Fedora has issued an advisory on February 24: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/45SGGCWFIIV7N2X2QZRREHOW7ODT3IH7/ The issues are fixed upstream in 5.1.1. Mageia 7 and Mageia 8 are also affected.
Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 5.1.1
fixed in cauldron
CC: (none) => mageia
Version: Cauldron => 8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
new radare2 rpm pushed in mga7/8 + a rebuild of radare2-cutter

src:
-7:
- radare2-5.1.1-1.mga7
- radare2-cutter-1.11.0-1.1.mga7
-8:
- radare2-5.1.1-1.mga8
- radare2-cutter-1.12.0-1.1.mga8
Assignee: geiger.david68210 => qa-bugs
Status comment: Fixed upstream in 5.1.1 => (none)
the build of the rebuild fails. I will take a look
Assignee: qa-bugs => mageia
Built so far:
radare2-5.1.1-1.mga7
libradare2_5.1.1-5.1.1-1.mga7
libradare2-devel-5.1.1-1.mga7
radare2-5.1.1-1.mga8
libradare2-devel-5.1.1-1.mga8
libradare2_5.1.1-5.1.1-1.mga8
Status comment: (none) => radare2-cutter fails to build against updated radare2
(In reply to Nicolas Lécureuil from comment #3)
> the build of the rebuild fails. I will take a look

Apparently we should switch to a forked r2cutter: https://github.com/radareorg/r2cutter
CC: (none) => geiger.david68210
i switched in cauldron and it builds well.
New packages pushed in mga7/8:

src:
- radare2-cutter-0.1.1-1.mga7
- radare2-cutter-0.1.1-1.mga8
Assignee: mageia => qa-bugs
Status comment: radare2-cutter fails to build against updated radare2 => (none)
Packages list:
radare2-5.1.1-1.mga7
libradare2_5.1.1-5.1.1-1.mga7
libradare2-devel-5.1.1-1.mga7
radare2-cutter-0.1.1-1.mga7
radare2-5.1.1-1.mga8
libradare2-devel-5.1.1-1.mga8
libradare2_5.1.1-5.1.1-1.mga8
radare2-cutter-0.1.1-1.mga8
Advisory:
========================

Updated radare2 packages fix security vulnerabilities:

radare2 4.5.0 misparses DWARF information in executable files, causing a segmentation fault in parse_typedef in type_dwarf.c via a malformed DW_AT_name in the .debug_info section (CVE-2020-16269).

radare2 4.5.0 misparses signature information in PE files, causing a segmentation fault in r_x509_parse_algorithmidentifier in libr/util/x509.c. This is due to a malformed object identifier in IMAGE_DIRECTORY_ENTRY_SECURITY (CVE-2020-17487).

Also, the radare2-cutter package has been switched to a new upstream that uses a different versioning scheme.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16269
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17487
https://github.com/rizinorg/cutter/releases/tag/v1.12.0
https://github.com/radareorg/r2cutter/releases/tag/0.1.0
https://github.com/radareorg/r2cutter/releases/tag/0.1.1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/45SGGCWFIIV7N2X2QZRREHOW7ODT3IH7/
Query about installation in mga7. Have just installed the files from core updates and see this for radare2-cutter : media/core/updates/radare2-cutter-1.11.0-1.mga7.x86_64.rpm The package list shows radare2-cutter-0.1.1-1.mga7 for testing. Is that a step backwards or is there something I have missed?
CC: (none) => tarazed25
Apologies. I just saw the note about the change to versioning.
Created attachment 12537 [details]
Test file for CVE-2020-16269

$ radare2 ./test_crash
<quip of the day>
r2 shell> r2 test_crash
<segmentation fault before bugfix>
> quit
Created attachment 12538 [details]
Python script to generate a faulty exe file from a PE file

Sample session using wine:
$ wine signature.exe
$ r2 signature.exe
# generate output.exe
$ python signtest.py signature.exe
# generate PoC file
$ wine output.exe
$ r2 output.exe
# this is the file supplied from upstream
mga7, x64

CVE-2020-16269
https://github.com/radareorg/radare2/issues/17383
Copied the test_crash script from the site.

$ radare2 ./test_crash
 -- Quantum dissasemble: it's there as long as you don't observe it
[0x00000000]> r2 test_crash
 -- Segmentation fault (core dumped)
[0x00000000]> quit

CVE-2020-17487
https://github.com/radareorg/radare2/issues/17431
Copied the conversion script from the site - attached. This converts any PE file into a binary which makes radare2 crash. Don't know what a PE file is but upstream has provided a test file in a zip file which contains output.exe.

$ r2 output.exe
Segmentation fault (core dumped)

Updated the four packages. Ran the poc tests.

CVE-2020-16269
$ radare2 ./test_crash
 -- What is the most complex r2 command? q - then you have to deal with real life /o\
[0x00000000]> r2 test_crash
 -- It's the year of radare2 on the desktop
[0x00000000]> quit
<Good result>

CVE-2020-17487
$ r2 output.exe
 -- Insert coin to continue ...
[0x140018090]> quit
<Good result>

Tried a command which worked fine in bug 25933:
$ r2 -a x86 -b 64 /bin/bash
 -- A C program is like a fast dance on a newly waxed dance floor by people carrying razors - Waldi Ravens
[0x00420190]> quit
No V mode and no hexdump.

$ r2 -V -a x86 -b 64 /bin/bash
5.1.1 r2
5.1.1 r_anal
5.1.1 r_lib
5.1.1 r_egg
5.1.1 r_asm
.......

$ r2 -a x86 -b 64 /bin/cargo
Warning: run r2 with -e io.cache=true to fix relocations in disassembly
 -- Don't trust what can't be compiled
[0x0008fbf0]> quit

lcl@difda:pocs $ r2 -a x86 -b 64 -e io.cache=true /bin/cargo
 -- The Hard ROP Cafe
[0x0008fbf0]> ms
[/]> help
Usage: [command (arguments)]([~grep-expression])
!cmd        ; escape to system
:cmd        ; escape to the r2 repl
ls [path]   ; list current directory
cd path     ; change current directory
cat file    ; print contents of file
get file    ; dump file to disk
mount       ; list mount points
q/exit      ; leave prompt mode
?/help      ; show this help
[/]> :V
[0x0008fbf0 [Xadvc]0 5% 384 /bin/cargo]> xc @ entry0
...........
That showed a hexdump offset table with ASCII and a comments column, as in previous tests. Cut and paste fails. Used "q" to exit from that mode.

$ ragg2 -f python -a x86 /bin/tar
import struct
buf = struct.pack ("0B", *[

$ ragg2 -i exec -x
sh-4.4$ r2 malloc://1024
 -- Hold on, this should never happen!
[0x00000000]> ms
UNKNOWN_ROOT
Unknown root
[0x00000000]> exit
could not save history into //.cache/radare2
sh-4.4$ exit
exit

$ rafind2 -s "asteroid" /bin/stellarium | wc -l
17
For comparison:
$ strings /bin/stellarium | grep asteroid | wc -l
15

The bugs appear to have been squashed and simple tests work OK.
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
mga8, x64

CVE-2020-16269
https://github.com/radareorg/radare2/issues/17383

$ radare2 ./test_crash
 -- This shell has been seized by the Internet's Police.
[0x00000000]> r2 test_crash
 -- Use 'rabin2 -ris' to get the import/export symbols of any binary.
[0x00000000]> q

CVE-2020-17487
https://github.com/radareorg/radare2/issues/17431

$ unzip output.zip
$ r2 output.exe
 -- Trust no one, nor a zero. Both lie.
[0x140018090]>
No segfaults.

Updated the four packages. Ran the poc tests.

CVE-2020-16269
$ radare2 ./test_crash
 -- Remember that word: C H A I R
[0x00000000]> r2 test_crash
 -- radare2 0.9.7 is so old, my grandfarther was using it with his enigma in WWII
[0x00000000]> quit

CVE-2020-17487
$ r2 output.exe
 -- You see it, you fix it!
[0x140018090]>
<Good result>

$ r2 -a x86 -b 64 /bin/bash
...............
...> V
[0x00422c0 [Xadvc]0 13% 384 /bin/bash]> xc @ entry0
<offset table in twinhex and ASCII with comments - PgDn or arrow keys to traverse>
...........

$ r2 -V -a x86 -b 64 /bin/bash
5.1.1 r2
5.1.1 r_anal
5.1.1 r_lib
5.1.1 r_egg
5.1.1 r_asm
.......
5.1.1 r_util

$ r2 -a x86 -b 64 /bin/cargo
Warning: run r2 with -e io.cache=true to fix relocations in disassembly
 -- Don't trust what can't be compiled
[0x0008fbf0]> quit

$ r2 -a x86 -b 64 -e io.cache=true /bin/cargo
 -- Radare2 is like violence. If it doesn't solve your problem, you aren't using enough.
[0x00096100]> ms
[/]> help
.........
[0x00096100]> q

Tried ragg2 and rafind2 which seemed to work. Not enough knowledge to continue with them. The poc tests show that the earlier issues no longer apply. Giving this the all clear.
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
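The two QA comments above verify the fix by opening each upstream reproducer file interactively and watching for a segfault. The script below is an added example, not part of this bug thread or of the radare2 project, that does the same regression check non-interactively so that the result of a package update is a pass/fail line per file rather than something read off a terminal. It assumes the reproducer files (the test_crash attachment and the output.exe from upstream's zip) have been copied into a directory named by POC_DIR (a hypothetical path), and it assumes that `r2 -q -c q FILE` opens the file, which is what triggers the DWARF and PE parsing, and then quits; the classification is done purely on the exit status, where a value above 128 means the process was killed by a signal (139 = SIGSEGV).

```shell
#!/bin/sh
# Crash-regression harness for a binary parser such as radare2.
# Added example for this QA thread; not the project's own code.
#
# Usage:  POC_DIR=/path/to/reproducers sh check_pocs.sh
#         (R2 and POC_TIMEOUT may be overridden in the environment)

# classify_run CMD [ARGS...]
# Runs CMD under a timeout when GNU timeout is available and prints one of:
#   ok            exit status 0
#   exit:<n>      normal exit with non-zero status
#   timeout       killed by timeout (status 124)
#   signal:<n>    terminated by signal n (status 128+n, e.g. 11 = SIGSEGV)
classify_run() {
    status=0
    if command -v timeout >/dev/null 2>&1; then
        timeout "${POC_TIMEOUT:-20}" "$@" >/dev/null 2>&1 || status=$?
    else
        "$@" >/dev/null 2>&1 || status=$?
    fi
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -eq 124 ]; then
        echo timeout
    elif [ "$status" -gt 128 ]; then
        echo "signal:$((status - 128))"
    else
        echo "exit:$status"
    fi
}

# check_pocs CMD [ARGS...]
# Runs CMD once per regular file in $POC_DIR, appending the file path as the
# last argument, and prints "<result><TAB><file>" for each.  Returns 1 if any
# run crashed (signal) or hung (timeout); a non-zero exit is tolerated because
# a parser rejecting a malformed file is the desired behaviour.
check_pocs() {
    failed=0
    for f in "$POC_DIR"/*; do
        [ -f "$f" ] || continue
        result=$(classify_run "$@" "$f")
        printf '%s\t%s\n' "$result" "$f"
        case $result in
            signal:*|timeout) failed=1 ;;
        esac
    done
    return $failed
}

# Stand-alone use: only runs when POC_DIR is set, so sourcing the file for
# its functions has no side effects.  The r2 invocation is an assumption:
# -q (quiet) with -c q (run "q" after loading) should open the file and exit.
if [ -n "${POC_DIR:-}" ]; then
    if check_pocs "${R2:-r2}" -q -c q; then
        echo "all reproducers handled without crash"
    else
        echo "at least one reproducer still crashes or hangs" >&2
        exit 1
    fi
fi
```

Running the script before and after `urpmi --update radare2` gives a direct before/after comparison: with the vulnerable build the two CVE reproducers are expected to show `signal:11`, and with 5.1.1 they should show `ok` (or `exit:<n>` if radare2 chooses to reject the file), which is the same observation the comments above made by hand.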
Validating. Advisory in Comment 9.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CVE: (none) => CVE-2020-16269, CVE-2020-17487
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0160.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED