Your message dated Thu, 25 Apr 2024 14:52:15 +0000
with message-id <[email protected]>
and subject line Bug#950372: fixed in radare2 5.9.0+dfsg-1
has caused the Debian Bug report #950372,
regarding Is radare2 suitable for stable Debian releases?
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
950372: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950372
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: radare2
Severity: grave
Tags: security
It is understandable (and normal for most software) that upstream
is not able or willing to provide security support for the old
version shipped in stable distribution releases.
But below seems to be upstream actively encouraging exploiting
the version in stable.
AFAIK Debian in general tries to avoid shipping software when upstream
strongly objects to it, or is openly hostile towards Debian.
<-- snip -->
https://rada.re/con/2019/
PwnDebian
Since the very beginning of radare development we had people complaining of bugs
because they were using the 3-4 year old version shipped in their distro. We
tried to work with everyone who ships builds of r2 to always get updates and
merge back their patches upstream so everyone gets benefit out of it.
But that has been not enough. In github/radare2 we can check out most of
known/used Linux and BSD distros and the shipped r2 version, and it's pretty
clear that Debian/Ubuntu stopped updating those packages a long time ago (3.2.1).
Yes, the 0.9.6 drama is over.
The aim of this competition is to publish a working exploit for radare2 on
Debian stable (nowadays, unstable keeps the same version). To show that
debian-security and backporting patches is not solving enough when distributing
such state-of-the-art packages.
In order to win this competition, we will accept only 1 working exploit (the
first one to submit it) for radare2-3.2.1 (built for x86-64 debian/stable).
Additional points will be given for writing some notes or presenting at r2con
the way the vuln was found and how the exploit was developed.
--- End Message ---
--- Begin Message ---
Source: radare2
Source-Version: 5.9.0+dfsg-1
Done: Alex Myczko <[email protected]>
We believe that the bug you reported is fixed in the latest version of
radare2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alex Myczko <[email protected]> (supplier of updated radare2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 25 Apr 2024 15:46:50 +0200
Source: radare2
Architecture: source
Version: 5.9.0+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Security Tools <[email protected]>
Changed-By: Alex Myczko <[email protected]>
Closes: 950372 1014478 1014490 1016979 1027144 1029037 1032667 1034180 1034862 1051898 1054908 1055854 1056930 1060127
Changes:
radare2 (5.9.0+dfsg-1) unstable; urgency=medium
.
* New upstream version. (Closes: #1034862, #1060127, #950372)
(Closes: #1056930) (CVE-2023-47016)
(Closes: #1032667) (CVE-2023-27114)
(Closes: #1055854) (CVE-2023-5686)
(Closes: #1054908) (CVE-2023-46570) (CVE-2023-46569)
(Closes: #1051898) (CVE-2023-4322)
(Closes: #1034180) (CVE-2023-1605)
(Closes: #1029037) (CVE-2023-0302)
(Closes: #1027144) (CVE-2022-4398)
(Closes: #1016979) (CVE-2022-34502) (CVE-2022-34520)
(Closes: #1014490) (CVE-2021-44975) (CVE-2021-44974) (CVE-2021-4021)
(Closes: #1014478) (CVE-2022-1714 CVE-2022-1809 CVE-2022-1899 CVE-2022-0849
CVE-2022-1052 CVE-2022-1061 CVE-2022-1207 CVE-2022-1237
CVE-2022-1238 CVE-2022-1240 CVE-2022-1244 CVE-2022-0476
CVE-2022-0518 CVE-2022-0519 CVE-2022-0521 CVE-2022-0523
CVE-2022-0559 CVE-2022-0676 CVE-2022-0695 CVE-2022-0712
CVE-2022-0713 CVE-2022-0139 CVE-2022-0173 CVE-2022-0419
CVE-2022-1031 CVE-2022-1283 CVE-2022-1284 CVE-2022-1296
CVE-2022-1297 CVE-2022-1382 CVE-2022-1444 CVE-2022-1437
CVE-2022-1451 CVE-2022-1452 CVE-2022-1649
CVE-2022-1383)
Checksums-Sha1:
6aaf46d1cd2d740cc4129753d4bee1f84b50c740 2424 radare2_5.9.0+dfsg-1.dsc
fd7a9ff7105bd15f313182c8c02496f9f47ac78e 7248984 radare2_5.9.0+dfsg.orig.tar.xz
6b9d0e7d6d3e892bc8f9924abc2f89c681cd75a3 17232 radare2_5.9.0+dfsg-1.debian.tar.xz
4f936e002d5b6662f8f3699bc5f9f87444f76bc5 8546 radare2_5.9.0+dfsg-1_source.buildinfo
Checksums-Sha256:
d54adc2144a010999089f5c309adb46c8a64a9a8a35571975f7fd840e9066c47 2424 radare2_5.9.0+dfsg-1.dsc
02932c7eabc63878b4ab6375e7e6603ef84dcb9c6352c351919021d3d2c89765 7248984 radare2_5.9.0+dfsg.orig.tar.xz
cb2ac3cc22c084bec7c2ba24e9474f71ccd1861e62d4c82224deb3ed98c06b6f 17232 radare2_5.9.0+dfsg-1.debian.tar.xz
327a2bec8c87c421c892a5967d85e2ccd3c7c428347d8d638b2197b73124ee24 8546 radare2_5.9.0+dfsg-1_source.buildinfo
Files:
ac7b3678ec07629d7005825fe0f2eab8 2424 devel optional radare2_5.9.0+dfsg-1.dsc
c67ae12ae0b3a6497aababa89862d8ae 7248984 devel optional radare2_5.9.0+dfsg.orig.tar.xz
5f5218a3ce37466455be75e9b4b1d00a 17232 devel optional radare2_5.9.0+dfsg-1.debian.tar.xz
1666f9e10e4e76ea65f27c812677bb57 8546 devel optional radare2_5.9.0+dfsg-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
=ZgBH
-----END PGP SIGNATURE-----
pgpYWOAO5EnIQ.pgp
Description: PGP signature
--- End Message ---