Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 836002 - <dev-util/rizin-0.4.0: multiple vulnerabilities
Summary: <dev-util/rizin-0.4.0: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks: CVE-2022-1061, CVE-2022-1240, CVE-2022-1244
  Show dependency tree
 
Reported: 2022-03-25 14:20 UTC by John Helmert III
Modified: 2022-07-04 20:04 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-25 14:20:59 UTC
CVE-2022-1061:

Heap Buffer Overflow in parseDragons in GitHub repository radareorg/radare2 prior to 5.6.8.

Reproduction instructions same as radare2.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-25 14:30:26 UTC
huntr.dev report: https://huntr.dev/bounties/a7546dae-01c5-4fb0-8a8e-c04ea4e9bac7
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-12 16:22:50 UTC
https://github.com/rizinorg/rizin/issues/2448

CVE-2022-1240 and CVE-2022-1244 are fixed with this:

https://github.com/rizinorg/rizin/pull/2532
Comment 4 Larry the Git Cow gentoo-dev 2022-07-04 20:01:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fd3f25f53be1a5dc7d81cdf498a0128b52eaf2c2

commit fd3f25f53be1a5dc7d81cdf498a0128b52eaf2c2
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-07-04 20:00:06 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-07-04 20:01:22 +0000

    dev-util/rizin: drop 0.3.4, 0.3.4-r1
    
    Bug: https://bugs.gentoo.org/836002
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 dev-util/rizin/Manifest              |   2 -
 dev-util/rizin/rizin-0.3.4-r1.ebuild | 103 -----------------------------------
 dev-util/rizin/rizin-0.3.4.ebuild    | 103 -----------------------------------
 3 files changed, 208 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da3042f37243689df0970cdad468e05387da141c

commit da3042f37243689df0970cdad468e05387da141c
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-07-04 19:57:11 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-07-04 20:01:12 +0000

    dev-util/rizin: stabilize 0.4.0 for amd64
    
    Bug: https://bugs.gentoo.org/836002
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 dev-util/rizin/rizin-0.4.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-04 20:04:11 UTC
These are buffer overreads rather than buffer overflows, so impact only appears to be DoS. No GLSA, all done!