Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 634460 (CVE-2017-15368)

Summary: <dev-util/radare2-2.0.1: denial of service via a crafted WASM file
Product: Gentoo Security Reporter: Aleksandr Wagner (Kivak) <alwag>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: davidroman96, slyfox
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Aleksandr Wagner (Kivak) 2017-10-16 16:00:16 UTC 
CVE-2017-15368 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15368):

The wasm_dis function in libr/asm/arch/wasm/wasm.c in radare2 2.0.0 allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) or possibly have unspecified other impact via a crafted WASM file that triggers an incorrect r_hex_bin2str call. 

References:

https://github.com/radare/radare2/commit/52b1526443c1f433087928291d1c3d37a5600515
https://github.com/radare/radare2/issues/8673

@Maintainer(s): The fixed ebuild is in the tree, please clean the vulnerable ebuild from the tree.
Comment 1 Larry the Git Cow gentoo-dev 2017-10-16 16:23:51 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=948ac4ceef675ff449cec40f4fe6025c75453cb8

commit 948ac4ceef675ff449cec40f4fe6025c75453cb8
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2017-10-16 16:22:42 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2017-10-16 16:23:43 +0000

    dev-util/radare2: drop old ebuilds, bug #634460
    
    Bug: https://bugs.gentoo.org/634460
    Package-Manager: Portage-2.3.11, Repoman-2.3.3

 dev-util/radare2/Manifest                          |  6 ---
 .../files/radare2-1.1.0-openssl-1.1.0c.patch       | 31 -------------
 dev-util/radare2/radare2-1.1.0.ebuild              | 42 -----------------
 dev-util/radare2/radare2-1.2.0.ebuild              | 43 ------------------
 dev-util/radare2/radare2-1.3.0.ebuild              | 43 ------------------
 dev-util/radare2/radare2-1.4.0-r1.ebuild           | 45 ------------------
 dev-util/radare2/radare2-1.4.0.ebuild              | 45 ------------------
 dev-util/radare2/radare2-1.6.0.ebuild              | 45 ------------------
 dev-util/radare2/radare2-2.0.0.ebuild              | 53 ----------------------
 9 files changed, 353 deletions(-)}
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-16 22:54:50 UTC 
Thank you all.