Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 885395 (CVE-2022-4398)

Summary: <dev-util/radare2-5.8.2: integer overflow vulnerability
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: davidroman96, proxy-maint
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://huntr.dev/bounties/c6f8d3ef-5420-4eba-9a5f-aba5e2b5fea2
Whiteboard: ~2 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-11 00:13:50 UTC 
CVE-2022-4398:

Integer Overflow or Wraparound in GitHub repository radareorg/radare2 prior to 5.8.0.

Patch (unreleased): https://github.com/radareorg/radare2/commit/b53a1583d05c3a5bfe5fa60da133fe59dfbb02b8

I'm not sure about the possibility of code execution, but we're not
going to GLSA an unstable package anyway.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-30 22:26:10 UTC 
Now fixed in 5.8.0.
Comment 2 Larry the Git Cow gentoo-dev 2023-01-23 04:32:47 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f6b02f1030e87d04391b24bdb861bd6406bf2beb

commit f6b02f1030e87d04391b24bdb861bd6406bf2beb
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-01-23 04:32:22 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-23 04:32:34 +0000

    dev-util/radare2: drop 5.7.4, 5.7.6, 5.7.8
    
    Bug: https://bugs.gentoo.org/885395
    Bug: https://bugs.gentoo.org/889026
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 dev-util/radare2/Manifest                          |  11 --
 .../radare2/files/radare2-5.7.0-vector35.patch     |  22 ----
 dev-util/radare2/radare2-5.7.4.ebuild              | 119 ---------------------
 dev-util/radare2/radare2-5.7.6.ebuild              | 119 ---------------------
 dev-util/radare2/radare2-5.7.8.ebuild              | 119 ---------------------
 5 files changed, 390 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=309640e8da12494bdc227e238bdbd7435cb415f9

commit 309640e8da12494bdc227e238bdbd7435cb415f9
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-01-23 03:38:19 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-23 04:32:34 +0000

    dev-util/radare2: add 5.8.2
    
    Unbundle capstone to avoid upstream requirement of capstone-5 patches
    which are not shipped in Gentoo's capstone package.
    
    Bug: https://bugs.gentoo.org/885395
    Bug: https://bugs.gentoo.org/889026
    Bug: https://bugs.gentoo.org/891805
    Closes: https://github.com/gentoo/gentoo/pull/29223
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 dev-util/radare2/Manifest                          |   5 +
 .../files/radare2-5.8.2-bundled-capstone.patch     |  21 ++++
 .../radare2/files/radare2-5.8.2-vector35.patch     |  24 ++++
 dev-util/radare2/radare2-5.8.2.ebuild              | 125 +++++++++++++++++++++
 4 files changed, 175 insertions(+)