Main Vulnerability Database SB2019092813

SB2019092813 - Command Injection in radare2 (Alpine package)

Published: September 28, 2019

Security Bulletin ID SB2019092813

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Command Injection (CVE-ID: CVE-2019-14745)

The vulnerability allows a local non-authenticated attacker to execute arbitrary code.

In radare2 before 3.7.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c. By using a crafted executable file, it's possible to execute arbitrary shell commands with the permissions of the victim. This vulnerability is due to improper handling of symbol names embedded in executables.

Remediation

Install update from vendor's website.

References

https://git.alpinelinux.org/aports/commit/?id=dcf6ac0dd602ae862f74f0899531fd1cbf6c905f
https://git.alpinelinux.org/aports/commit/?id=11ebb645d709001687b866a6a60a71b566476c2a