889026 – (CVE-2022-4843, CVE-2023-0302) <dev-util/radare2-5.8.2: multiple vulnerabilities

Bug 889026 (CVE-2022-4843, CVE-2023-0302) - <dev-util/radare2-5.8.2: multiple vulnerabilities

Summary: <dev-util/radare2-5.8.2: multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2022-4843, CVE-2023-0302

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial
Assignee:	Gentoo Security

URL:
Whiteboard:	~3 [noglsa]
Keywords:	PullRequest

Depends on:
Blocks:

Reported:	2022-12-30 22:26 UTC by John Helmert III
Modified:	2023-01-23 04:33 UTC (History)
CC List:	2 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/29223
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-12-30 22:26:39 UTC

CVE-2022-4843 (https://huntr.dev/bounties/075b2760-66a0-4d38-b3b5-e9934956ab7f):

NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.8.2.

Unreleased patch: https://github.com/radareorg/radare2/commit/842f809d4ec6a12af2906f948657281c9ebc8a24

Comment 1 filip ambroz 2023-01-15 13:43:58 UTC

CVE-2023-0302 (https://huntr.dev/bounties/583133af-7ae6-4a21-beef-a4b0182cf82e/)

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in GitHub repository radareorg/radare2 prior to 5.8.2.

Patch: https://github.com/radareorg/radare2/commit/961f0e723903011d4f54c2396e44efa91fcc74ce

Comment 2 John Helmert III archtester

2023-01-23 02:27:33 UTC

These patches are in 5.8.2.

Comment 3 Larry the Git Cow gentoo-dev

2023-01-23 04:32:45 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f6b02f1030e87d04391b24bdb861bd6406bf2beb

commit f6b02f1030e87d04391b24bdb861bd6406bf2beb
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-01-23 04:32:22 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-23 04:32:34 +0000

    dev-util/radare2: drop 5.7.4, 5.7.6, 5.7.8
    
    Bug: https://bugs.gentoo.org/885395
    Bug: https://bugs.gentoo.org/889026
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 dev-util/radare2/Manifest                          |  11 --
 .../radare2/files/radare2-5.7.0-vector35.patch     |  22 ----
 dev-util/radare2/radare2-5.7.4.ebuild              | 119 ---------------------
 dev-util/radare2/radare2-5.7.6.ebuild              | 119 ---------------------
 dev-util/radare2/radare2-5.7.8.ebuild              | 119 ---------------------
 5 files changed, 390 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=309640e8da12494bdc227e238bdbd7435cb415f9

commit 309640e8da12494bdc227e238bdbd7435cb415f9
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-01-23 03:38:19 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-23 04:32:34 +0000

    dev-util/radare2: add 5.8.2
    
    Unbundle capstone to avoid upstream requirement of capstone-5 patches
    which are not shipped in Gentoo's capstone package.
    
    Bug: https://bugs.gentoo.org/885395
    Bug: https://bugs.gentoo.org/889026
    Bug: https://bugs.gentoo.org/891805
    Closes: https://github.com/gentoo/gentoo/pull/29223
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 dev-util/radare2/Manifest                          |   5 +
 .../files/radare2-5.8.2-bundled-capstone.patch     |  21 ++++
 .../radare2/files/radare2-5.8.2-vector35.patch     |  24 ++++
 dev-util/radare2/radare2-5.8.2.ebuild              | 125 +++++++++++++++++++++
 4 files changed, 175 insertions(+)