Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 831057 (CVE-2021-4021, CVE-2022-0139, CVE-2022-0173, CVE-2022-0476, CVE-2022-0518, CVE-2022-0519, CVE-2022-0520, CVE-2022-0521, CVE-2022-0522, CVE-2022-0523, CVE-2022-0559, CVE-2022-0695, CVE-2022-0712, CVE-2022-0713, CVE-2022-1237, CVE-2022-1238, CVE-2022-1283, CVE-2022-1284, CVE-2022-1296, CVE-2022-1297, CVE-2022-1382, CVE-2022-1383, CVE-2022-1437) - <dev-util/radare2-5.6.8: multiple vulnerabilities
Summary: <dev-util/radare2-5.6.8: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2021-4021, CVE-2022-0139, CVE-2022-0173, CVE-2022-0476, CVE-2022-0518, CVE-2022-0519, CVE-2022-0520, CVE-2022-0521, CVE-2022-0522, CVE-2022-0523, CVE-2022-0559, CVE-2022-0695, CVE-2022-0712, CVE-2022-0713, CVE-2022-1237, CVE-2022-1238, CVE-2022-1283, CVE-2022-1284, CVE-2022-1296, CVE-2022-1297, CVE-2022-1382, CVE-2022-1383, CVE-2022-1437
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa]
Keywords: PullRequest
Depends on:
Blocks: CVE-2022-1061, CVE-2022-1240, CVE-2022-1244
  Show dependency tree
 
Reported: 2022-01-12 08:04 UTC by filip ambroz
Modified: 2022-04-26 14:45 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description filip ambroz 2022-01-12 08:04:51 UTC
The vulnerability is of out-of-bound read. The bug exists in latest stable release (radare2-5.5.4).

The POC can be directly used to launch DoS attack. Besides, it is possible for the attacker to finally accomplish RCE (Remote Code Execution) if the broken pointer address (b->methods) can be further exploited (need more investigation).

URLs:
https://nvd.nist.gov/vuln/detail/CVE-2022-0173
https://huntr.dev/bounties/727d8600-88bc-4dde-8dea-ee3d192600e5/

Patch:
https://github.com/radareorg/radare2/commit/37897226a1a31f982bfefdc4aeefc2e50355c73c

Reproducible: Always
Comment 1 filip ambroz 2022-02-08 21:34:49 UTC
[CVE-2022-0139]
This vulnerability is of use-after-free. The bug exists in latest stable release (radare2-5.5.4).

URL: https://huntr.dev/bounties/3dcb6f40-45cd-403b-929f-db123fde32c0/

Patch:https://github.com/radareorg/radare2/commit/37897226a1a31f982bfefdc4aeefc2e50355c73c

Please bump to 5.6.0: https://github.com/radareorg/radare2/releases/tag/5.6.0
Comment 2 filip ambroz 2022-02-09 00:04:31 UTC
...and then some more:

[CVE-2022-0518]
Heap-based Buffer Overflow in NPM radare2.js prior to 5.6.2.
URL: https://huntr.dev/bounties/10051adf-7ddc-4042-8fd0-8e9e0c5b1184/
Patch: https://github.com/radareorg/radare2/commit/9650e3c352f675687bf6c6f65ff2c4a3d0e288fa

[CVE-2022-0519]
Buffer Access with Incorrect Length Value in GitHub repository radareorg/radare2 prior to 5.6.2.
URL: https://huntr.dev/bounties/af85b9e1-d1cf-4c0e-ba12-525b82b7c1e3/
Patch: https://github.com/radareorg/radare2/commit/6c4428f018d385fc80a33ecddcb37becea685dd5

[CVE-2022-0520]
Use After Free in NPM radare2.js prior to 5.6.2.
https://nvd.nist.gov/vuln/detail/CVE-2022-0520
URL: https://huntr.dev/bounties/ce13c371-e5ef-4993-97f3-3d33dcd943a6/
Patch: https://github.com/radareorg/radare2/commit/8525ad0b9fd596f4b251bb3d7b114e6dc7ce1ee8

[CVE-2022-0521]
Access of Memory Location After End of Buffer in GitHub repository radareorg/radare2 prior to 5.6.2.
URL: https://huntr.dev/bounties/4d436311-bbf1-45a3-8774-bdb666d7f7ca/
Patch: https://github.com/radareorg/radare2/commit/6c4428f018d385fc80a33ecddcb37becea685dd5

[CVE-2022-0522]
Access of Memory Location Before Start of Buffer in NPM radare2.js prior to 5.6.2.
URL: https://huntr.dev/bounties/2d45e589-d614-4875-bba1-be0f729e7ca9/
Patch: https://github.com/radareorg/radare2/commit/d17a7bdf166108a29a27cd89bf454f9fa6c050d6

[CVE-2022-0523]
Expired Pointer Dereference in NPM radare2.js prior to 5.6.2.
URL: https://huntr.dev/bounties/9d8d6ae0-fe00-40b9-ae1e-b0e8103bac69/
Patch: https://github.com/radareorg/radare2/commit/35482cb760db10f87a62569e2f8872dbd95e9269
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-16 15:14:15 UTC
CVE-2022-0559 (https://github.com/radareorg/radare2/commit/b5cb90b28ec71fda3504da04e3cc94a362807f5e):

Use After Free in GitHub repository radareorg/radare2 prior to 5.6.2.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-23 16:01:28 UTC
CVE-2022-0713 (https://huntr.dev/bounties/d35b3dff-768d-4a09-a742-c18ca8f56d3c):

Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.6.4.

CVE-2022-0712 (https://github.com/radareorg/radare2/commit/515e592b9bea0612bc63d8e93239ff35bcf645c7):

NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.6.4.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-24 20:59:15 UTC
CVE-2022-0695 (https://github.com/radareorg/radare2/commit/634b886e84a5c568d243e744becc6b3223e089cf):

Denial of Service in GitHub repository radareorg/radare2 prior to 5.6.4.

CVE-2022-0476 (https://github.com/radareorg/radare2/commit/27fe8031782d3a06c3998eaa94354867864f9f1b):

Denial of Service in GitHub repository radareorg/radare2 prior to 5.6.4.
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-24 22:39:12 UTC
CVE-2021-4021 (https://github.com/radareorg/radare2/issues/19436):

A vulnerability was found in Radare2 in versions prior to 5.6.2, 5.6.0, 5.5.4 and 5.5.2. Mapping a huge section filled with zeros of an ELF64 binary for MIPS architecture can lead to uncontrolled resource consumption and DoS.
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-09 23:01:19 UTC
CVE-2022-1283 (https://huntr.dev/bounties/bfeb8fb8-644d-4587-80d4-cb704c404013):

NULL Pointer Dereference in r_bin_ne_get_entrypoints function in GitHub repository radareorg/radare2 prior to 5.6.8. This vulnerability allows attackers to cause a denial of service (application crash).

CVE-2022-1284 (https://huntr.dev/bounties/e98ad92c-3a64-48fb-84d4-d13afdbcbdd7):

heap-use-after-free in GitHub repository radareorg/radare2 prior to 5.6.8. This vulnerability is capable of inducing denial of service.

CVE-2022-1244 (https://huntr.dev/bounties/8ae2c61a-2220-47a5-bfe8-fe6d41ab1f82):

heap-buffer-overflow in GitHub repository radareorg/radare2 prior to 5.6.8. This vulnerability is capable of inducing denial of service.

CVE-2022-1238 (https://huntr.dev/bounties/47422cdf-aad2-4405-a6a1-6f63a3a93200):

Heap-based Buffer Overflow in libr/bin/format/ne/ne.c in GitHub repository radareorg/radare2 prior to 5.6.8. This vulnerability is heap overflow and may be exploitable. For more general description of heap buffer overflow, see [CWE](https://cwe.mitre.org/data/definitions/122.html).

CVE-2022-1237 (https://huntr.dev/bounties/ad3c9c4c-76e7-40c8-bd4a-c095acd8bb40):

Improper Validation of Array Index in GitHub repository radareorg/radare2 prior to 5.6.8. This vulnerability is heap overflow and may be exploitable. For more general description of heap buffer overflow, see [CWE](https://cwe.mitre.org/data/definitions/122.html).

CVE-2022-1240 (https://huntr.dev/bounties/e589bd97-4c74-4e79-93b5-0951a281facc):

Heap buffer overflow in libr/bin/format/mach0/mach0.c in GitHub repository radareorg/radare2 prior to 5.8.6. If address sanitizer is disabled during the compiling, the program should executes into the `r_str_ncpy` function. Therefore I think it is very likely to be exploitable. For more general description of heap buffer overflow, see [CWE](https://cwe.mitre.org/data/definitions/122.html).

All patched upstream.
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-12 16:15:53 UTC
CVE-2022-1296 (https://github.com/radareorg/radare2/commit/153bcdc29f11cd8c90e7d639a7405450f644ddb6):

Out-of-bounds read in `r_bin_ne_get_relocs` function in GitHub repository radareorg/radare2 prior to 5.6.8. This vulnerability may allow attackers to read sensitive information or cause a crash.

CVE-2022-1297 (https://github.com/radareorg/radare2/commit/0a557045476a2969c7079aec9eeb29d02f2809c6):

Out-of-bounds Read in r_bin_ne_get_entrypoints function in GitHub repository radareorg/radare2 prior to 5.6.8. This vulnerability may allow attackers to read sensitive information or cause a crash.
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-19 02:37:36 UTC
CVE-2022-1382 (https://github.com/radareorg/radare2/commit/48f0ea79f99174fb0a62cb2354e13496ce5b7c44):
https://huntr.dev/bounties/d8b6d239-6d7b-4783-b26b-5be848c01aa1

NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.6.8. This vulnerability is capable of making the radare2 crash, thus affecting the availability of the system.

CVE-2022-1383 (https://huntr.dev/bounties/02b4b563-b946-4343-9092-38d1c5cd60c9):
https://github.com/radareorg/radare2/commit/1dd65336f0f0c351d6ea853efcf73cf9c0030862

Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.6.8. The bug causes the program reads data past the end of the intented buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash.
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-22 21:35:11 UTC
CVE-2022-1437 (https://github.com/radareorg/radare2/commit/669a404b6d98d5db409a5ebadae4e94b34ef5136):

Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.7.0. The bug causes the program reads data past the end of the intented buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash.
Comment 11 filip ambroz 2022-04-25 06:47:01 UTC
[CVE-2022-1444]
heap-use-after-free in GitHub repository radareorg/radare2 prior to 5.7.0. This vulnerability is capable of inducing denial of service.
URLs:
https://huntr.dev/bounties/b438a940-f8a4-4872-b030-59bdd1ab72aa/
https://github.com/radareorg/radare2/commit/14189710859c27981adb4c2c2aed2863c1859ec5

[CVE-2022-1451]
Out-of-bounds Read in r_bin_java_constant_value_attr_new function in GitHub repository radareorg/radare2 prior to 5.7.0. The bug causes the program reads data past the end 2f the intented buffer.
URLs:
https://huntr.dev/bounties/229a2e0d-9e5c-402f-9a24-57fa2eb1aaa7
https://github.com/radareorg/radare2/commit/0927ed3ae99444e7b47b84e43118deb10fe37529

[CVE-2022-1452]
Out-of-bounds Read in r_bin_java_bootstrap_methods_attr_new function in GitHub repository radareorg/radare2 prior to 5.7.0. The bug causes the program reads data past the end 2f the intented buffer.
URLs:
https://huntr.dev/bounties/c8f4c2de-7d96-4ad4-857a-c099effca2d6
https://github.com/radareorg/radare2/commit/ecc44b6a2f18ee70ac133365de0e509d26d5e168
Comment 12 Larry the Git Cow gentoo-dev 2022-04-25 06:56:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=48627ba2203445afedb3eb0e99c24cf931896f1e

commit 48627ba2203445afedb3eb0e99c24cf931896f1e
Author:     David Roman <davidroman96@gmail.com>
AuthorDate: 2022-04-22 10:45:36 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-04-25 06:56:56 +0000

    dev-util/radare2: verbump to 5.6.8
    
    Bug: https://bugs.gentoo.org/831057
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: David Roman <davidroman96@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/25155
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 dev-util/radare2/Manifest                  |   3 +
 dev-util/radare2/files/CVE-2022-1437.patch |  72 +++++++++++++++++++
 dev-util/radare2/radare2-5.6.8.ebuild      | 109 +++++++++++++++++++++++++++++
 3 files changed, 184 insertions(+)
Comment 13 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-25 23:50:58 UTC
Thanks! Please cleanup.
Comment 14 Larry the Git Cow gentoo-dev 2022-04-26 05:51:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=12dee7b9dcd337b5bd8014904dedda597122049b

commit 12dee7b9dcd337b5bd8014904dedda597122049b
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2022-04-26 05:49:50 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-04-26 05:49:50 +0000

    dev-util/radare2: drop 5.5.4
    
    Bug: https://bugs.gentoo.org/831057
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 dev-util/radare2/Manifest             |   3 -
 dev-util/radare2/radare2-5.5.4.ebuild | 106 ----------------------------------
 2 files changed, 109 deletions(-)
Comment 15 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-26 13:14:01 UTC
Thanks, all done!
Comment 16 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-26 14:45:13 UTC
(In reply to filip ambroz from comment #11)
> [CVE-2022-1444]
> heap-use-after-free in GitHub repository radareorg/radare2 prior to 5.7.0.
> This vulnerability is capable of inducing denial of service.
> URLs:
> https://huntr.dev/bounties/b438a940-f8a4-4872-b030-59bdd1ab72aa/
> https://github.com/radareorg/radare2/commit/
> 14189710859c27981adb4c2c2aed2863c1859ec5
> 
> [CVE-2022-1451]
> Out-of-bounds Read in r_bin_java_constant_value_attr_new function in GitHub
> repository radareorg/radare2 prior to 5.7.0. The bug causes the program
> reads data past the end 2f the intented buffer.
> URLs:
> https://huntr.dev/bounties/229a2e0d-9e5c-402f-9a24-57fa2eb1aaa7
> https://github.com/radareorg/radare2/commit/
> 0927ed3ae99444e7b47b84e43118deb10fe37529
> 
> [CVE-2022-1452]
> Out-of-bounds Read in r_bin_java_bootstrap_methods_attr_new function in
> GitHub repository radareorg/radare2 prior to 5.7.0. The bug causes the
> program reads data past the end 2f the intented buffer.
> URLs:
> https://huntr.dev/bounties/c8f4c2de-7d96-4ad4-857a-c099effca2d6
> https://github.com/radareorg/radare2/commit/
> ecc44b6a2f18ee70ac133365de0e509d26d5e168

I'm sorry, I missed this comment, these didn't make it into the release. I'll pop them into another bug.