radare2: CVE-2017-6415

Debian Bug report logs - #856572
radare2: CVE-2017-6415

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: radare2: CVE-2017-6415

Date: Thu, 02 Mar 2017 16:50:49 +0100

Source: radare2
Version: 1.1.0+dfsg-2
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/radare/radare2/issues/6872

Hi,

the following vulnerability was published for radare2.

CVE-2017-6415[0]:
| The dex_parse_debug_item function in libr/bin/p/bin_dex.c in radare2
| 1.2.1 allows remote attackers to cause a denial of service (NULL
| pointer dereference and application crash) via a crafted DEX file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-6415
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6415
[1] https://github.com/radare/radare2/issues/6872

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #10 received at 856572-close@bugs.debian.org (full text, mbox, reply):

From: Sebastian Reichel <sre@debian.org>

To: 856572-close@bugs.debian.org

Subject: Bug#856572: fixed in radare2 1.1.0+dfsg-3

Date: Fri, 03 Mar 2017 05:48:53 +0000

Source: radare2
Source-Version: 1.1.0+dfsg-3

We believe that the bug you reported is fixed in the latest version of
radare2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 856572@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Reichel <sre@debian.org> (supplier of updated radare2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 03 Mar 2017 05:56:37 +0100
Source: radare2
Binary: radare2 libradare2-1.1 libradare2-dev libradare2-common
Architecture: source amd64 all
Version: 1.1.0+dfsg-3
Distribution: unstable
Urgency: high
Maintainer: Sebastian Reichel <sre@debian.org>
Changed-By: Sebastian Reichel <sre@debian.org>
Description:
 libradare2-1.1 - libraries from the radare2 suite
 libradare2-common - arch independent files from the radare2 suite
 libradare2-dev - devel files from the radare2 suite
 radare2    - free and advanced command line hexadecimal editor
Closes: 856329 856572 856574 856579
Changes:
 radare2 (1.1.0+dfsg-3) unstable; urgency=high
 .
   * Add upstream patches to fix security bugs
     - CVE-2017-6415 (Closes: #856572)
       The dex_parse_debug_item function in libr/bin/p/bin_dex.c in radare2
       1.2.1 allows remote attackers to cause a denial of service (NULL
       pointer dereference and application crash) via a crafted DEX file.
     - CVE-2017-6387 (Closes: #856574)
       The dex_loadcode function in libr/bin/p/bin_dex.c in radare2 1.2.1
       allows remote attackers to cause a denial of service (out-of-bounds
       read and application crash) via a crafted DEX file.
     - CVE-2017-6319 (Closes: #856579)
       The dex_parse_debug_item function in libr/bin/p/bin_dex.c in radare2
       1.2.1 allows remote attackers to cause a denial of service (buffer
       overflow and application crash) or possibly have unspecified other
       impact via a crafted DEX file.
   * Add small patch from Graham Inggs to fix FTBFS when
     linked with as-needed (Closes: #856329)
Checksums-Sha1:
 5208ac94ae508307c672e7f7d431f8274fe4663c 2234 radare2_1.1.0+dfsg-3.dsc
 ccdf5cb75d729b652bffb008a3ffe2d643efe9f6 22136 radare2_1.1.0+dfsg-3.debian.tar.xz
 4ec8d9f3ca6b6b3987b2eb4c11d1a18de83848d7 8646280 libradare2-1.1-dbgsym_1.1.0+dfsg-3_amd64.deb
 d6c69c235a927530b1ddaf3f657d0b33d5f197f6 2055308 libradare2-1.1_1.1.0+dfsg-3_amd64.deb
 307db6f7edf3827ac64a41097801d20b0beef7ea 521830 libradare2-common_1.1.0+dfsg-3_all.deb
 00275158435cd5ef1c7cba3f9a3c9f1398e61513 146504 libradare2-dev_1.1.0+dfsg-3_amd64.deb
 28e41af0a9e9a5c5fbcd9ceca27b650611bb4905 294944 radare2-dbgsym_1.1.0+dfsg-3_amd64.deb
 cc37ea5365b9f57ffc575cb24b6dbae5c8abe51b 8319 radare2_1.1.0+dfsg-3_amd64.buildinfo
 6c3b9af6e40f296775dbff44b8390ce5b13bce74 151500 radare2_1.1.0+dfsg-3_amd64.deb
Checksums-Sha256:
 99d1b32790aafcb25eb2160394fa2b7bf2e0de1401c943d32d1e0c1c240b4580 2234 radare2_1.1.0+dfsg-3.dsc
 1a4356760fa07e4dfac4a82bbc2a68dac179f5deb297664fc5b34500d474c764 22136 radare2_1.1.0+dfsg-3.debian.tar.xz
 0a70b4ca7e30565adb661cca09c94410d13e5f1ea6be87599b3dfe0412dbacef 8646280 libradare2-1.1-dbgsym_1.1.0+dfsg-3_amd64.deb
 f8a8de070de2e8f62088f701706f8f406f57419de22609ade6e37d6a6d633f91 2055308 libradare2-1.1_1.1.0+dfsg-3_amd64.deb
 1da8b467b7b305d05a2493a056b52e82238689e7dd386f10ab61e262f2f6bb48 521830 libradare2-common_1.1.0+dfsg-3_all.deb
 3f8dfad320a584e76e35e3f49a16f8ea2d73482cc63150e38bea3ef76b56ed32 146504 libradare2-dev_1.1.0+dfsg-3_amd64.deb
 ca64bf1f344384e1a87a23db6a0fb96d6ddebbe963fd848cae242d9e2fe68df7 294944 radare2-dbgsym_1.1.0+dfsg-3_amd64.deb
 720dc6a9256c0c3e99e7c72cf15f622639a20d155d29fdd885362ec670631b0f 8319 radare2_1.1.0+dfsg-3_amd64.buildinfo
 7d0635966e0b4020b90716623667c63b04b8a4619914253e4dd30ff5dfe9dda5 151500 radare2_1.1.0+dfsg-3_amd64.deb
Files:
 402d53d96d9bcc71213b6484bc677450 2234 devel extra radare2_1.1.0+dfsg-3.dsc
 3b4810720cb4f981e029d6c8de038bb1 22136 devel extra radare2_1.1.0+dfsg-3.debian.tar.xz
 b78af8d980501a71a7b184f522e92db2 8646280 debug extra libradare2-1.1-dbgsym_1.1.0+dfsg-3_amd64.deb
 39d8895d4cf176c878bd98db1b1530c6 2055308 libs extra libradare2-1.1_1.1.0+dfsg-3_amd64.deb
 b77d89db78dcd067d16df1dd0ee45165 521830 devel extra libradare2-common_1.1.0+dfsg-3_all.deb
 72fe501a22c4c18987372cbf4aaa8c4a 146504 libdevel extra libradare2-dev_1.1.0+dfsg-3_amd64.deb
 f234b38ee8bbf5b25ab550aa859eceff 294944 debug extra radare2-dbgsym_1.1.0+dfsg-3_amd64.deb
 ec0b5df8ae6d3ffc6f1638ff970c6700 8319 devel extra radare2_1.1.0+dfsg-3_amd64.buildinfo
 78fc7badef976a86a7374835335e2a89 151500 devel extra radare2_1.1.0+dfsg-3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYuQEUAAoJENju1/PIO/qa0qcP/2Pyuvaucwff3B7U+tXm9JmP
Mf8Xce/gdzPt4W3MvMwJMFz6omX8stHy3lMziawd9FbALy/XiLmS81pHu68t4YY8
eafYKU5KIWNn8HXXPcHGRe1bR9wx8NwHUlKJf6kfiGwN9FXmJWnrI6ABdYgFJ1br
1Xej6y1qyOtclXLHymntfh9xCek6oiLiOWX+2HXu0QHI56juWZUXTCZ7Uk4TnpTR
IU3Hx/uZk+dAw9O5TavTBRma/yelzxVeALmhgECAwlzEZurrZPp1C4IjflrgxKKH
dV6y50pA8w1pSdfQCWH1IccciPR5Berwf8QS2PAI11r8H8t4sk4BzNcrJqCUGlPs
SnsZ4WLYsq2AqsNdOtUKIjqPTs+WCKv4cJPZ80oK+QbgxfHwM1SZN8KroErx7m9X
7hS5+hENmJRVqfjlr8QXBN/X+amqqU2zxbmybHwEr2eqpzAjiMElV5tUEdkdFKwx
nUR0wIbOIoer9fSQzwgQ+iW2rgK6zRpzeQgtX27bpKBqFYXrNmYH3SMUutSgMaks
gdjGTBk6o4WTR2sLyoNZHffGOaJZtpglL2fYi78oSiXo+D+8CSz9QZ07SKlLi9kZ
Psebt24i1eIXQh4w5DnI51bpiPME3lVNzsSng4wF29H8CYhp+M9EsLNzMBytqK3b
cuMz8j4Rsiqk/7tuERlG
=urXq
-----END PGP SIGNATURE-----

Message #15 received at 856572-close@bugs.debian.org (full text, mbox, reply):

From: Sebastian Reichel <sre@debian.org>

To: 856572-close@bugs.debian.org

Subject: Bug#856572: fixed in radare2 1.2.1+dfsg-5

Date: Fri, 03 Mar 2017 06:05:49 +0000

Source: radare2
Source-Version: 1.2.1+dfsg-5

We believe that the bug you reported is fixed in the latest version of
radare2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 856572@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Reichel <sre@debian.org> (supplier of updated radare2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 03 Mar 2017 06:24:35 +0100
Source: radare2
Binary: radare2 libradare2-1.2 libradare2-dev libradare2-common
Architecture: source amd64 all
Version: 1.2.1+dfsg-5
Distribution: experimental
Urgency: high
Maintainer: Sebastian Reichel <sre@debian.org>
Changed-By: Sebastian Reichel <sre@debian.org>
Description:
 libradare2-1.2 - libraries from the radare2 suite
 libradare2-common - arch independent files from the radare2 suite
 libradare2-dev - devel files from the radare2 suite
 radare2    - free and advanced command line hexadecimal editor
Closes: 856329 856572 856574 856579
Changes:
 radare2 (1.2.1+dfsg-5) experimental; urgency=high
 .
   * Add upstream patches to fix security bugs
     - CVE-2017-6415 (Closes: #856572)
       The dex_parse_debug_item function in libr/bin/p/bin_dex.c in radare2
       1.2.1 allows remote attackers to cause a denial of service (NULL
       pointer dereference and application crash) via a crafted DEX file.
     - CVE-2017-6387 (Closes: #856574)
       The dex_loadcode function in libr/bin/p/bin_dex.c in radare2 1.2.1
       allows remote attackers to cause a denial of service (out-of-bounds
       read and application crash) via a crafted DEX file.
     - CVE-2017-6319 (Closes: #856579)
       The dex_parse_debug_item function in libr/bin/p/bin_dex.c in radare2
       1.2.1 allows remote attackers to cause a denial of service (buffer
       overflow and application crash) or possibly have unspecified other
       impact via a crafted DEX file.
   * Add small patch from Graham Inggs to fix FTBFS when
     linked with as-needed (Closes: #856329)
Checksums-Sha1:
 9953b3aa2c47a834e2367e61dc9ee9da9fb37c4f 2234 radare2_1.2.1+dfsg-5.dsc
 41f0c1ea5010752b6d2dc50da7f79a6c267f9b79 23392 radare2_1.2.1+dfsg-5.debian.tar.xz
 065e9a0d41da77db97b67513bed4a1621273e2bd 8692644 libradare2-1.2-dbgsym_1.2.1+dfsg-5_amd64.deb
 d8759dd248a34065bc65744ac0241753f3c70c50 2066714 libradare2-1.2_1.2.1+dfsg-5_amd64.deb
 2303b9a2bf657780f500eb3c49e37c8822db15e1 524486 libradare2-common_1.2.1+dfsg-5_all.deb
 d800607a894da5a60cf2c532cde114bdde7456c8 148852 libradare2-dev_1.2.1+dfsg-5_amd64.deb
 71d0139641c1284c47073a8cabd91040e3ecf096 300118 radare2-dbgsym_1.2.1+dfsg-5_amd64.deb
 de1edb076be1d2c206e6269499adf6498598f9e1 7701 radare2_1.2.1+dfsg-5_amd64.buildinfo
 f0945df577345db8b2228d7a503110efa190c028 154470 radare2_1.2.1+dfsg-5_amd64.deb
Checksums-Sha256:
 c5f8fc1591e8b00db2c204b818308fca31ac0dd182d5e2b9537808f50ed38d67 2234 radare2_1.2.1+dfsg-5.dsc
 de6305a5d903d1e962f3a8286c32d7180a1aaa2452a56ce18700be7282090f43 23392 radare2_1.2.1+dfsg-5.debian.tar.xz
 a3e541b338121df8868018a514c46702f00c44e952c42cdfada771f00ee1cd3d 8692644 libradare2-1.2-dbgsym_1.2.1+dfsg-5_amd64.deb
 36dadf469d33fc1d013d0388d0c8f45ab24dafd1089ccf070e84010f2ad60672 2066714 libradare2-1.2_1.2.1+dfsg-5_amd64.deb
 0cc9e0476d42681cde7524c3fae882f34dbe104e5f694d05a9fc3be6c2a4b2f6 524486 libradare2-common_1.2.1+dfsg-5_all.deb
 81b6d6709a9d37a1502fadf4adb4502a0d802fbf33af6abf19c218badcf7e1b5 148852 libradare2-dev_1.2.1+dfsg-5_amd64.deb
 94484dd4215ab7f32405cc8cdd13f2abf866b24d40125fe3dc96913fd42cc5d8 300118 radare2-dbgsym_1.2.1+dfsg-5_amd64.deb
 5de6e54b7d1e304a095ef5d91468f5f0a5062c857273c56fd04bcc6796e53754 7701 radare2_1.2.1+dfsg-5_amd64.buildinfo
 54fbf7bab32343f5eda9f5dfd6c5b8159fbfef8158e78a835ee3a173b6b29f7e 154470 radare2_1.2.1+dfsg-5_amd64.deb
Files:
 a6ccbdcb15b623ec5b49b12747f16784 2234 devel extra radare2_1.2.1+dfsg-5.dsc
 faef9226beb8850cb1d4a9b8461f6683 23392 devel extra radare2_1.2.1+dfsg-5.debian.tar.xz
 233cab6cc287827306ec995612d2c363 8692644 debug extra libradare2-1.2-dbgsym_1.2.1+dfsg-5_amd64.deb
 330169318e1acd65111ae499786205b9 2066714 libs extra libradare2-1.2_1.2.1+dfsg-5_amd64.deb
 afa0311e976de5638c386c9d4ee7d314 524486 devel extra libradare2-common_1.2.1+dfsg-5_all.deb
 d14f1c92b0e63fbfac5ef60197e3b045 148852 libdevel extra libradare2-dev_1.2.1+dfsg-5_amd64.deb
 3846b414609264d25529180e6c2fa297 300118 debug extra radare2-dbgsym_1.2.1+dfsg-5_amd64.deb
 8e10cb5129875ca4216d9af30a76f671 7701 devel extra radare2_1.2.1+dfsg-5_amd64.buildinfo
 d458f1f9c1507c2be643df71cc21dc7b 154470 devel extra radare2_1.2.1+dfsg-5_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYuQG6AAoJENju1/PIO/qas+EP/1/e1v3dWtfXVg7IDYJIh/n1
AYARBa1SDEeAPA78D1M7wJwFa6iV1EOWsQPmR6RLOQkGClDELsCGDn3vbd7ajbY/
SRRYwU2rEJXIgbimhMn+ukZLbHX5BNogfKEBv5jJgzv772ie+BHUH2F0x7+uIAvc
xE42RjN7fi7otyAC0W3BV8Vn4ff6gpEm8G+nJg2b9Qg8mX8XA22gr4N8LA1O1cWb
Re23kWMdIq+L1F3WzM9W6IhNTtpmG3RPChpLHM+D93YnRx4nCMQT+hpPj+XDKokR
G88Jx9dYvsioK6cOSHOIyxYc7FWCnTXhD9tXBTbSlefrVaN9aZdEb+tSf9ytPy5W
vVeEs51XvZYMGJuoi3+YzKuS/zr004oTLfFOS8+YPCsmAmJdBF75wsISKehcroJT
sUv3ca8MhfquaUSz3yPW+wroYuoi2iAmBsBYqK6z+0dPaNkl5t2BlnMCU/4rGMwy
6Ba860L4z3NOeDaI3d6qfXzztGmgSrdGrVkiRRLttYL0lcG4d0nG/Nhr9QYgiMln
FqSG8qDLRxsQ93pRBEW1pxgcNrpvshp11rgdgKSNCLVPvsC7Ib0bloC0C5Rka/cO
3C1XeQ4YNH9BtMST80Ejmspb0oPLIFPwSPqobT1tL81FyhyKNbcvknmcsjJj2H3z
HcciCFZ9Y/HFCHZirh4y
=Iv+G
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.