radare2: CVE-2017-9762

Related Vulnerabilities: CVE-2017-9762, CVE-2017-9761, CVE-2017-9763

Debian Bug report logs - #869426

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 23 Jul 2017 12:45:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version radare2/1.1.0+dfsg-5

Fixed in versions radare2/2.0.0+dfsg-1, radare2/1.6.0+dfsg-1

Done: Sebastian Reichel <sre@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/radare/radare2/issues/7726


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sebastian Reichel <sre@debian.org>:
Bug#869426; Package src:radare2. (Sun, 23 Jul 2017 12:45:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sebastian Reichel <sre@debian.org>. (Sun, 23 Jul 2017 12:45:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: radare2: CVE-2017-9762
Date: Sun, 23 Jul 2017 14:42:12 +0200
Source: radare2
Version: 1.1.0+dfsg-5
Severity: important
Tags: upstream security
Forwarded: https://github.com/radare/radare2/issues/7726

Hi,

the following vulnerability was published for radare2, filing for
tracking purposes.

CVE-2017-9762[0]:
| The cmd_info function in libr/core/cmd_info.c in radare2 1.5.0 allows
| remote attackers to cause a denial of service (use-after-free and
| application crash) via a crafted binary file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9762
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9762

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 27 Jul 2017 17:33:16 GMT).


Reply sent to Sebastian Reichel <sre@debian.org>:
You have taken responsibility. (Mon, 16 Oct 2017 13:03:30 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 16 Oct 2017 13:03:30 GMT).


Message #12 received at 869426-close@bugs.debian.org:

From: Sebastian Reichel <sre@debian.org>
To: 869426-close@bugs.debian.org
Subject: Bug#869426: fixed in radare2 2.0.0+dfsg-1
Date: Mon, 16 Oct 2017 13:02:06 +0000
Source: radare2
Source-Version: 2.0.0+dfsg-1

We believe that the bug you reported is fixed in the latest version of
radare2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 869426@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Reichel <sre@debian.org> (supplier of updated radare2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 11 Oct 2017 16:20:18 +0200
Source: radare2
Binary: radare2 libradare2-2.0 libradare2-dev libradare2-common
Architecture: source amd64 all
Version: 2.0.0+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Sebastian Reichel <sre@debian.org>
Changed-By: Sebastian Reichel <sre@debian.org>
Description:
 libradare2-2.0 - libraries from the radare2 suite
 libradare2-common - arch independent files from the radare2 suite
 libradare2-dev - devel files from the radare2 suite
 radare2    - free and advanced command line hexadecimal editor
Closes: 869423 869426 869428 874524
Changes:
 radare2 (2.0.0+dfsg-1) unstable; urgency=medium
 .
   * New upstream release
    - Fix for CVE-2017-9761 (Closes: #869428)
      The find_eoq function in libr/core/cmd.c in radare2 1.5.0 allows remote
      attackers to cause a denial of service (heap-based out-of-bounds read
      and application crash) via a crafted binary file.
    - Fix for CVE-2017-9762 (Closes: #869426)
      The cmd_info function in libr/core/cmd_info.c in radare2 1.5.0 allows
      remote attackers to cause a denial of service (use-after-free and
      application crash) via a crafted binary file.
    - Fix for CVE-2017-9763 (Closes: #869423)
      The grub_ext2_read_block function in fs/ext2.c in GNU GRUB before
      2013-11-12, as used in shlr/grub/fs/ext2.c in radare2 1.5.0, allows
      remote attackers to cause a denial of service (excessive stack use and
      application crash) via a crafted binary file, related to use of a
      variable-size stack array.
   * remove broken r2-indent symlink (Closes: #874524)
   * install upstream's zsh completion files





Marked as fixed in versions radare2/1.6.0+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 16 Oct 2017 13:12:11 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 14 Nov 2017 07:26:27 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:25:26 2019; Machine Name: buxtehude
