Fedora has issued an advisory today (June 21): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/V2UL4V4XKSFJVNNUMFV443UJXGDBYGS4/ The issue is fixed upstream in 5.3.1. Mageia 7 and Mageia 8 are also affected.
Whiteboard: (none) => MGA8TOO, MGA7TOO
CC: (none) => geiger.david68210, mageia
Status comment: (none) => Fixed upstream in 5.3.1
Assigning to NicolasL, who committed version 5.1.1 with CVE updates. DavidG is already CC'd.
CC: mageia => (none)
Assignee: bugsquad => mageia
Removing Mageia 7 from whiteboard due to EOL: https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/
Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO
Fedora has issued an advisory on September 24: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JIARALLVVY2362AYFSFULTZKIW6QO5R5/ The issue is fixed upstream in 5.4.0.
Status comment: Fixed upstream in 5.3.1 => Fixed upstream in 5.4.0
Summary: radare2 new security issue CVE-2021-32613 => radare2 new security issues CVE-2021-32613 and CVE-2021-3673
New version pushed in mga8 src:
- rizin-0.3.1-1.mga8
- radare2-5.5.4-1.mga8
- radare2-cutter-2.0.4-1.mga8
Version: Cauldron => 8
Status comment: Fixed upstream in 5.4.0 => (none)
Whiteboard: MGA8TOO => (none)
Assignee: mageia => qa-bugs
rizin-common-0.3.1-1.mga8
librizin-devel-0.3.1-1.mga8
rizin-0.3.1-1.mga8
librizin0-0.3.1-1.mga8
radare2-5.5.4-1.mga8
libradare2-devel-5.5.4-1.mga8
libradare2_5.5.4-5.5.4-1.mga8
radare2-cutter-devel-2.0.4-1.mga8
radare2-cutter-2.0.4-1.mga8
Mageia 8 X64 XFCE on Virtualbox
No installation issues

sudo urpmi --media "Core Updates Testing" radare2
Pour satisfaire les dépendances, les paquetages suivants vont être installés :
  Paquetage                      Version      Révision      Arch
(média « Core Updates Testing »)
  lib64radare2_5.5.4             5.5.4        1.mga8        x86_64
  radare2                        5.5.4        1.mga8        x86_64
un espace additionnel de 27Mo sera utilisé.
5.3Mo de paquets seront récupérés.
Procéder à l'installation des 2 paquetages ? (O/n) O
    $MIRRORLIST: media/core/updates_testing/lib64radare2_5.5.4-5.5.4-1.mga8.x86_64.rpm
    $MIRRORLIST: media/core/updates_testing/radare2-5.5.4-1.mga8.x86_64.rpm
installation de radare2-5.5.4-1.mga8.x86_64.rpm lib64radare2_5.5.4-5.5.4-1.mga8.x86_64.rpm depuis /var/cache/urpmi/rpms
Préparation...                   #############################################
      1/2: lib64radare2_5.5.4    #############################################
      2/2: radare2               #############################################

I found this site for explanation and documentation: https://rada.re/n/radare2.html

I tried some CLI commands:

$radare2
Usage: r2 [-ACdfLMnNqStuvwzX] [-P patch] [-p prj] [-a arch] [-b bits] [-i file] [-s addr] [-B baddr] [-m maddr] [-c cmd] [-e k=v] file|pid|-|--|=
$rasm2
Usage: rasm2 [-ACdDehLBvw] [-a arch] [-b bits] [-o addr] [-s syntax] [-f file] [-F fil:ter] [-i skip] [-l len] 'code'|hex|-

https://resources.infosecinstitute.com/topic/how-to-use-radare2-for-reverse-engineering/

$radare2 FileZilla_3.57.0_win64-setup.exe
 -- I could go up there about 11 at night, stay till 4 in the morning, and get all the computer runs I ever wanted.
[0x004035d8]>

I tried other options; it seems to work fine.
CC: (none) => hdetavernier
MGA8-64 Plasma on Lenovo B50 in Dutch
Selecting all rpm's listed from Comment 5 in QARepo.
Then in MCC - Software installation I get:
Sorry, the following package cannot be selected:

- radare2-cutter-devel-2.0.4-1.mga8.x86_64 (because of unfulfilled radare2-cutter(x86-64)[== 2.0.4-1.mga8])
but it is there.

Continuing anyway, using the howto Hugues indicated in Comment 6, copying file ATISetup from my Win10 installation

$ rabin2 -I ATISetup.exe
arch     x86
baddr    0x140000000
binsz    589000
bintype  pe
bits     64
canary   false
retguard false
class    PE32+
cmp.csum 0x0009850e
compiled Thu Jul 16 02:13:41 2015
crypto   false
dbg_file c:\workarea\15.20\install\Monet\Apps\Bin\Win64a\B_rel\ATISetup.pdb
endian   little
havecode true
hdr.csum 0x0009850e
guid     C3049A9A126E46D6B76EA677F9D58DCD1
laddr    0x0
lang     msvc
linenum  false
lsyms    false
machine  AMD 64
nx       true
os       windows
overlay  true
cc       ms
pic      true
relocs   false
signed   true
sanitize false
static   false
stripped false
subsys   Windows CUI
va       true

$ rax2 0011000011111111d
12543
$ rasm2 ret
c3
$ radare2 ATISetup.exe
-- WARNING: r_list_length: assertion 'list' failed (line 55)
[0x14003a440]> aa
[x] Analyze all flags starting with sym. and entry0 (aa)
[0x14003a440]> s/ ATI
Searching 3 bytes in [0x140091400-0x140092000]
hits: 0
Searching 3 bytes in [0x140090000-0x140091400]
hits: 0
Searching 3 bytes in [0x14008fa00-0x140090000]
hits: 0
Searching 3 bytes in [0x140078000-0x14008fa00]
hits: 0
Searching 3 bytes in [0x140077600-0x140078000]
hits: 0
Searching 3 bytes in [0x140072000-0x140077600]
hits: 0
Searching 3 bytes in [0x140070c00-0x140072000]
hits: 0
Searching 3 bytes in [0x14006c000-0x140070c00]
[# ]0x14006e99c hit1_0 ..?AVATILogger@@.0

So seems to work. I'm not sure whether this can be OK'ed with the installation issue I found.
CC: (none) => herman.viaene
(In reply to Herman Viaene from comment #7)
> MGA8-64 Plasma on Lenovo B50 in Dutch
> Selecting all rpm's listed from Comment 5 in QARepo.
> Then in MCC - Software installation I get:
> Sorry, the following package cannot be selected:
>
> - radare2-cutter-devel-2.0.4-1.mga8.x86_64 (because of unfulfilled
> radare2-cutter(x86-64)[== 2.0.4-1.mga8])
> but it is there.

Not exactly there, Herman. I confirmed the issue in VirtualBox. It looks like a naming issue to me. We ran into a similar issue with another update, not too long ago, as I recall.

I think radare2-cutter-devel-2.0.4-1 is looking for radare2-cutter(x86-64)-2.0.4-1 and all it finds is radare2-cutter-2.0.4-1. Our package doesn't have the "(x86-64)" in its name.
CC: (none) => andrewsfarm
That would be something provided by the package, not in the actual name itself.
Oh. OK, live and learn. The issue still needs to be fixed before we can let it go.
Tried a new tactic in Vbox, which failed yet again. I decided to try installing the current packages using MCC, then update. Right away I found there were no rizin packages there, at all. OK, a new dependency - I've seen it before. But when I went to install the radare2 packages, radare2-cutter-devel was also missing. So I installed what I could, enabled the local repo from qarepo, and updated. That drew in a rizin library, confirming the new dependency. Then I went back to install software, and selected the rest of the rizin packages. That went OK. But when I tried to select the new radare2-cutter-devel package, I got the same message:

Sorry, the following package cannot be selected:
- radare2-cutter-devel-2.0.4-1.mga8.x86_64 (due to unsatisfied radare2-cutter(x86-64)[== 2.0.4-1.mga8])

Except that radare2-cutter-2.0.4-1.mga8 IS ALREADY INSTALLED. I don't see how I could possibly approve putting a package in our repos that MCC refuses to select. I need guidance. I'm very confused about all this. What's going on?
Keywords: (none) => feedback
See Comment 9. Someone put an invalid explicit requires in the spec (likely copied from Fedora) that needs to be removed (or modified to remove the arch/isa part at the end that Fedora tends to do, which we don't).
Thank you for clarifying. Then it looks like this needs to go back to Nicolas L.
Assignee: qa-bugs => mageia
Keywords: feedback => (none)
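The unsatisfied `radare2-cutter(x86-64)[== 2.0.4-1.mga8]` requirement discussed in the comments above can be caught before an update set reaches testers by comparing what the set requires with what it provides. The script below is an added example, not part of the bug thread or the Mageia tooling; the capability lists are constructed in the format of `rpm -qp --provides` / `rpm -qp --requires` output, and the assumption that radare2-cutter carried no ISA-qualified provide is hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug thread): list Requires that no package in an
# update set Provides. Lines mimic `rpm -qp --provides` / `--requires` output.

# Constructed provides for the set; assumes radare2-cutter carries no
# ISA-qualified "radare2-cutter(x86-64)" capability (hypothetical).
provides_sample() {
cat <<'EOF'
radare2-cutter = 2.0.4-1.mga8
lib64rizin0 = 0.3.1-1.mga8
EOF
}

# Constructed requires of radare2-cutter-devel; the first line is the
# requirement quoted in the MCC error message.
requires_sample() {
cat <<'EOF'
radare2-cutter(x86-64) = 2.0.4-1.mga8
lib64rizin0 = 0.3.1-1.mga8
rpmlib(CompressedFileNames) <= 3.0.4-1
EOF
}

# unsatisfied_requires PROVIDES_TEXT REQUIRES_TEXT
# Prints every exact "name = EVR" requirement with no identical provide.
# rpmlib() features and non-"=" comparisons are out of scope and skipped.
unsatisfied_requires() {
    { printf '%s\n' "$1"; echo '--'; printf '%s\n' "$2"; } | awk '
        $0 == "--"   { in_req = 1; next }     # separator: requires follow
        !in_req      { have[$0] = 1; next }   # remember each provide verbatim
        /^rpmlib\(/  { next }
        NF == 3 && $2 == "=" && !($0 in have) { print }
    '
}

# strip_isa REQUIRES_TEXT
# Drops an "(x86-64)"-style ISA qualifier from the capability name, which is
# the change to the explicit Requires suggested in the thread.
strip_isa() {
    printf '%s\n' "$1" | sed -E 's/^([^ (]+)\([a-z0-9_]+-(32|64)\)( |$)/\1\3/'
}

echo "as built:"
unsatisfied_requires "$(provides_sample)" "$(requires_sample)"
echo "with ISA qualifier removed:"
unsatisfied_requires "$(provides_sample)" "$(strip_isa "$(requires_sample)")"
```

Against real packages, the two text arguments would come from running `rpm -qp --provides` and `rpm -qp --requires` over every RPM in the update set.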
Fedora has issued an advisory today (February 22): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IQIRJ72UALGMSWH6MYPVJQQLXFGZ23RS/ The issues are fixed upstream in 5.6.0.
Summary: radare2 new security issues CVE-2021-32613 and CVE-2021-3673 => radare2 new security issues CVE-2021-32613, CVE-2021-3673, CVE-2021-4021, CVE-2022-0173, CVE-2022-0419
Whiteboard: (none) => MGA8TOO
Source RPM: radare2-5.1.1-1.mga9.src.rpm => radare2-5.5.4-1.mga9.src.rpm
Version: 8 => Cauldron
Status comment: (none) => Fixed upstream in 5.6.0
Fedora has issued an advisory today (March 11): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/E6YBRQ3UCFWJVSOYIKPVUDASZ544TFND/ The issues are fixed upstream in 5.6.4.
Summary: radare2 new security issues CVE-2021-32613, CVE-2021-3673, CVE-2021-4021, CVE-2022-0173, CVE-2022-0419 => radare2 new security issues CVE-2021-32613 CVE-2021-3673 CVE-2021-4021 CVE-2022-0173 CVE-2022-0419 CVE-2022-0476 CVE-2022-051[89] CVE-2022-052[0-3] CVE-2022-0559 CVE-2022-0676 CVE-2022-0695 CVE-2022-071[23]
Status comment: Fixed upstream in 5.6.0 => Fixed upstream in 5.6.4
One of these issues and two others have been announced today (May 25): https://www.openwall.com/lists/oss-security/2022/05/25/1 https://census-labs.com/news/2022/05/24/multiple-vulnerabilities-in-radare2/ The issues are fixed upstream in 5.6.0.
Summary: radare2 new security issues CVE-2021-32613 CVE-2021-3673 CVE-2021-4021 CVE-2022-0173 CVE-2022-0419 CVE-2022-0476 CVE-2022-051[89] CVE-2022-052[0-3] CVE-2022-0559 CVE-2022-0676 CVE-2022-0695 CVE-2022-071[23] => radare2 new security issues CVE-2021-32613 CVE-2021-3673 CVE-2021-4021 CVE-2021-4497[45] CVE-2022-0173 CVE-2022-0419 CVE-2022-0476 CVE-2022-051[89] CVE-2022-052[0-3] CVE-2022-0559 CVE-2022-0676 CVE-2022-0695 CVE-2022-071[23]
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In radare2 through 5.3.0 there is a double free vulnerability in the pyc parse via a crafted file which can lead to DoS. (CVE-2021-32613)

A vulnerability was found in Radare2 in version 5.3.1. Improper input validation when reading a crafted LE binary can lead to resource exhaustion and DoS. (CVE-2021-3673)

A vulnerability was found in Radare2 in versions prior to 5.6.2, 5.6.0, 5.5.4 and 5.5.2. Mapping a huge section filled with zeros of an ELF64 binary for MIPS architecture can lead to uncontrolled resource consumption and DoS. (CVE-2021-4021)

radareorg radare2 version 5.5.2 is vulnerable to NULL Pointer Dereference via libr/bin/p/bin_symbols.c binary symbol parser. (CVE-2021-44974)

radareorg radare2 5.5.2 is vulnerable to Buffer Overflow via /libr/core/anal_objc.c mach-o parser. (CVE-2021-44975)

radare2 is vulnerable to Out-of-bounds Read. (CVE-2022-0173)

NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.6.0. (CVE-2022-0419)

Denial of Service in GitHub repository radareorg/radare2 prior to 5.6.4. (CVE-2022-0476)

Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.6.2. (CVE-2022-0518)

Buffer Access with Incorrect Length Value in GitHub repository radareorg/radare2 prior to 5.6.2. (CVE-2022-0519)

Use After Free in NPM radare2.js prior to 5.6.2. (CVE-2022-0520)

Access of Memory Location After End of Buffer in GitHub repository radareorg/radare2 prior to 5.6.2. (CVE-2022-0521)

Access of Memory Location Before Start of Buffer in NPM radare2.js prior to 5.6.2. (CVE-2022-0522)

Expired Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.6.2. (CVE-2022-0523)

Use After Free in GitHub repository radareorg/radare2 prior to 5.6.2. (CVE-2022-0559)

Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.6.4. (CVE-2022-0676)

Denial of Service in GitHub repository radareorg/radare2 prior to 5.6.4. (CVE-2022-0695)

NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.6.4. (CVE-2022-0712)

Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.6.4. (CVE-2022-0713)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32613
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3673
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4021
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44974
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44975
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0173
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0419
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0476
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0518
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0519
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0520
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0521
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0522
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0523
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0559
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0676
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0695
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0712
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0713
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/V2UL4V4XKSFJVNNUMFV443UJXGDBYGS4/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JIARALLVVY2362AYFSFULTZKIW6QO5R5/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IQIRJ72UALGMSWH6MYPVJQQLXFGZ23RS/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/E6YBRQ3UCFWJVSOYIKPVUDASZ544TFND/
https://www.openwall.com/lists/oss-security/2022/05/25/1
https://census-labs.com/news/2022/05/24/multiple-vulnerabilities-in-radare2/
========================

Updated packages in core/updates_testing:
========================
lib(64)radare2_5.6.4-5.6.4-1.mga8
lib(64)radare2-devel-5.6.4-1.mga8
radare2-5.6.4-1.mga8
radare2-cutter-2.0.4-2.mga8
radare2-cutter-devel-2.0.4-2.mga8
lib(64)rizin0-0.3.1-1.mga8
lib(64)rizin-devel-0.3.1-1.mga8
rizin-0.3.1-1.mga8
rizin-common-0.3.1-1.mga8

from SRPMS:
radare2-5.6.4-1.mga8.src.rpm
radare2-cutter-2.0.4-2.mga8.src.rpm
rizin-0.3.1-1.mga8.src.rpm
Status comment: Fixed upstream in 5.6.4 => (none)
Assignee: mageia => qa-bugs
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
Version: Cauldron => 8
No installation issues in VirtualBox. The issue from Comment 7 is no longer a problem.

Referenced https://bugs.mageia.org/show_bug.cgi?id=27060#c4 for testing:

$ rafind2 -s "text" /bin/kwrite | wc -l
5
$ r2 -a x86 /bin/oowriter
 -- When in doubt, try 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; pd;'
[0x00000000]> V

As with Bug 27060, this produced a lengthy, and to me mostly incomprehensible multi-colored hexdump, but it seems to be what it is supposed to do.

I also tried running the radare2-cutter gui. I moved around a bit, and again it was mostly incomprehensible, but seems to be the way it is supposed to be.

With all these security fixes, this needs to move along if it doesn't crash, whether I understand it or not. Giving it an OK, and validating.

Advisory in comment 17
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0440.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED