Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 889026 (CVE-2022-4843, CVE-2023-0302)

Summary: <dev-util/radare2-5.8.2: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: davidroman96, proxy-maint
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/gentoo/gentoo/pull/29223
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-30 22:26:39 UTC 
CVE-2022-4843 (https://huntr.dev/bounties/075b2760-66a0-4d38-b3b5-e9934956ab7f):

NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.8.2.

Unreleased patch: https://github.com/radareorg/radare2/commit/842f809d4ec6a12af2906f948657281c9ebc8a24
Comment 1 filip ambroz 2023-01-15 13:43:58 UTC 
CVE-2023-0302 (https://huntr.dev/bounties/583133af-7ae6-4a21-beef-a4b0182cf82e/)

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in GitHub repository radareorg/radare2 prior to 5.8.2.

Patch: https://github.com/radareorg/radare2/commit/961f0e723903011d4f54c2396e44efa91fcc74ce
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-23 02:27:33 UTC 
These patches are in 5.8.2.
Comment 3 Larry the Git Cow gentoo-dev 2023-01-23 04:32:45 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f6b02f1030e87d04391b24bdb861bd6406bf2beb

commit f6b02f1030e87d04391b24bdb861bd6406bf2beb
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-01-23 04:32:22 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-23 04:32:34 +0000

    dev-util/radare2: drop 5.7.4, 5.7.6, 5.7.8
    
    Bug: https://bugs.gentoo.org/885395
    Bug: https://bugs.gentoo.org/889026
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 dev-util/radare2/Manifest                          |  11 --
 .../radare2/files/radare2-5.7.0-vector35.patch     |  22 ----
 dev-util/radare2/radare2-5.7.4.ebuild              | 119 ---------------------
 dev-util/radare2/radare2-5.7.6.ebuild              | 119 ---------------------
 dev-util/radare2/radare2-5.7.8.ebuild              | 119 ---------------------
 5 files changed, 390 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=309640e8da12494bdc227e238bdbd7435cb415f9

commit 309640e8da12494bdc227e238bdbd7435cb415f9
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-01-23 03:38:19 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-23 04:32:34 +0000

    dev-util/radare2: add 5.8.2
    
    Unbundle capstone to avoid upstream requirement of capstone-5 patches
    which are not shipped in Gentoo's capstone package.
    
    Bug: https://bugs.gentoo.org/885395
    Bug: https://bugs.gentoo.org/889026
    Bug: https://bugs.gentoo.org/891805
    Closes: https://github.com/gentoo/gentoo/pull/29223
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 dev-util/radare2/Manifest                          |   5 +
 .../files/radare2-5.8.2-bundled-capstone.patch     |  21 ++++
 .../radare2/files/radare2-5.8.2-vector35.patch     |  24 ++++
 dev-util/radare2/radare2-5.8.2.ebuild              | 125 +++++++++++++++++++++
 4 files changed, 175 insertions(+)