Bug 33534 - radare2 new security issue CVE-2023-47016
Summary: radare2 new security issue CVE-2023-47016
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lists.fedoraproject.org/archi...
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-09-06 10:21 CEST by Nicolas Salguero
Modified: 2024-09-13 19:16 CEST

See Also:
Source RPM: radare2-5.8.8-1.1.mga9.src.rpm
CVE: CVE-2023-47016
Status comment: Patch available from upstream


Nicolas Salguero 2024-09-06 10:21:34 CEST

Status comment: (none) => Patch available from upstream
CVE: (none) => CVE-2023-47016
Source RPM: (none) => radare2-5.8.8-1.1.mga9.src.rpm

Comment 1 Marja Van Waes 2024-09-06 21:33:04 CEST
Assigning to our registered radare2 maintainer.

Assignee: bugsquad => geiger.david68210
URL: (none) => https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZIWVQC4JNA2JCJ7L3XNZBGYJ52KSQWKC/
CC: (none) => marja11

Comment 2 David GEIGER 2024-09-11 17:11:58 CEST
Assigning to QA,

Packages in 9/Core/Updates_testing:
======================
lib64radare2-devel-5.8.8-1.2.mga9
lib64radare2_5.8.8-5.8.8-1.2.mga9
libradare2-devel-5.8.8-1.2.mga9
libradare2_5.8.8-5.8.8-1.2.mga9
radare2-5.8.8-1.2.mga9

From SRPMS:
radare2-5.8.8-1.2.mga9.src.rpm

Assignee: geiger.david68210 => qa-bugs

katnatek 2024-09-11 18:25:57 CEST

Keywords: (none) => advisory

Comment 3 katnatek 2024-09-12 00:09:44 CEST
RH x86_64

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing radare2-5.8.8-1.2.mga9.x86_64.rpm lib64radare2_5.8.8-5.8.8-1.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: lib64radare2_5.8.8    ##################################################################################################
      2/2: radare2               ##################################################################################################
      1/2: removing radare2-5.8.8-1.1.mga9.x86_64
                                 ##################################################################################################
      2/2: removing lib64radare2_5.8.8-5.8.8-1.1.mga9.x86_64
                                 ##################################################################################################

Reference bug#32521 comment#7

rabin2 -I "/home/katnatek/windows/Program Files (x86)/K-Lite Codec Pack/MPC-HC64/mpc-hc64.exe"
arch     x86
baddr    0x140000000
binsz    9022976
bintype  pe
bits     64
canary   true
retguard false
class    PE32+
cmp.csum 0x008a22c3
compiled Thu Nov 29 16:00:08 2018
crypto   false
endian   little
havecode true
hdr.csum 0x008a22c3
laddr    0x0
lang     c
linenum  false
lsyms    false
machine  AMD 64
nx       true
os       windows
overlay  false
cc       ms
pic      true
relocs   false
signed   false
sanitize false
static   false
stripped false
subsys   Windows GUI
va       true

radare2 "/home/katnatek/windows/Program Files (x86)/K-Lite Codec Pack/MPC-HC64/mpc-hc64.exe"
[0x14050380c]> aa
INFO: Analyze all flags starting with sym. and entry0 (aa)
INFO: Analyze all functions arguments/locals (afva@@@F)
[0x14050380c]> s/ mpc
Searching 3 bytes in [0x1408ef400-0x1408f0000]
hits: 0
Searching 3 bytes in [0x1408d2000-0x1408ef400]
hits: 0
Searching 3 bytes in [0x1408d1c00-0x1408d2000]
hits: 0
Searching 3 bytes in [0x14084c000-0x1408d1c00]
[# ]0x140882d8f hit0_0 .       <!-- The mpchc_np id is used.
[0x140882d8f]> 

Reference  bug#29163 comment#18 / bug#32521 comment#8

rafind2 -s "text" /bin/kwrite | wc -l
1

r2 -a x86 /bin/oowriter
[0x00000000]>

V command output is as described.
Looks like there are more commands than before; p lists some commands instead of producing a dump as described.

[0x00000000]>p
Usage: p[=68abcdDfiImrstuxz] [arg|len] [@addr]
| p[b|B|xb] [len] ([S])   bindump N bits skipping S bytes
| p[iI][df] [len]         print N ops/bytes (f=func) (see pi? and pdi)
| p[kK] [len]             print key in randomart (K is for mosaic)
| p-[?][jh] [mode]        bar|json|histogram blocks (mode: e?search.in)
| p2 [len]                8x8 2bpp-tiles
| p3 [file]               print 3D stereogram image of current block
| p6[de] [len]            base64 decode/encode
| p8[?][j] [len]          8bit hexpair list of bytes
| p=[?][bep] [N] [L] [b]  show entropy/printable chars/chars bars
| pa[edD] [arg]           pa:assemble  pa[dD]:disasm or pae: esil from hex
| pA[n_ops]               show n_ops address and type
| pb[?] [n]               bitstream of N bits
| pB[?] [n]               bitstream of N bytes
| pc[?][p] [len]          output C (or python) format
| pC[aAcdDxw] [rows]      print disassembly in columns (see hex.cols and pdi)
| pd[?] [sz] [a] [b]      disassemble N opcodes (pd) or N bytes (pD)
| pf[?][.name] [fmt]      print formatted data (pf.name, pf.name $<expr>)
| pF[?][apx]              print asn1, pkcs7 or x509
| pg[?][x y w h] [cmd]    create new visual gadget or print it (see pg? for details)
| ph[?][=|hash] ([len])   calculate hash for a block
| pi[?][bdefrj] [num]     print instructions
| pI[?][iI][df] [len]     print N instructions/bytes (f=func)
| pj[?] [len]             print as indented JSON
| pk [len]                print key in randomart mosaic
| pK [len]                print key in randomart mosaic
| pm[?] [magic]           print libmagic data (see pm? and /m?)
| po[?] hex               print operation applied to block (see po?)
| pp[?][sz] [len]         print patterns, see pp? for more help
| pq[?][is] [len]         print QR code with the first Nbytes
| pr[?][glx] [len]        print N raw bytes (in lines or hexblocks, 'g'unzip)
| ps[?][pwz] [len]        print pascal/wide/zero-terminated strings
| pt[?][dn] [len]         print different timestamps
| pu[w] [len]             print N url encoded bytes (w=wide)
| pv[?][ejh] [mode]       show value of given size (1, 2, 4, 8)
| pwd                     display current working directory
| px[?][owq] [len]        hexdump of N bytes (o=octal, w=32bit, q=64bit)
| py([-:file]) [expr]     print clipboard (yp) run python script (py:file) oneliner `py print(1)` or stdin slurp `py-`
| pz[?] [len]             print zoom view (see pz? for help)
| pkill [process-name]    kill all processes with the given name
| pushd [dir]             cd to dir and push current directory to stack
| popd[-a][-h]            pop dir off top of stack and cd to it

/usr/bin/cutter looks like it works.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 4 Thomas Andrews 2024-09-12 03:20:07 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2024-09-13 19:16:31 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0298.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

