
Bug 688336 (CVE-2019-12865)

Summary: <dev-util/radare2-3.5.1-r1: double-free in cmd_mount.c
Product: Gentoo Security
Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: davidroman96, slyfox
Priority: Low
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/radare/radare2/issues/14334
Whiteboard: ~3 [noglsa cve]
Package list:
Runtime testing required: ---

Description D'juan McDonald (domhnall) 2019-06-19 00:11:06 UTC
(https://nvd.nist.gov/vuln/detail/CVE-2019-12865):
In radare2 through 3.5.1, cmd_mount in libr/core/cmd_mount.c has a double free for the ms command.

upstream fix: https://github.com/radare/radare2/commit/40453029179d230cf02ffed205f2d63e33981b8f

Gentoo Security Padawan
(domhnall)
Comment 1 Larry the Git Cow gentoo-dev 2019-06-22 08:21:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3abf285d96a21f56f86e1fdf7814d186bef3c374

commit 3abf285d96a21f56f86e1fdf7814d186bef3c374
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2019-06-22 08:21:36 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2019-06-22 08:21:44 +0000

    dev-util/radare2: drop old, bug #688336
    
    Reported-by: D'juan McDonald (domhnall)
    Bug: https://bugs.gentoo.org/688336
    Package-Manager: Portage-2.3.67, Repoman-2.3.15
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 dev-util/radare2/Manifest             |  2 --
 dev-util/radare2/radare2-3.4.1.ebuild | 62 -----------------------------------
 dev-util/radare2/radare2-3.5.0.ebuild | 56 -------------------------------
 dev-util/radare2/radare2-3.5.1.ebuild | 56 -------------------------------
 4 files changed, 176 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=677a68abfac2720af13042540adbb5f43b6475c3

commit 677a68abfac2720af13042540adbb5f43b6475c3
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2019-06-22 08:21:01 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2019-06-22 08:21:44 +0000

    dev-util/radare2: fix double-free in cmd_mount.c, bug #688336
    
    Reported-by: D'juan McDonald (domhnall)
    Bug: https://bugs.gentoo.org/688336
    Package-Manager: Portage-2.3.67, Repoman-2.3.15
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 .../radare2/files/radare2-3.5.1-mount-free.patch   | 22 ++++++++
 dev-util/radare2/radare2-3.5.1-r1.ebuild           | 60 ++++++++++++++++++++++
 2 files changed, 82 insertions(+)
Comment 2 D'juan McDonald (domhnall) 2019-08-21 19:47:02 UTC
@Security, please add to CVETool.