Bug 674014 (CVE-2018-20455, CVE-2018-20456) - <dev-util/radare2-3.1.1: multiple vulnerabilities
Summary: <dev-util/radare2-3.1.1: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2018-20455, CVE-2018-20456
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa cve]
Reported: 2018-12-29 16:34 UTC by Melissa Mcdonald
Modified: 2019-03-24 02:30 UTC
Description Melissa Mcdonald 2018-12-29 16:34:34 UTC
https://nvd.nist.gov/vuln/detail/CVE-2018-20455:

In radare2 prior to 3.1.1, the parseOperand function inside libr/asm/p/asm_x86_nz.c may allow attackers to cause a denial of service (application crash via a stack-based buffer overflow) by crafting an input file, a related issue to CVE-2018-20456.


https://nvd.nist.gov/vuln/detail/CVE-2018-20456:

In radare2 prior to 3.1.1, the parseOperand function inside libr/asm/p/asm_x86_nz.c may allow attackers to cause a denial of service (application crash in libr/util/strbuf.c via a stack-based buffer over-read) by crafting an input file, a related issue to CVE-2018-20455.

References:

https://github.com/radare/radare2/issues/12373
https://github.com/radare/radare2/issues/12372
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2019-03-24 02:30:48 UTC
tree is clean