Fedora has issued an advisory today (August 7):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7OFOJ23B5CP5XDVYTW6TTN7OFZPAIVY4/

The issue is fixed upstream in 4.5.0.

They also upgraded radare2-cutter to 1.11.0:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MWC7KNBETYE5MK6VIUU26LUIISIFGSBZ/

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Already done on Cauldron.
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Source RPM: radare2-4.4.0-1.mga8.src.rpm => radare2-4.2.1-1.mga7.src.rpm
Done for mga7!
Advisory:
========================

Updated radare2 packages fix security vulnerability:

In radare2 before version 4.5.0, malformed PDB file names in the PDB server path cause shell injection. To trigger the problem it's required to open the executable in radare2 and run idpd to trigger the download. The shell code will execute, and will create a file called pwned in the current directory (CVE-2020-15121).

The radare2 package has been updated to version 4.5.0, fixing these issues and other bugs. Also, the radare2-cutter package has been updated to version 1.11.0.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15121
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7OFOJ23B5CP5XDVYTW6TTN7OFZPAIVY4/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MWC7KNBETYE5MK6VIUU26LUIISIFGSBZ/
========================

Updated packages in core/updates_testing:
========================
radare2-4.5.0-1.mga7
libradare2_4.5.0-4.5.0-1.mga7
libradare2-devel-4.5.0-1.mga7
radare2-cutter-1.11.0-1.mga7

from SRPMS:
radare2-4.5.0-1.mga7.src.rpm
radare2-cutter-1.11.0-1.mga7.src.rpm
CC: (none) => geiger.david68210
QA Contact: (none) => security
Component: RPM Packages => Security
Assignee: geiger.david68210 => qa-bugs
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 26232 for test.

$ rafind2 -s "text" /bin/kwrite | wc -l
5
$ r2 -a x86 /bin/oowriter
 -- In soviet Afghanistan, you debug radare2!
>V

as described in bug 26232
"a full, coloured hexdump of the program which could be scrolled using the up and down arrows or the paging buttons like Home and PgDn. Not possible to cut&paste into this report. 'q' to return to prompt, then exit."

So, looks OK
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Advisory and package list in Comment 3.
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0329.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
*** Bug 27751 has been marked as a duplicate of this bug. ***
CC: (none) => zombie_ryushu