-2019-12865
$ r2 malloc://1024
 -- Get a free shell with 'ragg2 -i exec -x'
[0x00000000]> ms
[/]> q
[0x00000000]> ms
UNKNOWN_ROOT
Unknown root
[0x00000000]> exit
<good result>

$ r2 -a x86 -b 64 /bin/cargo
 -- Ilo ni li pona li pali e lipu. mi wile e ni: sina kama jo e musi
[0x00063c20]> ms
[/]> help
Commands:
 !cmd        ; escape to system
 :cmd        ; escape to the r2 repl
 ls [path]   ; list current directory
 cd path     ; change current directory
 cat file    ; print contents of file
 get file    ; dump file to disk
 mount       ; list mount points
 q/exit      ; leave prompt mode
 ?/help      ; show this help
[/]> :V
[...]
[0x00063c20 [Xadvc]0 3% 1536 /bin/cargo]> xc @ entry0
- offset - [...]
<hexdump>
[...]
[/]> q
[0x00063c20]> exit

As far as I can tell it is working fine. Anybody know what language the quote uses? Maybe it is a Caesar cypher.
Reserving the OK in case somebody wants to investigate the PoC failure in CVE-2019-12802. Feedback for the time being.
Keywords: (none) => feedback
Maybe we need to update to 3.9.0.
radare2 3.9.0 now available and radare2-cutter rebuilt against it.
Keywords: feedback => (none)
Updated the packages as listed.

CVE-2019-12802
$ ragg2 invalid_memory_access.r
Sinking before overflow
lcl@difda:radare2 $ ragg2 invalid_free.r
free(): invalid pointer
Aborted (core dumped)
No change there.

Experimented with commands:
$ ragg2 -f python -a x86 /bin/tar
import struct
buf = struct.pack ("0B", *[

$ ragg2 -i exec -x
sh-4.4$ r2 malloc://1024
 -- There's a branch for that.
[0x00000000]> ms
[/]> q
[0x00000000]> ms
UNKNOWN_ROOT
Unknown root
[0x00000000]> exit
could not save history into /.cache/radare2
sh-4.4$ exit
exit

Other commands are rahash2, rafind2, rabin2, radiff2, rasm2, rax2, rarun2. One needs a bit of background knowledge to use these - pass. The help option does not explain what the commands are used for but lists all the options.

Tinkering:
$ strings /bin/stellarium | grep asteroid | wc -l
15
$ rafind2 -s "asteroid" /bin/stellarium | wc -l
17
$ strings /bin/stellarium | grep Asteroid | wc -l
1
$ strings /bin/ruby | grep lib
/lib64/ld-linux-x86-64.so.2
libruby.so.2.5
libc.so.6
__libc_start_main
__libc_csu_fini
__libc_csu_init
lcl@difda:radare2 $ rafind2 -s lib /bin/ruby | wc -l
6
$ r2 -a x86 /bin/cargo
 -- 255 shades of (truecolor) grey
[0x00063c20]> V
<full hexdump of the program - type q to return to prompt>
[0x00063c20]> exit

Giving this an OK.
Whiteboard: (none) => MGA7-64-OK
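The two QA comments above (the PoC runs before and after the 3.6.0 update, and the re-run against 3.9.0) repeat the same manual sequence: feed the upstream ragg2 reproducers to ragg2, then type ms / q / ms in r2 on malloc://1024 and watch for a glibc abort or a segfault. The script below is an added helper for replaying that sequence unattended; it is not code from this bug, from radare2, or from the Fedora/Mageia packages. It assumes the PoC files from the linked upstream issues (hello.r, invalid_memory_access.r, invalid_free.r) are passed as arguments, since their contents are not reproduced in the bug; that r2's ms sub-prompt reads its commands from stdin, so two piped "q" lines serve two ms invocations; that coreutils timeout(1) is present (it is skipped if not); and the shell convention that a process killed by a signal exits with 128+signo.

```shell
#!/bin/sh
# Added QA helper for the radare2 reproducers quoted in this bug (not part of
# radare2, Fedora or Mageia). PoC files come from the upstream issues and are
# given as arguments; nothing about their contents is assumed here.

# Turn a shell exit status into a verdict. A process killed by a signal exits
# with 128+signo: 139 = SIGSEGV (the ragg2 crashes), 134 = SIGABRT (glibc's
# "free(): invalid pointer" / "double free detected" checks call abort()).
classify_status() {
    case "$1" in
        0)   echo "ok" ;;
        139) echo "crash:SIGSEGV" ;;
        134) echo "crash:SIGABRT" ;;
        *)
            if [ "$1" -gt 128 ]; then
                echo "crash:signal$(( $1 - 128 ))"
            else
                echo "error:$1"
            fi
            ;;
    esac
}

# Run a command with its output discarded, bounded by timeout(1) when available,
# and return the command's own exit status.
run_quiet() {
    if command -v timeout >/dev/null 2>&1; then
        timeout 20 "$@" >/dev/null 2>&1
    else
        "$@" >/dev/null 2>&1
    fi
}

# CVE-2019-12790 / CVE-2019-12802: hand each PoC file to ragg2. The arch flags
# are the ones used for hello.r in the bug; assumption: they are harmless for
# the other two files.
check_ragg2_pocs() {
    for poc in "$@"; do
        run_quiet ragg2 -a x86 -b 64 "$poc"
        st=$?
        printf '%s: %s\n' "$poc" "$(classify_status "$st")"
    done
}

# CVE-2019-12865: ms, leave the mount prompt with q, ms again. Assumption: the
# ms sub-prompt reads from stdin, so the two piped "q" lines end each ms.
check_ms_double_free() {
    printf 'q\nq\n' | run_quiet r2 -q -c 'ms; ms' malloc://1024
    classify_status $?
}

# Only exercise the live checks where radare2 is actually installed.
if command -v r2 >/dev/null 2>&1 && command -v ragg2 >/dev/null 2>&1; then
    check_ragg2_pocs "$@"
    printf 'ms double free: %s\n' "$(check_ms_double_free)"
else
    echo "radare2 not installed; skipping live checks" >&2
fi
```

Usage: `sh r2-qa.sh hello.r invalid_memory_access.r invalid_free.r`. On the vulnerable 3.5.1 build the verdicts match the comments above (SIGSEGV for hello.r and invalid_memory_access.r, SIGABRT for invalid_free.r and for the second ms); after the update the expected result is "ok" for everything except invalid_free.r, which the tester found still aborting on 3.6.0 and 3.9.0.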
Sounds like the second part of the issue wasn't fixed upstream. Does someone have a github account that can comment on: https://github.com/radareorg/radare2/issues/14296
Anyway, updated advisory for the moment...

Advisory:
========================

Updated radare2 packages fix security vulnerabilities:

In radare2 through 3.5.1, there is a heap-based buffer over-read in the r_egg_lang_parsechar function of egg_lang.c. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact because of missing length validation in libr/egg/egg.c (CVE-2019-12790).

In radare2 through 3.5.1, the rcc_context function of libr/egg/egg_lang.c mishandles changing context. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact (invalid memory access in r_egg_lang_parsechar; invalid free in rcc_pusharg) (CVE-2019-12802).

In radare2 through 3.5.1, cmd_mount in libr/core/cmd_mount.c has a double free for the ms command (CVE-2019-12865).

By using a crafted executable file, it's possible to execute arbitrary shell commands with the permissions of the victim. This vulnerability is due to improper handling of symbol names embedded in executables (CVE-2019-14745).

The radare2 package has been updated to version 3.9.0, fixing these issues and other bugs. Also, the radare2-cutter package has been updated to version 1.9.0.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12790
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12802
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12865
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14745
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ED2UIZ5J7YYFFA2MPSMJ543U3DPEREVZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IEXZWAMVKGZKHALV4IVWQS2ORJKRH57U/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RQO7V37RGQEKZDLY2JYKDZTLNN2YUBC5/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PXQ6KYP4UMNSCJYHFT4TBIXLR2325SNS/
========================

Updated packages in core/updates_testing:
========================

radare2-3.9.0-1.mga7
libradare2_3.9.0-3.9.0-1.mga7
libradare2-devel-3.9.0-1.mga7
radare2-cutter-1.9.0-1.1.mga7

from SRPMS:
radare2-3.9.0-1.mga7.src.rpm
radare2-cutter-1.9.0-1.1.mga7.src.rpm
Validating this one, then, while we wait for upstream. Advisory in Comment 14.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0024.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED