List:       oss-security
Subject:    [oss-security] multiple vulnerabilities in radare2
From:       Dimitrios Glynos <dimitris () census-labs ! com>
Date:       2022-05-25 10:46:21
Message-ID: 060f9c47-1f5d-d2f2-1bb6-6cc8ec0afc6a () census-labs ! com

Hello all,

Angelos T. Kalaitzidis of CENSUS had identified three vulnerabilities in radare2:
- A null pointer dereference bug (CVE-2022-0419, fixed in version 5.6.0)
- A heap buffer overflow bug (CVE-2021-44975, fixed in version 5.6.0)
- A null pointer dereference bug (CVE-2021-44974, fixed in version 5.5.4)

They're all triggerable by having radare2 process a crafted binary.

There's more information about these issues here:
https://census-labs.com/news/2022/05/24/multiple-vulnerabilities-in-radare2/

We're mostly sending this for CVE-to-patch coordination purposes for distros, 
as the issues have been addressed some time ago (back in February)
by the upstream project.

Kind regards,

Dimitris

