Your message dated Fri, 25 Jan 2019 20:10:52 +0000
with message-id <[email protected]>
and subject line Bug#917322: fixed in radare2 3.2.1+dfsg-1
has caused the Debian Bug report #917322,
regarding radare2: CVE-2018-20457 CVE-2018-20459
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
917322: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917322
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: radare2
Version: 3.1.2+dfsg-1.1
Severity: important
Tags: patch security upstream
Hi,
The following vulnerabilities were published for radare2.
CVE-2018-20457[0]:
| In radare2 through 3.1.3, the assemble function inside
| libr/asm/p/asm_arm_cs.c allows attackers to cause a denial-of-service
| (application crash via an r_num_calc out-of-bounds read) by crafting an
| arm assembly input because a loop uses an incorrect index in armass.c
| and certain length validation is missing in armass64.c, a related issue
| to CVE-2018-20459.
CVE-2018-20459[1]:
| In radare2 through 3.1.3, the armass_assemble function in
| libr/asm/arch/arm/armass.c allows attackers to cause a
| denial-of-service (application crash by out-of-bounds read) by crafting
| an arm assembly input because a loop uses an incorrect index in
| armass.c and certain length validation is missing in armass64.c, a
| related issue to CVE-2018-20457.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-20457
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20457
[1] https://security-tracker.debian.org/tracker/CVE-2018-20459
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20459
[1] https://github.com/radare/radare2/issues/12417
[2] https://github.com/radare/radare2/issues/12418
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: radare2
Source-Version: 3.2.1+dfsg-1
We believe that the bug you reported is fixed in the latest version of
radare2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Hilko Bengen <[email protected]> (supplier of updated radare2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Wed, 23 Jan 2019 23:53:52 +0100
Source: radare2
Binary: libradare2-3.2 libradare2-3.2-dbgsym libradare2-dev radare2 radare2-dbgsym
Architecture: source amd64
Version: 3.2.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Security Tools <[email protected]>
Changed-By: Hilko Bengen <[email protected]>
Description:
libradare2-3.2 - libraries from the radare2 suite
libradare2-dev - devel files from the radare2 suite
radare2 - free and advanced command line hexadecimal editor
Closes: 917322
Changes:
radare2 (3.2.1+dfsg-1) unstable; urgency=medium
.
* Team upload
* New upstream version 3.2.1+dfsg
- Fixes CVE-2018-20457, CVE-2018-20459 (Closes: #917322)
* Drop patch that has been integrated upstream
* Bump Debhelper compat level
* Bump Standards-Version
* Bump libradare2 SONAME
* Add libssl-dev build-dependency
--- End Message ---