
An updated radare2 package is now available for Arch Linux to address multiple issues including arbitrary code execution and denial of service.



Arch Linux Security Advisory ASA-201806-2
=========================================

Severity: High
Date    : 2018-06-05
CVE-ID  : CVE-2018-11375 CVE-2018-11376 CVE-2018-11377 CVE-2018-11378
          CVE-2018-11379 CVE-2018-11380 CVE-2018-11381 CVE-2018-11382
          CVE-2018-11383 CVE-2018-11384
Package : radare2
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-709

Summary
=======

The package radare2 before version 2.6.0-1 is vulnerable to multiple
issues including arbitrary code execution and denial of service.

Resolution
==========

Upgrade to 2.6.0-1.

# pacman -Syu "radare2>=2.6.0-1"

The problems have been fixed upstream in version 2.6.0.
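
To find hosts that still need the upgrade, the following added example (not part of the original advisory or of Arch's tooling) compares radare2 versions against the fixed 2.6.0-1 using pacman's vercmp. The "host package version" inventory format and the sort -V fallback for hosts without vercmp are assumptions made for this example.

```sh
#!/bin/sh
# Added example: flag radare2 installs older than the fix in ASA-201806-2.
FIXED_VERSION="2.6.0-1"   # from the advisory's Resolution section

# Print a negative number, 0 or a positive number, like pacman's vercmp.
compare_versions() {
    if command -v vercmp >/dev/null 2>&1; then
        vercmp "$1" "$2"
        return
    fi
    # Fallback (assumption): GNU sort -V approximates vercmp for plain
    # "version-release" strings that carry no epoch.
    if [ "$1" = "$2" ]; then
        echo 0
    elif [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]; then
        echo -1
    else
        echo 1
    fi
}

# Succeeds (exit 0) when the given version predates the fixed package.
radare2_is_vulnerable() {
    [ "$(compare_versions "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Read "host package version" lines on stdin (hypothetical format: a host
# name followed by that host's `pacman -Q radare2` output) and print the
# hosts that still run a vulnerable radare2.
audit_inventory() {
    while read -r host pkg version; do
        [ "$pkg" = "radare2" ] || continue
        if radare2_is_vulnerable "$version"; then
            echo "$host $version"
        fi
    done
}

# Constructed sample inventory, not real hosts.
audit_inventory <<'EOF'
build01 radare2 2.5.0-2
lab02 radare2 2.6.0-1
re-ws03 radare2 2.4.0-1
EOF
```

On a single Arch host, the same check is `radare2_is_vulnerable "$(pacman -Q radare2 | awk '{print $2}')"`.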

Workaround
==========

None.

Description
===========

- CVE-2018-11375 (denial of service)

The _inst__lds() function in radare2 2.5.0 allows remote attackers to
cause a denial of service (heap-based out-of-bounds read and
application crash) via a crafted binary file.

- CVE-2018-11376 (denial of service)

The r_read_le32() function in radare2 2.5.0 allows remote attackers to
cause a denial of service (heap-based out-of-bounds read and
application crash) via a crafted ELF file.

- CVE-2018-11377 (denial of service)

The avr_op_analyze() function in radare2 2.5.0 allows remote attackers
to cause a denial of service (heap-based out-of-bounds read and
application crash) via a crafted binary file.

- CVE-2018-11378 (arbitrary code execution)

The wasm_dis() function in libr/asm/arch/wasm/wasm.c has a stack-buffer
overflow that may result in denial-of-service or possibly have
unspecified other impact via a crafted WASM file.

- CVE-2018-11379 (denial of service)

The get_debug_info() function in radare2 2.5.0 allows remote attackers
to cause a denial of service (heap-based out-of-bounds read and
application crash) via a crafted PE file.

- CVE-2018-11380 (denial of service)

The parse_import_ptr() function in radare2 2.5.0 allows remote
attackers to cause a denial of service (heap-based out-of-bounds read
and application crash) via a crafted Mach-O file.

- CVE-2018-11381 (denial of service)

The string_scan_range() function in radare2 2.5.0 allows remote
attackers to cause a denial of service (heap-based out-of-bounds read
and application crash) via a crafted binary file.

- CVE-2018-11382 (denial of service)

The _inst__sts() function in radare2 2.5.0 allows remote attackers to
cause a denial of service (heap-based out-of-bounds read and
application crash) via a crafted binary file.

- CVE-2018-11383 (denial of service)

The r_strbuf_fini() function in radare2 2.5.0 allows remote attackers
to cause a denial of service (invalid free and application crash) via a
crafted ELF file because of an uninitialized variable in the CPSE
handler in libr/anal/p/anal_avr.c.

- CVE-2018-11384 (denial of service)

The sh_op() function in radare2 2.5.0 allows remote attackers to cause
a denial of service (heap-based out-of-bounds read and application
crash) via a crafted ELF file.

Impact
======

A remote attacker is able to execute arbitrary code or crash the
application via a specially crafted file.

References
==========

https://github.com/radare/radare2/commit/041e53cab7ca33481ae45ecd65ad596976d78e68
https://github.com/radare/radare2/issues/9928
https://github.com/radare/radare2/commit/1f37c04f2a762500222dda2459e6a04646feeedf
https://github.com/radare/radare2/issues/9904
https://github.com/radare/radare2/commit/25a3703ef2e015bbe1d1f16f6b2f63bb10dd34f4
https://github.com/radare/radare2/commit/b35530fa0681b27eba084de5527037ebfb397422
https://github.com/radare/radare2/issues/9901
https://github.com/radare/radare2/commit/bd276ef2fd8ac3401e65be7c126a43175ccfbcd7
https://github.com/radare/radare2/issues/9969
https://github.com/radare/radare2/commit/4e1cf0d3e6f6fe2552a269def0af1cd2403e266c
https://github.com/radare/radare2/issues/9926
https://github.com/radare/radare2/commit/60208765887f5f008b3b9a883f3addc8bdb9c134
https://github.com/radare/radare2/issues/9970
https://github.com/radare/radare2/commit/3fcf41ed96ffa25b38029449520c8d0a198745f3
https://github.com/radare/radare2/issues/9902
https://github.com/radare/radare2/commit/d04c78773f6959bcb427453f8e5b9824d5ba9eff
https://github.com/radare/radare2/issues/10091
https://github.com/radare/radare2/commit/9d348bcc2c4bbd3805e7eec97b594be9febbdf9a
https://github.com/radare/radare2/issues/9943
https://github.com/radare/radare2/commit/77c47cf873dd55b396da60baa2ca83bbd39e4add
https://github.com/radare/radare2/issues/9903
https://security.archlinux.org/CVE-2018-11375
https://security.archlinux.org/CVE-2018-11376
https://security.archlinux.org/CVE-2018-11377
https://security.archlinux.org/CVE-2018-11378
https://security.archlinux.org/CVE-2018-11379
https://security.archlinux.org/CVE-2018-11380
https://security.archlinux.org/CVE-2018-11381
https://security.archlinux.org/CVE-2018-11382
https://security.archlinux.org/CVE-2018-11383
https://security.archlinux.org/CVE-2018-11384