Fedora has issued an advisory on February 14:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DUW4XXPI6XCI2G4X22EP3TKU2APLQ5XD/

The issues are fixed upstream in 4.2.1. They also upgraded radare2-cutter to 1.10.1:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YQTOWEDFXDTGTD6D4NHRB4FUURQSTTEN/

Mageia 7 is also affected.
CC: (none) => geiger.david68210
Whiteboard: (none) => MGA7TOO
Fixed in Cauldron by David Geiger.
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Fixed now in mga7.
Advisory:
========================

Updated radare2 packages fix security vulnerabilities:

A vulnerability was found in radare2 through 4.0, there is an integer overflow for the variable new_token_size in the function r_asm_massemble at libr/asm/asm.c. This integer overflow will result in a Use-After-Free for the buffer tokens, which can be filled with arbitrary malicious data after the free. This allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted input (CVE-2019-19590).

radare2 through 4.0.0 lacks validation of the content variable in the function r_asm_pseudo_incbin at libr/asm/asm.c, ultimately leading to an arbitrary write. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted input (CVE-2019-19647).

The radare2 package has been updated to version 4.2.1, fixing these issues and other bugs. Also, the radare2-cutter package has been updated to version 1.10.1.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19590
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19647
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DUW4XXPI6XCI2G4X22EP3TKU2APLQ5XD/
========================

Updated packages in core/updates_testing:
========================
radare2-4.2.1-1.mga7
libradare2_4.2.1-4.2.1-1.mga7
libradare2-devel-4.2.1-1.mga7
radare2-cutter-1.10.1-1.mga7

from SRPMS:
radare2-4.2.1-1.mga7.src.rpm
radare2-cutter-1.10.1-1.mga7.src.rpm
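As an added illustration, not radare2's code and not part of this bug report: the advisory describes CVE-2019-19590 as an integer overflow in a size variable (new_token_size) used for the tokens buffer of the assembler, which then leads to a use-after-free. The C model below reproduces that class of bug in a small ';'-separated tokenizer of the kind the PoC exercises (the PoC line carries 2^31+16 semicolons). It shows the unchecked doubling of a signed int capacity wrapping negative, and beside it a hardened growth routine that bounds the token count and the realloc() byte count in size_t arithmetic and refuses the input instead. The names naive_new_token_size, checked_new_token_size, tokenize_checked, free_tokens and the cap MAX_TOKENS are this example's own assumptions and do not correspond to identifiers in libr/asm/asm.c.

```c
/*
 * Model of the growth pattern behind CVE-2019-19590, written for this
 * illustration; it is NOT radare2's code. A ';'-separated line is split
 * into a table of tokens. If the table capacity is kept in a signed int and
 * doubled without a check, a line with more than about 2^30 tokens makes the
 * doubled size wrap; the allocation then no longer matches what the code
 * believes it holds and, per the advisory, the tokens buffer ends up used
 * after free. All identifiers and limits here are this example's own.
 */
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked pattern: new capacity = old * 2 computed in a 32-bit signed int.
 * The wraparound is reproduced through uint32_t so this model is well
 * defined; in real code the signed multiplication is undefined behaviour. */
int naive_new_token_size(int tokens_size)
{
    uint32_t doubled = (uint32_t)tokens_size * 2u;
    return (int)doubled;            /* negative once tokens_size >= 2^30 */
}

/* Example cap on the number of tokens one line may produce (not radare2's). */
#define MAX_TOKENS ((size_t)1 << 24)

/* Hardened growth: doubles tokens_size, but refuses if the result would
 * exceed MAX_TOKENS or if the byte count handed to realloc() would overflow.
 * Returns 1 and stores the new capacity in *out, or 0 to reject the input. */
int checked_new_token_size(size_t tokens_size, size_t elem_size, size_t *out)
{
    if (tokens_size > MAX_TOKENS / 2)           /* doubling would pass the cap */
        return 0;
    size_t doubled = tokens_size * 2;
    if (elem_size == 0 || doubled > SIZE_MAX / elem_size)  /* bytes overflow */
        return 0;
    *out = doubled;
    return 1;
}

/* Split `line` on ';' into a NULL-terminated table of freshly allocated
 * strings, growing the table only through checked_new_token_size().
 * Stores the token count in *count. Returns NULL (everything freed) if the
 * line holds too many tokens or memory runs out. */
char **tokenize_checked(const char *line, size_t *count)
{
    size_t cap = 4, n = 0;
    char **tokens = calloc(cap, sizeof *tokens);
    if (!tokens) return NULL;

    const char *p = line;
    for (;;) {
        const char *semi = strchr(p, ';');
        size_t len = semi ? (size_t)(semi - p) : strlen(p);

        if (n + 1 >= cap) {                      /* keep room for the NULL slot */
            size_t new_cap;
            if (!checked_new_token_size(cap, sizeof *tokens, &new_cap))
                goto fail;
            char **grown = realloc(tokens, new_cap * sizeof *tokens);
            if (!grown) goto fail;
            tokens = grown;
            cap = new_cap;
        }
        char *tok = malloc(len + 1);
        if (!tok) goto fail;
        memcpy(tok, p, len);
        tok[len] = '\0';
        tokens[n++] = tok;

        if (!semi) break;
        p = semi + 1;
    }
    tokens[n] = NULL;
    *count = n;
    return tokens;

fail:
    for (size_t i = 0; i < n; i++) free(tokens[i]);
    free(tokens);
    return NULL;
}

void free_tokens(char **tokens)
{
    if (!tokens) return;
    for (size_t i = 0; tokens[i]; i++) free(tokens[i]);
    free(tokens);
}
```

The point of the hardened routine is that the decision to reject happens before any allocation is touched: the old table is never reallocated with a wrapped size, so there is nothing stale left to be used after free. A real fix in an assembler would additionally cap the input length at the command layer, so a multi-gigabyte argument like the PoC's is refused long before tokenisation.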
Assignee: bugsquad => qa-bugs
mga7, x86_64

CVE-2019-19590
https://github.com/radareorg/radare2/issues/15543

Copied the PoC generator, poc.py.

f = open("poc.r", "w")
f.write("/a " + ";" * (2 ** 31 + 16))
f.close()

$ python poc.py

This ran for a while, creating the payload for the r2 command.

$ file poc.r
poc.r: ASCII text, with very long lines, with no line terminators
$ ll poc.r
-rw-r--r-- 1 lcl lcl 2147483667 Feb 22 19:32 poc.r
$ r2 -i poc.r malloc://1024
Segmentation fault (core dumped)

CVE-2019-19647
https://github.com/radareorg/radare2/issues/15545

$ r2 malloc://1024
 -- It's not a bug, it's a work in progress
[0x00000000]>

No crash, so the problem may have been fixed already.

Installed the updates and checked the PoC.

CVE-2019-19590
$ r2 -i poc.r malloc://1024
[...]
0x000003fc   2 add byte [rax], al
0x000003fe   2 add byte [rax], al
 -- Yo dawg!
[0x00000000]> exit

Looks like it is fixed.

CVE-2019-19647
$ r2 malloc://1024
 -- what happens in #radare, stays in #radare
[0x00000000]> exit

No change from before - good result.

Ran some of the commands:

$ ragg2 -f python -a x86 /bin/tar
import struct
buf = struct.pack ("0B", *[
$ ragg2 -i exec -x
sh-4.4$ r2 malloc://1024
 -- Well this is embarrasing ...
[0x00000000]> ms
[/]> q
[0x00000000]> ms UNKNOWN_ROOT
Unknown root
[0x00000000]> exit
could not save history into /.cache/radare2
sh-4.4$ exit
exit

Don't know enough about this application to test all the commands: rahash2, rafind2, rabin2, radiff2, rasm2, rax2, rarun2

$ rafind2 -s "asteroid" /bin/stellarium | wc -l
17
$ rafind2 -s "Callisto" /bin/celestia | wc -l
19
$ r2 -a x86 /bin/cargo
 -- Polish reversers blame git
[0x00064c20]> V

That generated a full, coloured hexdump of the program which could be scrolled using the up and down arrows or the paging buttons like Home and PgDn. Not possible to cut&paste into this report. 'q' to return to the prompt, then exit.

These sparse tests should be enough.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0100.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED