Assigning to NicolasL, who committed version 5.1.1 with CVE updates.
DavidG is already CC'd.

CC: mageia => (none)
Assignee: bugsquad => mageia

Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO

Fedora has issued an advisory on September 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JIARALLVVY2362AYFSFULTZKIW6QO5R5/

The issue is fixed upstream in 5.4.0.

Status comment: Fixed upstream in 5.3.1 => Fixed upstream in 5.4.0
Summary: radare2 new security issue CVE-2021-32613 => radare2 new security issues CVE-2021-32613 and CVE-2021-3673

New version pushed in mga8

src:
    - rizin-0.3.1-1.mga8
    - radare2-5.5.4-1.mga8
    - radare2-cutter-2.0.4-1.mga8

Version: Cauldron => 8
Status comment: Fixed upstream in 5.4.0 => (none)
Whiteboard: MGA8TOO => (none)
Assignee: mageia => qa-bugs

rizin-common-0.3.1-1.mga8
librizin-devel-0.3.1-1.mga8
rizin-0.3.1-1.mga8
librizin0-0.3.1-1.mga8
radare2-5.5.4-1.mga8
libradare2-devel-5.5.4-1.mga8
libradare2_5.5.4-5.5.4-1.mga8
radare2-cutter-devel-2.0.4-1.mga8
radare2-cutter-2.0.4-1.mga8

Mageia 8 X64 XFCE on Virtualbox
No installation issues

sudo urpmi --media "Core Updates Testing" radare2
Pour satisfaire les dépendances, les paquetages suivants vont être installés :
  Paquetage                      Version      Révision      Arch    
(média « Core Updates Testing »)
  lib64radare2_5.5.4             5.5.4        1.mga8        x86_64  
  radare2                        5.5.4        1.mga8        x86_64  
un espace additionnel de 27Mo sera utilisé.
5.3Mo de paquets seront récupérés.
Procéder à l'installation des 2 paquetages ? (O/n) O


    $MIRRORLIST: media/core/updates_testing/lib64radare2_5.5.4-5.5.4-1.mga8.x86_64.rpm
    $MIRRORLIST: media/core/updates_testing/radare2-5.5.4-1.mga8.x86_64.rpm    
installation de radare2-5.5.4-1.mga8.x86_64.rpm lib64radare2_5.5.4-5.5.4-1.mga8.x86_64.rpm depuis /var/cache/urpmi/rpms
Préparation...                   #############################################
      1/2: lib64radare2_5.5.4    #############################################
      2/2: radare2               #############################################

I found this site for explanation and documentation:
https://rada.re/n/radare2.html

I tried some cli command:

$radare2
Usage: r2 [-ACdfLMnNqStuvwzX] [-P patch] [-p prj] [-a arch] [-b bits] [-i file]
          [-s addr] [-B baddr] [-m maddr] [-c cmd] [-e k=v] file|pid|-|--|=
$rasm2
Usage: rasm2 [-ACdDehLBvw] [-a arch] [-b bits] [-o addr] [-s syntax]
             [-f file] [-F fil:ter] [-i skip] [-l len] 'code'|hex|-

https://resources.infosecinstitute.com/topic/how-to-use-radare2-for-reverse-engineering/

$radare2 FileZilla_3.57.0_win64-setup.exe 
 -- I could go up there about 11 at night, stay till 4 in the morning, and get all the computer runs I ever wanted.
[0x004035d8]> 

I tried other options; it seems to work fine.

CC: (none) => hdetavernier

MGA8-64 Plasma on Lenovo B50 in Dutch
Selecting all rpm's listed from Comment 5 in QARepo.
Then in MCC - Software installattion I get:
Sorry, the following package cannot be selected:

- radare2-cutter-devel-2.0.4-1.mga8.x86_64 (because of unfulfilled radare2-cutter(x86-64)[== 2.0.4-1.mga8])
but it is there.
Continuing anyway, using the howto Hugues indicated in Comment 6, copying file ATISetup from my Win10 installation

$ rabin2 -I ATISetup.exe 
arch     x86
baddr    0x140000000
binsz    589000
bintype  pe
bits     64
canary   false
retguard false
class    PE32+
cmp.csum 0x0009850e
compiled Thu Jul 16 02:13:41 2015
crypto   false
dbg_file c:\workarea\15.20\install\Monet\Apps\Bin\Win64a\B_rel\ATISetup.pdb
endian   little
havecode true
hdr.csum 0x0009850e
guid     C3049A9A126E46D6B76EA677F9D58DCD1
laddr    0x0
lang     msvc
linenum  false
lsyms    false
machine  AMD 64
nx       true
os       windows
overlay  true
cc       ms
pic      true
relocs   false
signed   true
sanitize false
static   false
stripped false
subsys   Windows CUI
va       true

$ rax2 0011000011111111d
12543

$ rasm2 ret
c3

$ radare2 ATISetup.exe 
 -- WARNING: r_list_length: assertion 'list' failed (line 55)
[0x14003a440]> aa
[x] Analyze all flags starting with sym. and entry0 (aa)
[0x14003a440]> s/ ATI
Searching 3 bytes in [0x140091400-0x140092000]
hits: 0
Searching 3 bytes in [0x140090000-0x140091400]
hits: 0
Searching 3 bytes in [0x14008fa00-0x140090000]
hits: 0
Searching 3 bytes in [0x140078000-0x14008fa00]
hits: 0
Searching 3 bytes in [0x140077600-0x140078000]
hits: 0
Searching 3 bytes in [0x140072000-0x140077600]
hits: 0
Searching 3 bytes in [0x140070c00-0x140072000]
hits: 0
Searching 3 bytes in [0x14006c000-0x140070c00]
[# ]0x14006e99c hit1_0 ..?AVATILogger@@.0   

So seems to work. I'm not sure whether this can be OK'ed with the installation issue i found.

CC: (none) => herman.viaene

(In reply to Herman Viaene from comment #7)
> MGA8-64 Plasma on Lenovo B50 in Dutch
> Selecting all rpm's listed from Comment 5 in QARepo.
> Then in MCC - Software installattion I get:
> Sorry, the following package cannot be selected:
> 
> - radare2-cutter-devel-2.0.4-1.mga8.x86_64 (because of unfulfilled
> radare2-cutter(x86-64)[== 2.0.4-1.mga8])
> but it is there.

Not exactly there, Herman. I confirmed the issue in VirtualBox. 

It looks like a naming issue to me. We ran into a similar issue with another update, not too long ago, as I recall.

I think radare2-cutter-devel-2.0.4-1 is looking for radare2-cutter(x86-64)-2.0.4-1 and all it finds is radare2-cutter-2.0.4-1. Our package doesn't have the "(x86-64)" in its name.

CC: (none) => andrewsfarm

That would be something provided by the package, not in the actual name itself.

Oh. 

OK, Live and learn. The issue still needs to be fixed before we can let it go.

Tried a new tactic in Vbox, which failed yet again.

I decided to try installing the current packages using MCC, then update. Right away I found there were no rizin packages there, at all. OK, a new dependency - I've seen it before. But when I went to install the radare2 packages, radare2-cutter-devel was also missing.

So I installed what I could, enabled the local repo from qarepo, and updated. That drew in a rizin library, confirming the new dependency. Then I went back to install software, and selected the rest of the rizin packages. That went OK. But when I tried to select the new radare2-cutter-devel package, I got the same message: 

Sorry, the following package cannot be selected:

- radare2-cutter-devel-2.0.4-1.mga8.x86_64 (due to unsatisfied radare2-cutter(x86-64)[== 2.0.4-1.mga8])

Except that radare2-cutter-2.0.4-1.mga8 IS ALREADY INSTALLED.

I don't see how I could possibly approve putting a package in our repos that MCC refuses to select. I need guidance.

I'm very confused about all this. What's going on?

Keywords: (none) => feedback

See Comment 9.  Someone put an invalid explicit requires in the spec (likely copied from Fedora) that needs to be removed (or modified to remove the arch/isa part at the end that Fedora tends to do, which we don't).

Thank you for clarifying. Then it looks like this needs to go back to Nicolas L.

Assignee: qa-bugs => mageia
Keywords: feedback => (none)

Fedora has issued an advisory today (February 22):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IQIRJ72UALGMSWH6MYPVJQQLXFGZ23RS/

The issues are fixed upstream in 5.6.0.

Summary: radare2 new security issues CVE-2021-32613 and CVE-2021-3673 => radare2 new security issues CVE-2021-32613, CVE-2021-3673, CVE-2021-4021, CVE-2022-0173, CVE-2022-0419
Whiteboard: (none) => MGA8TOO
Source RPM: radare2-5.1.1-1.mga9.src.rpm => radare2-5.5.4-1.mga9.src.rpm
Version: 8 => Cauldron
Status comment: (none) => Fixed upstream in 5.6.0

Fedora has issued an advisory today (March 11):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/E6YBRQ3UCFWJVSOYIKPVUDASZ544TFND/

The issues are fixed upstream in 5.6.4.

Summary: radare2 new security issues CVE-2021-32613, CVE-2021-3673, CVE-2021-4021, CVE-2022-0173, CVE-2022-0419 => radare2 new security issues CVE-2021-32613 CVE-2021-3673 CVE-2021-4021 CVE-2022-0173 CVE-2022-0419 CVE-2022-0476 CVE-2022-051[89] CVE-2022-052[0-3] CVE-2022-0559 CVE-2022-0676 CVE-2022-0695 CVE-2022-071[23]
Status comment: Fixed upstream in 5.6.0 => Fixed upstream in 5.6.4

One of these issues and two others have been announced today (May 25):
https://www.openwall.com/lists/oss-security/2022/05/25/1
https://census-labs.com/news/2022/05/24/multiple-vulnerabilities-in-radare2/

The issues are fixed upstream in 5.6.0.

Summary: radare2 new security issues CVE-2021-32613 CVE-2021-3673 CVE-2021-4021 CVE-2022-0173 CVE-2022-0419 CVE-2022-0476 CVE-2022-051[89] CVE-2022-052[0-3] CVE-2022-0559 CVE-2022-0676 CVE-2022-0695 CVE-2022-071[23] => radare2 new security issues CVE-2021-32613 CVE-2021-3673 CVE-2021-4021 CVE-2021-4497[45] CVE-2022-0173 CVE-2022-0419 CVE-2022-0476 CVE-2022-051[89] CVE-2022-052[0-3] CVE-2022-0559 CVE-2022-0676 CVE-2022-0695 CVE-2022-071[23]

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In radare2 through 5.3.0 there is a double free vulnerability in the pyc parse via a crafted file which can lead to DoS. (CVE-2021-32613)

A vulnerability was found in Radare2 in version 5.3.1. Improper input validation when reading a crafted LE binary can lead to resource exhaustion and DoS. (CVE-2021-3673)

A vulnerability was found in Radare2 in versions prior to 5.6.2, 5.6.0, 5.5.4 and 5.5.2. Mapping a huge section filled with zeros of an ELF64 binary for MIPS architecture can lead to uncontrolled resource consumption and DoS. (CVE-2021-4021)

adareorg radare2 version 5.5.2 is vulnerable to NULL Pointer Dereference via libr/bin/p/bin_symbols.c binary symbol parser. (CVE-2021-44974)

radareorg radare2 5.5.2 is vulnerable to Buffer Overflow via /libr/core/anal_objc.c mach-o parser. (CVE-2021-44975)

radare2 is vulnerable to Out-of-bounds Read. (CVE-2022-0173)

NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.6.0. (CVE-2022-0419)

Denial of Service in GitHub repository radareorg/radare2 prior to 5.6.4. (CVE-2022-0476)

Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.6.2. (CVE-2022-0518)

Buffer Access with Incorrect Length Value in GitHub repository radareorg/radare2 prior to 5.6.2. (CVE-2022-0519)

Use After Free in NPM radare2.js prior to 5.6.2. (CVE-2022-0520)

Access of Memory Location After End of Buffer in GitHub repository radareorg/radare2 prior to 5.6.2. (CVE-2022-0521)

Access of Memory Location Before Start of Buffer in NPM radare2.js prior to 5.6.2. (CVE-2022-0522)

Expired Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.6.2. (CVE-2022-0523)

Use After Free in GitHub repository radareorg/radare2 prior to 5.6.2. (CVE-2022-0559)

Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.6.4. (CVE-2022-0676)

Denial of Service in GitHub repository radareorg/radare2 prior to 5.6.4. (CVE-2022-0695)

NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.6.4. (CVE-2022-0712)

Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.6.4. (CVE-2022-0713)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32613
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3673
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4021
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44974
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44975
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0173
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0419
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0476
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0518
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0519
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0520
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0521
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0522
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0523
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0559
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0676
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0695
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0712
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0713
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/V2UL4V4XKSFJVNNUMFV443UJXGDBYGS4/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JIARALLVVY2362AYFSFULTZKIW6QO5R5/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IQIRJ72UALGMSWH6MYPVJQQLXFGZ23RS/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/E6YBRQ3UCFWJVSOYIKPVUDASZ544TFND/
https://www.openwall.com/lists/oss-security/2022/05/25/1
https://census-labs.com/news/2022/05/24/multiple-vulnerabilities-in-radare2/
========================

Updated packages in core/updates_testing:
========================
lib(64)radare2_5.6.4-5.6.4-1.mga8
lib(64)radare2-devel-5.6.4-1.mga8
radare2-5.6.4-1.mga8

radare2-cutter-2.0.4-2.mga8
radare2-cutter-devel-2.0.4-2.mga8

lib(64)rizin0-0.3.1-1.mga8
lib(64)rizin-devel-0.3.1-1.mga8
rizin-0.3.1-1.mga8
rizin-common-0.3.1-1.mga8

from SRPMS:
radare2-5.6.4-1.mga8.src.rpm
radare2-cutter-2.0.4-2.mga8.src.rpm
rizin-0.3.1-1.mga8.src.rpm

Status comment: Fixed upstream in 5.6.4 => (none)
Assignee: mageia => qa-bugs
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
Version: Cauldron => 8

No installation issues in VirtualBox. The issue from Comment 7 is no longer a problem.

Referenced https://bugs.mageia.org/show_bug.cgi?id=27060#c4 for testing:

$ rafind2 -s "text" /bin/kwrite | wc -l
5
$ r2 -a x86 /bin/oowriter
 -- When in doubt, try 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; pd;'
[0x00000000]> V

As with Bug 27060, this produced a lengthy, and to me mostly incomprehensible multi-colored hexdump, but it seems to be what it is supposed to do.

I also tried running the radare2-cutter gui. I moved around a bit, and again it was mostly incomprehensible, but seems to be the way it is supposed to be. 

With all these security fixes, this needs to move along if it doesn't crash, whether I understand it or not. 

Giving it an OK, and validating. Advisory in comment 17

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0440.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED