Bug 28476 - radare2 new security issues CVE-2020-16269 and CVE-2020-17487
Summary: radare2 new security issues CVE-2020-16269 and CVE-2020-17487
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-02-27 20:21 CET by David Walser
Modified: 2021-03-30 22:11 CEST (History)

See Also:
Source RPM: radare2-4.5.1-1.mga8.src.rpm
CVE: CVE-2020-16269, CVE-2020-17487
Status comment:


Attachments
Test file for CVE-2020-16269 (2.69 KB, text/x-python3)
2021-03-28 15:42 CEST, Len Lawrence
Python script to generate a faulty exe file from a PE file (2.70 KB, text/x-python3)
2021-03-28 16:24 CEST, Len Lawrence

Description David Walser 2021-02-27 20:21:15 CET
Fedora has issued an advisory on February 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/45SGGCWFIIV7N2X2QZRREHOW7ODT3IH7/

The issues are fixed upstream in 5.1.1.

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-02-27 20:21:27 CET

Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 5.1.1

Comment 1 Nicolas Lécureuil 2021-03-05 15:17:57 CET
fixed in cauldron

CC: (none) => mageia
Version: Cauldron => 8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

Comment 2 Nicolas Lécureuil 2021-03-05 16:15:28 CET
new radare2 rpm pushed in mga7/8 + a rebuild of radare2-cutter

src:
    -7: 
       - radare2-5.1.1-1.mga7
       - radare2-cutter-1.11.0-1.1.mga7
    -8:
       - radare2-5.1.1-1.mga8
       - radare2-cutter-1.12.0-1.1.mga8

Assignee: geiger.david68210 => qa-bugs
Status comment: Fixed upstream in 5.1.1 => (none)

Comment 3 Nicolas Lécureuil 2021-03-05 16:16:02 CET
the build of the rebuild fails. I will take a look

Assignee: qa-bugs => mageia

Comment 4 David Walser 2021-03-05 18:26:40 CET
Built so far:
radare2-5.1.1-1.mga7
libradare2_5.1.1-5.1.1-1.mga7
libradare2-devel-5.1.1-1.mga7
radare2-5.1.1-1.mga8
libradare2-devel-5.1.1-1.mga8
libradare2_5.1.1-5.1.1-1.mga8

Status comment: (none) => radare2-cutter fails to build against updated radare2

Comment 5 David GEIGER 2021-03-07 08:14:07 CET
(In reply to Nicolas Lécureuil from comment #3)
> the build of the rebuild fails. I will take a look

Apparently we should switch to a forked r2cutter:

https://github.com/radareorg/r2cutter

CC: (none) => geiger.david68210

Comment 6 Nicolas Lécureuil 2021-03-24 23:17:34 CET
I switched in cauldron and it builds well.
Comment 7 Nicolas Lécureuil 2021-03-24 23:29:49 CET
New packages pushed in mga7/8:

src:
    - radare2-cutter-0.1.1-1.mga7
    - radare2-cutter-0.1.1-1.mga8

Assignee: mageia => qa-bugs

Nicolas Lécureuil 2021-03-24 23:29:54 CET

Status comment: radare2-cutter fails to build against updated radare2 => (none)

Comment 8 David Walser 2021-03-26 20:54:14 CET
Packages list:
radare2-5.1.1-1.mga7
libradare2_5.1.1-5.1.1-1.mga7
libradare2-devel-5.1.1-1.mga7
radare2-cutter-0.1.1-1.mga7
radare2-5.1.1-1.mga8
libradare2-devel-5.1.1-1.mga8
libradare2_5.1.1-5.1.1-1.mga8
radare2-cutter-0.1.1-1.mga8
Comment 9 David Walser 2021-03-26 21:05:46 CET
Advisory:
========================

Updated radare2 packages fix security vulnerabilities:

radare2 4.5.0 misparses DWARF information in executable files, causing a
segmentation fault in parse_typedef in type_dwarf.c via a malformed DW_AT_name
in the .debug_info section (CVE-2020-16269).

radare2 4.5.0 misparses signature information in PE files, causing a
segmentation fault in r_x509_parse_algorithmidentifier in libr/util/x509.c.
This is due to a malformed object identifier in IMAGE_DIRECTORY_ENTRY_SECURITY
(CVE-2020-17487).

Also, the radare2-cutter package has been switched to a new upstream that uses
a different versioning scheme.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16269
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17487
https://github.com/rizinorg/cutter/releases/tag/v1.12.0
https://github.com/radareorg/r2cutter/releases/tag/0.1.0
https://github.com/radareorg/r2cutter/releases/tag/0.1.1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/45SGGCWFIIV7N2X2QZRREHOW7ODT3IH7/
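Added here as an illustration, not code from the bug report or from radare2 or Mageia: a bounds-checked DER object-identifier decoder, the kind of check that r_x509_parse_algorithmidentifier needs when it reads the AlgorithmIdentifier from a PE's IMAGE_DIRECTORY_ENTRY_SECURITY (CVE-2020-17487). The `decode_der_oid` and `parse_algorithm_identifier` names and the sample bytes are constructed for this example.

```python
# Added example, not code from the bug report, radare2 or Mageia: a bounds-checked
# DER OBJECT IDENTIFIER decoder. Malformed input yields None, never a read past the buffer.

def decode_der_oid(buf: bytes, offset: int = 0):
    """Decode one DER OBJECT IDENTIFIER at buf[offset:]. Returns (dotted, end_offset),
    or None if the element is truncated, empty, overruns the buffer, or a base-128
    sub-identifier is unterminated or non-minimally encoded."""
    if offset + 2 > len(buf) or buf[offset] != 0x06:          # tag must be OID
        return None
    length, pos = buf[offset + 1], offset + 2
    if length & 0x80:                                          # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            return None
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if length == 0 or end > len(buf):                          # empty, or declared length overruns data
        return None
    subids, value, at_start = [], 0, True
    while pos < end:
        b = buf[pos]
        if at_start and b == 0x80:                             # leading 0x80 byte is non-minimal
            return None
        value, at_start = (value << 7) | (b & 0x7F), False
        if not b & 0x80:                                       # high bit clear ends a sub-identifier
            subids.append(value)
            value, at_start = 0, True
        pos += 1
    if not at_start:                                           # final byte still carried a continuation bit
        return None
    first = subids[0]                                          # first sub-identifier packs arcs 1 and 2
    arcs = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, arcs + subids[1:])), end

def parse_algorithm_identifier(buf: bytes, offset: int = 0):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }.
    Short-form SEQUENCE length only; returns the algorithm OID string or None."""
    if offset + 2 > len(buf) or buf[offset] != 0x30 or buf[offset + 1] & 0x80:
        return None
    seq_end = offset + 2 + buf[offset + 1]
    if seq_end > len(buf):
        return None
    oid = decode_der_oid(buf[:seq_end], offset + 2)            # clip reads to the SEQUENCE
    return oid[0] if oid else None

# Constructed samples: sha256WithRSAEncryption inside an AlgorithmIdentifier, and an OID
# whose declared length (0x20) runs past the three bytes that follow it.
GOOD_ALGID = bytes.fromhex("300d06092a864886f70d01010b0500")
BAD_OID = bytes.fromhex("06202a8648")
```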
Comment 10 Len Lawrence 2021-03-28 13:31:42 CEST
Query about installation in mga7. Have just installed the files from core updates and see this for radare2-cutter:
media/core/updates/radare2-cutter-1.11.0-1.mga7.x86_64.rpm

The package list shows radare2-cutter-0.1.1-1.mga7 for testing.
Is that a step backwards or is there something I have missed?

CC: (none) => tarazed25

Comment 11 Len Lawrence 2021-03-28 15:19:09 CEST
Apologies.  I just saw the note about the change to versioning.
Comment 12 Len Lawrence 2021-03-28 15:42:30 CEST
Created attachment 12537 [details]
Test file for CVE-2020-16269

$ radare2 ./test_crash
<quip of the day>
r2 shell> r2 test_crash
<segmentation fault before bugfix>
> quit
Comment 13 Len Lawrence 2021-03-28 16:24:56 CEST
Created attachment 12538 [details]
Python script to generate a faulty exe file from a PE file

Sample session using wine:
$ wine signature.exe
$ r2 signature.exe
# generate output.exe
$ python signtest.py signature.exe
# generate PoC file
$ wine output.exe
$ r2 output.exe    # this is the file supplied from upstream
Comment 14 Len Lawrence 2021-03-28 17:16:17 CEST
mga7, x64

CVE-2020-16269
https://github.com/radareorg/radare2/issues/17383
Copied the test_crash script from the site.
$ radare2 ./test_crash
 -- Quantum dissasemble: it's there as long as you don't observe it
[0x00000000]> r2 test_crash
 -- Segmentation fault (core dumped)
[0x00000000]> quit

CVE-2020-17487
https://github.com/radareorg/radare2/issues/17431
Copied the conversion script from the site - attached.
This converts any PE file into a binary which makes radare2 crash.
Don't know what a PE file is, but upstream has provided a test file in a zip file which contains output.exe.
$ r2 output.exe
Segmentation fault (core dumped)

Updated the four packages.
Ran the poc tests.
CVE-2020-16269
$ radare2 ./test_crash
 -- What is the most complex r2 command? q - then you have to deal with real life /o\
[0x00000000]> r2 test_crash
 -- It's the year of radare2 on the desktop
[0x00000000]> quit
<Good result>
CVE-2020-17487
$ r2 output.exe
 -- Insert coin to continue ...
[0x140018090]> quit
<Good result>

Tried a command which worked fine in bug 25933:
$ r2 -a x86 -b 64 /bin/bash
 -- A C program is like a fast dance on a newly waxed dance floor by people carrying razors - Waldi Ravens
[0x00420190]> quit

No V mode and no hexdump.

$ r2 -V -a x86 -b 64 /bin/bash
5.1.1  r2
5.1.1  r_anal
5.1.1  r_lib
5.1.1  r_egg
5.1.1  r_asm
.......

$ r2 -a x86 -b 64 /bin/cargo
Warning: run r2 with -e io.cache=true to fix relocations in disassembly
 -- Don't trust what can't be compiled
[0x0008fbf0]> quit
lcl@difda:pocs $ r2 -a x86 -b 64 -e io.cache=true /bin/cargo
 -- The Hard ROP Cafe
[0x0008fbf0]> ms
[/]> help
Usage: [command (arguments)]([~grep-expression])
 !cmd        ; escape to system
 :cmd        ; escape to the r2 repl
 ls [path]   ; list current directory
 cd path     ; change current directory
 cat file    ; print contents of file
 get file    ; dump file to disk
 mount       ; list mount points
 q/exit      ; leave prompt mode
 ?/help      ; show this help
[/]> :V
[0x0008fbf0 [Xadvc]0 5% 384 /bin/cargo]> xc @ entry0
...........

That showed a hexdump offset table with ASCII and a comments column, as in previous tests. Cut and paste fails. Used "q" to exit from that mode.
$ ragg2 -f python -a x86 /bin/tar
import struct
buf = struct.pack ("0B", *[
$ ragg2 -i exec -x
sh-4.4$ r2 malloc://1024
 -- Hold on, this should never happen!
[0x00000000]> ms UNKNOWN_ROOT
Unknown root
[0x00000000]> exit
could not save history into //.cache/radare2
sh-4.4$ exit
exit

$ rafind2 -s "asteroid" /bin/stellarium | wc -l
17
For comparison:
$ strings /bin/stellarium | grep asteroid | wc -l
15

The bugs appear to have been squashed and simple tests work OK.

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

Comment 15 Len Lawrence 2021-03-28 19:36:00 CEST
mga8, x64

CVE-2020-16269
https://github.com/radareorg/radare2/issues/17383
$ radare2 ./test_crash
 -- This shell has been seized by the Internet's Police.
[0x00000000]> r2 test_crash
-- Use 'rabin2 -ris' to get the import/export symbols of any binary.
[0x00000000]> q

CVE-2020-17487
https://github.com/radareorg/radare2/issues/17431
$ unzip output.zip
$ r2 output.exe
 -- Trust no one, nor a zero. Both lie.
[0x140018090]> 

No segfaults.

Updated the four packages.
Ran the poc tests.
CVE-2020-16269
$ radare2 ./test_crash
 -- Remember that word: C H A I R
[0x00000000]> r2 test_crash
-- radare2 0.9.7 is so old, my grandfarther was using it with his enigma in WWII
[0x00000000]> quit

CVE-2020-17487
$ r2 output.exe
 -- You see it, you fix it!
[0x140018090]> 
<Good result>

$ r2 -a x86 -b 64 /bin/bash
...............
...> V
[0x00422c0 [Xadvc]0 13% 384 /bin/bash]> xc @ entry0
<offset table in twinhex and ASCII with comments - PgDn or arrow keys to traverse>
...........

$ r2 -V -a x86 -b 64 /bin/bash
5.1.1  r2
5.1.1  r_anal
5.1.1  r_lib
5.1.1  r_egg
5.1.1  r_asm
.......
5.1.1  r_util

$ r2 -a x86 -b 64 /bin/cargo
Warning: run r2 with -e io.cache=true to fix relocations in disassembly
 -- Don't trust what can't be compiled
[0x0008fbf0]> quit
$ r2 -a x86 -b 64 -e io.cache=true /bin/cargo
-- Radare2 is like violence. If it doesn't solve your problem, you aren't using enough.
[0x00096100]> ms
[/]> help
.........
[0x00096100]> q

Tried ragg2 and rafind2, which seemed to work. Not enough knowledge to continue with them.
The poc tests show that the earlier issues no longer apply.
Giving this the all clear.

Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 16 Thomas Andrews 2021-03-28 21:11:24 CEST
Validating. Advisory in Comment 9.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Aurelien Oudelet 2021-03-30 15:56:22 CEST

Keywords: (none) => advisory
CVE: (none) => CVE-2020-16269, CVE-2020-17487
CC: (none) => ouaurelien

Comment 17 Mageia Robot 2021-03-30 22:11:04 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0160.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

