916508 – (CVE-2023-4322, CVE-2023-46569, CVE-2023-46570, CVE-2023-5686) <dev-util/radare2-5.9.0: multiple vulnerabilities

Bug 916508 (CVE-2023-4322, CVE-2023-46569, CVE-2023-46570, CVE-2023-5686) - <dev-util/radare2-5.9.0: multiple vulnerabilities

Summary: <dev-util/radare2-5.9.0: multiple vulnerabilities

Status:	CONFIRMED

Alias:	CVE-2023-4322, CVE-2023-46569, CVE-2023-46570, CVE-2023-5686

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	~3 [noglsa cleanup]
Keywords:

Depends on:
Blocks:

Reported:	2023-10-29 21:33 UTC by John Helmert III
Modified:	2024-04-15 05:59 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2023-10-29 21:33:38 UTC

CVE-2023-4322:

Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.9.0.

Unreleased patch: https://github.com/radareorg/radare2/commit/ba919adb74ac368bf76b150a00347ded78b572dd

CVE-2023-5686:

Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.9.0.

Unreleased patch: https://github.com/radareorg/radare2/commit/1bdda93e348c160c84e30da3637acef26d0348de

CVE-2023-46570 (https://github.com/radareorg/radare2/issues/22333):

An out-of-bounds read in radare2 v.5.8.9 and before exists in the print_insn32 function of libr/arch/p/nds32/nds32-dis.h.

Unreleased patch: https://github.com/radareorg/radare2/commit/3e406459f163eba7672b3421c8a84b2c0e4ac0f8

CVE-2023-46569 (https://github.com/radareorg/radare2/issues/22334):

An out-of-bounds read in radare2 v.5.8.9 and before exists in the print_insn32_fpu function of libr/arch/p/nds32/nds32-dis.h.

Unreleased Patch: https://github.com/radareorg/radare2/commit/2e2f2a9b1800d09be09461e7536ac03a301f97f2

Comment 1 Larry the Git Cow gentoo-dev

2024-04-14 16:09:01 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1de36cd6aec36d4d2b64ab3aaa05b77ecaeb12f2

commit 1de36cd6aec36d4d2b64ab3aaa05b77ecaeb12f2
Author:     David Roman <davidroman96@gmail.com>
AuthorDate: 2024-04-02 13:04:33 +0000
Commit:     Matthew Smith <matthew@gentoo.org>
CommitDate: 2024-04-14 16:06:28 +0000

    dev-util/radare2: add 5.9.0
    
    Bug: https://bugs.gentoo.org/916508
    Signed-off-by: David Roman <davidroman96@gmail.com>
    Signed-off-by: Matthew Smith <matthew@gentoo.org>

 dev-util/radare2/Manifest             |   4 ++
 dev-util/radare2/radare2-5.9.0.ebuild | 121 ++++++++++++++++++++++++++++++++++
 2 files changed, 125 insertions(+)