SB2017102717 - Multiple vulnerabilities in Radare radare2
Published: October 27, 2017 Updated: August 8, 2020
Description
This security bulletin contains information about 6 security vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2017-16805)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
In radare2 2.0.1, libr/bin/dwarf.c allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted ELF file, related to r_bin_dwarf_parse_comp_unit in dwarf.c and sdb_set_internal in shlr/sdb/src/sdb.c.
2) Buffer overflow (CVE-ID: CVE-2017-16357)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
In radare 2.0.1, a memory corruption vulnerability exists in store_versioninfo_gnu_verdef() and store_versioninfo_gnu_verneed() in libr/bin/format/elf/elf.c, as demonstrated by an invalid free. This error is due to improper sh_size validation when allocating memory.
3) Out-of-bounds read (CVE-ID: CVE-2017-16358)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
In radare 2.0.1, an out-of-bounds read vulnerability exists in string_scan_range() in libr/bin/bin.c when doing a string search.
4) NULL pointer dereference (CVE-ID: CVE-2017-16359)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
In radare 2.0.1, a pointer wraparound vulnerability exists in store_versioninfo_gnu_verdef() in libr/bin/format/elf/elf.c.
5) Out-of-bounds read (CVE-ID: CVE-2017-15931)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
In radare2 2.0.1, an integer exception (negative number leading to an invalid memory access) exists in store_versioninfo_gnu_verneed() in libr/bin/format/elf/elf.c via crafted ELF files on 32-bit systems.
6) Out-of-bounds read (CVE-ID: CVE-2017-15932)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
In radare2 2.0.1, an integer exception (negative number leading to an invalid memory access) exists in store_versioninfo_gnu_verdef() in libr/bin/format/elf/elf.c via crafted ELF files when parsing the ELF version on 32-bit systems.
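Items 2, 4, 5 and 6 share one root cause: section sizes and record offsets read from an ELF file are used before they are checked against the data actually available. The following added example (not radare2 code and not the vendor's fix) shows overflow-safe validation of such fields; `range_ok`, `walk_chain`, `demo` and the simplified `struct rec` are hypothetical names and types introduced for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not radare2 code: true when [off, off+len) fits in
 * `size` bytes. It never computes off+len, so the check cannot wrap. */
static bool range_ok(uint64_t size, uint64_t off, uint64_t len) {
    return off <= size && len <= size - off;
}

/* Stand-in for a version record: only the link field (like vd_next). */
struct rec { uint32_t next; };

/* Walk records in section [sh_offset, sh_offset+sh_size) of a file image.
 * Returns the number of records visited, or -1 on any out-of-range field. */
static int walk_chain(const uint8_t *file, uint64_t file_size,
                      uint64_t sh_offset, uint64_t sh_size, uint32_t count) {
    if (!range_ok(file_size, sh_offset, sh_size))
        return -1;                 /* section is not backed by the file */
    uint64_t pos = 0;              /* unsigned offset inside the section */
    int seen = 0;
    for (uint32_t i = 0; i < count; i++) {
        struct rec r;
        if (!range_ok(sh_size, pos, sizeof r))
            return -1;             /* record would cross the section end */
        memcpy(&r, file + (size_t)(sh_offset + pos), sizeof r);
        seen++;
        if (r.next == 0)
            break;                 /* end of chain */
        if (!range_ok(sh_size, pos, r.next))
            return -1;             /* link points outside the section */
        pos += r.next;
    }
    return seen;
}

/* Constructed sample: 32-byte image with records at offsets 8 and 16. */
static int demo(uint64_t sh_offset, uint64_t sh_size, uint32_t first_next) {
    uint8_t img[32] = {0};
    struct rec a = { first_next }, b = { 0 };
    memcpy(img + 8, &a, sizeof a);
    memcpy(img + 16, &b, sizeof b);
    return walk_chain(img, sizeof img, sh_offset, sh_size, 4);
}

int main(void) {
    printf("%d %d\n", demo(8, 16, 8), demo(8, UINT64_MAX, 8));
    return 0;
}
```

A naive `sh_offset + sh_size <= file_size` test would accept the `UINT64_MAX` case because the sum wraps; keeping offsets unsigned and comparing against the remaining space rejects it, along with link values that would be negative if read as a signed integer.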
Remediation
Install update from vendor's website.
References
- https://github.com/radare/radare2/commit/2ca9ab45891b6ae8e32b6c28c81eebca059cbe5d
- https://github.com/radare/radare2/issues/8813
- https://github.com/radare/radare2/commit/0b973e28166636e0ff1fad80baa0385c9c09c53a
- https://github.com/radare/radare2/issues/8742
- https://github.com/radare/radare2/commit/d31c4d3cbdbe01ea3ded16a584de94149ecd31d9
- https://github.com/radare/radare2/issues/8748
- https://github.com/radare/radare2/commit/62e39f34b2705131a2d08aff0c2e542c6a52cf0e
- https://github.com/radare/radare2/commit/d21e91f075a7a7a8ed23baa5c1bb1fac48313882
- https://github.com/radare/radare2/commit/fbaf24bce7ea4211e4608b3ab6c1b45702cb243d
- https://github.com/radare/radare2/issues/8764
- http://www.securityfocus.com/bid/101609
- https://github.com/radare/radare2/commit/c6d0076c924891ad9948a62d89d0bcdaf965f0cd
- https://github.com/radare/radare2/issues/8731
- http://www.securityfocus.com/bid/101614
- https://github.com/radare/radare2/commit/44ded3ff35b8264f54b5a900cab32ec489d9e5b9
- https://github.com/radare/radare2/issues/8743