Bug 31375 - binwalk new security issues CVE-2021-4287 and CVE-2022-4510
Summary: binwalk new security issues CVE-2021-4287 and CVE-2022-4510
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-01-05 20:19 CET by David Walser
Modified: 2023-03-01 22:15 CET
CC: 6 users

See Also:
Source RPM: binwalk-2.2.0-2.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2023-01-05 20:19:54 CET
Fedora has issued an advisory today (January 5):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/M2TTCIDC6ZNFMU5XFFFDFZEBHO2CU5NG/

The issue is fixed upstream in 2.3.3.
David Walser 2023-01-05 20:20:06 CET

Status comment: (none) => Fixed upstream in 2.3.3

Comment 1 David Walser 2023-02-24 20:08:47 CET
Debian-LTS has issued an advisory on February 23:
https://www.debian.org/lts/security/2023/dla-3339

The issue is fixed upstream in 2.3.4.

Mageia 8 is also affected.

Whiteboard: (none) => MGA8TOO
Status comment: Fixed upstream in 2.3.3 => Fixed upstream in 2.3.4
Version: 8 => Cauldron
Summary: binwalk new security issue CVE-2021-4287 => binwalk new security issues CVE-2021-4287 and CVE-2022-4510

Comment 2 David GEIGER 2023-02-26 19:31:21 CET
Done for both mga8 and Cauldron!

Freeze_move requested for Cauldron.

CC: (none) => geiger.david68210

Comment 3 David Walser 2023-02-26 19:56:57 CET
binwalk-2.3.4-1.mga8

from binwalk-2.3.4-1.mga8.src.rpm

Status comment: Fixed upstream in 2.3.4 => (none)

Comment 4 David Walser 2023-02-27 14:36:22 CET
Cauldron package moved to core/release.

CC: (none) => mageia
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Assignee: mageia => qa-bugs

Comment 5 Herman Viaene 2023-03-01 10:26:21 CET
MGA8-64 MATE on Acer Aspire 5253.
No installation issues.
No wiki, no previous updates, found https://allabouttesting.org/short-tutorial-firmware-analysis-tool-binwalk/
so
$ binwalk -h

Binwalk v2.3.4
Craig Heffner, ReFirmLabs
https://github.com/ReFirmLabs/binwalk

Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...

Signature Scan Options:
    -B, --signature              Scan target file(s) for common file signatures
    -R, --raw=<str>              Scan target file(s) for the specified sequence of bytes
    -A, --opcodes                Scan target file(s) for common executable opcode signatures
    -m, --magic=<file>           Specify a custom magic file to use
    -b, --dumb                   Disable smart signature keywords
    -I, --invalid                Show results marked as invalid
    -x, --exclude=<str>          Exclude results that match <str>
    -y, --include=<str>          Only show results that match <str>

Extraction Options:
    -e, --extract                Automatically extract known file types
and a lot more .....
Went chasing for firmware files, found loads of them installed, but only
$ binwalk  /lib/firmware/3com/typhoon.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
23711         0x5C9F          Copyright string: "Copyright (c) 2001 3Com Corporation"
this one returned something more than just the headers (tried some 30 of them).
Giving the OK on seeing the command is not giving any kind of error.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 6 Thomas Andrews 2023-03-01 17:19:55 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-03-01 17:41:07 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2023-03-01 22:15:54 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0074.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
