Bug 26232 - radare2 new security issues CVE-2019-19590 and CVE-2019-19647
Summary: radare2 new security issues CVE-2019-19590 and CVE-2019-19647
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-02-20 22:46 CET by David Walser
Modified: 2020-02-24 22:46 CET
CC List: 5 users

See Also:
Source RPM: radare2-4.1.1-2.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2020-02-20 22:46:39 CET
Fedora has issued an advisory on February 14:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DUW4XXPI6XCI2G4X22EP3TKU2APLQ5XD/

The issues are fixed upstream in 4.2.1.

They also upgraded radare2-cutter to 1.10.1:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YQTOWEDFXDTGTD6D4NHRB4FUURQSTTEN/

Mageia 7 is also affected.
David Walser 2020-02-20 22:46:56 CET

CC: (none) => geiger.david68210
Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2020-02-21 05:04:18 CET
Fixed in Cauldron by David Geiger.

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 2 David GEIGER 2020-02-21 13:21:14 CET
Fixed now in mga7.
Comment 3 David Walser 2020-02-21 14:06:04 CET
Advisory:
========================

Updated radare2 packages fix security vulnerabilities:

A vulnerability was found in radare2 through 4.0: there is an integer overflow
for the variable new_token_size in the function r_asm_massemble at
libr/asm/asm.c. This integer overflow will result in a Use-After-Free for the
buffer tokens, which can be filled with arbitrary malicious data after the
free. This allows remote attackers to cause a denial of service (application
crash) or possibly execute arbitrary code via crafted input (CVE-2019-19590).

radare2 through 4.0.0 lacks validation of the content variable in the function
r_asm_pseudo_incbin at libr/asm/asm.c, ultimately leading to an arbitrary
write. This allows remote attackers to cause a denial of service (application
crash) or possibly have unspecified other impact via crafted input
(CVE-2019-19647).

The radare2 package has been updated to version 4.2.1, fixing these issues and
other bugs.

Also, the radare2-cutter package has been updated to version 1.10.1.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19590
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19647
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DUW4XXPI6XCI2G4X22EP3TKU2APLQ5XD/
========================

Updated packages in core/updates_testing:
========================
radare2-4.2.1-1.mga7
libradare2_4.2.1-4.2.1-1.mga7
libradare2-devel-4.2.1-1.mga7
radare2-cutter-1.10.1-1.mga7

from SRPMS:
radare2-4.2.1-1.mga7.src.rpm
radare2-cutter-1.10.1-1.mga7.src.rpm

Assignee: bugsquad => qa-bugs

Comment 4 Len Lawrence 2020-02-22 21:17:58 CET
mga7, x86_64

CVE-2019-19590
https://github.com/radareorg/radare2/issues/15543

Copied the PoC generator, poc.py.
# Writes an r2 script: the "/a " (search for assembly) command followed by
# 2**31 + 16 ';' separators, a token count that exceeds a signed 32-bit int.
with open("poc.r", "w") as f:
    f.write("/a " + ";" * (2 ** 31 + 16))

$ python poc.py
This ran for a while, creating the payload for the r2 command.
$ file poc.r
poc.r: ASCII text, with very long lines, with no line terminators
$ ll poc.r
-rw-r--r-- 1 lcl lcl 2147483667 Feb 22 19:32 poc.r
$ r2 -i poc.r malloc://1024
Segmentation fault (core dumped)

CVE-2019-19647
https://github.com/radareorg/radare2/issues/15545
$ r2 malloc://1024
 -- It's not a bug, it's a work in progress
[0x00000000]> 

No crash, so the problem may have been fixed already.

Installed the updates and checked the PoC.

CVE-2019-19590
$ r2 -i poc.r malloc://1024
[...]
0x000003fc 2 add byte [rax], al
0x000003fe 2 add byte [rax], al
 -- Yo dawg!
[0x00000000]> exit
Looks like it is fixed.

CVE-2019-19647
$ r2 malloc://1024
 -- what happens in #radare, stays in #radare
[0x00000000]> exit
No change from before - good result.

Ran some of the commands:
$ ragg2 -f python -a x86 /bin/tar
import struct
buf = struct.pack ("0B", *[
$ ragg2 -i exec -x
sh-4.4$ r2 malloc://1024
 -- Well this is embarrasing ...
[0x00000000]> ms
[/]> q
[0x00000000]> ms UNKNOWN_ROOT
Unknown root
[0x00000000]> exit
could not save history into /.cache/radare2
sh-4.4$ exit
exit

Don't know enough about this application to test all the commands:
rahash2, rafind2, rabin2, radiff2, rasm2, rax2, rarun2
$ rafind2 -s "asteroid" /bin/stellarium | wc -l
17
$ rafind2 -s "Callisto" /bin/celestia | wc -l
19
$ r2 -a x86 /bin/cargo
 -- Polish reversers blame git
[0x00064c20]> V

That generated a full, coloured hexdump of the program which could be scrolled using the up and down arrows or the paging buttons like Home and PgDn.
Not possible to cut&paste into this report.
'q' to return to prompt, then exit.

These sparse tests should be enough.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
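The advisory in Comment 3 attributes CVE-2019-19590 to an integer overflow of new_token_size in r_asm_massemble, and the PoC in Comment 4 feeds 2^31+16 semicolon-separated tokens, a count that no longer fits in a signed 32-bit int. The C below is an added, constructed illustration of that bug class; it is not radare2's code and does not reproduce the mechanics of asm.c. It shows a buffer size computed from an attacker-controlled token count in 32-bit arithmetic wrapping to a tiny value (so a reallocated buffer would be far smaller than the caller assumes), beside a checked computation that refuses counts whose byte size cannot be represented. The element size of 8 bytes per token, the 32-bit width of the unchecked path and the function names are assumptions chosen to match the PoC, not values taken from radare2.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed illustration (not radare2 code) of the CVE-2019-19590 bug class:
 * a byte count derived from an attacker-controlled token count.
 *
 * Assumed model: tokens are stored as pointers (8 bytes each) and, in the
 * unchecked path, the size is computed in 32-bit arithmetic, as it would be
 * with an `int` counter.
 */

#define TOKEN_ELEM_SIZE 8u        /* assumption: one char* per token */

/* Unchecked: the count is held in 32 bits and multiplied in 32 bits.
 * For the PoC count 2^31+16 the true product 8 * 2147483664 = 17179869312
 * does not fit in 32 bits and wraps to 128, so a realloc() using this value
 * would hand back a 128-byte block for roughly two billion tokens. */
static uint32_t token_buf_size_unchecked(uint64_t ntokens) {
    uint32_t count = (uint32_t)ntokens;
    uint32_t new_token_size = count * TOKEN_ELEM_SIZE;   /* wraps modulo 2^32 */
    return new_token_size;
}

/* Checked: returns 1 if ntokens * elem_size cannot be represented in a size
 * type whose maximum is `max` (UINT32_MAX for a 32-bit size_t or int,
 * UINT64_MAX for a 64-bit size_t), 0 otherwise. Divides instead of
 * multiplying so the test itself cannot overflow. */
static int size_would_overflow(uint64_t ntokens, uint64_t elem_size, uint64_t max) {
    return elem_size != 0 && ntokens > max / elem_size;
}

/* Hardened growth path: refuse before multiplying, and compute the size in
 * size_t, never in int. Returns NULL on overflow or allocation failure, and
 * writes the byte count actually requested to *out_bytes on success. */
static void *grow_tokens(void *tokens, uint64_t ntokens, size_t *out_bytes) {
    if (size_would_overflow(ntokens, TOKEN_ELEM_SIZE, SIZE_MAX)) {
        return NULL;                      /* caller must treat this as fatal */
    }
    size_t bytes = (size_t)ntokens * TOKEN_ELEM_SIZE;
    void *p = realloc(tokens, bytes);
    if (p != NULL && out_bytes != NULL) {
        *out_bytes = bytes;
    }
    return p;
}

int main(void) {
    uint64_t poc_count = 2147483648ULL + 16;   /* 2^31 + 16, the PoC's separator count */

    printf("unchecked 32-bit size for %llu tokens: %u bytes\n",
           (unsigned long long)poc_count, token_buf_size_unchecked(poc_count));
    printf("would a 32-bit size overflow: %d\n",
           size_would_overflow(poc_count, TOKEN_ELEM_SIZE, UINT32_MAX));
    printf("would a 64-bit size overflow: %d\n",
           size_would_overflow(poc_count, TOKEN_ELEM_SIZE, UINT64_MAX));

    /* A sane count still allocates normally through the checked path. */
    size_t bytes = 0;
    void *t = grow_tokens(NULL, 16, &bytes);
    printf("checked grow for 16 tokens: %s (%zu bytes)\n", t ? "ok" : "refused", bytes);
    free(t);
    return 0;
}
```

On a 64-bit build the checked path does not flag the PoC count, because 16 GiB is representable in size_t; it simply asks the allocator for the true size, which then fails loudly instead of silently returning an undersized block. The 32-bit case is where the wrap to 128 bytes happens, which is why the size type and the check, not the platform, have to be right.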

Comment 5 Thomas Andrews 2020-02-23 16:13:01 CET
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-02-24 22:08:03 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 6 Mageia Robot 2020-02-24 22:46:06 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0100.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

