Debian Radare2 vulnerabilities

CVE-2018-10186 [HIGH] CVE-2018-10186: radare2 - In radare2 2.5.0, there is a heap-based buffer over-read in the r_hex_bin2str fu... In radare2 2.5.0, there is a heap-based buffer over-read in the r_hex_bin2str function (libr/util/hex.c). Remote attackers could leverage this vulnerability to cause a denial of service via a crafted DEX file. This issue is different from CVE-2017-15368. Scope: local sid: resolved (fixed in 2.6.0+dfsg-1)

CVE-2018-8809 [MEDIUM] CVE-2018-8809: radare2 - In radare2 2.4.0, there is a heap-based buffer over-read in the dalvik_op functi... In radare2 2.4.0, there is a heap-based buffer over-read in the dalvik_op function of anal_dalvik.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted dex file. Scope: local sid: resolved (fixed in 2.6.0+dfsg-1)

CVE-2018-19842 [MEDIUM] CVE-2018-19842: radare2 - getToken in libr/asm/p/asm_x86_nz.c in radare2 before 3.1.0 allows attackers to ... getToken in libr/asm/p/asm_x86_nz.c in radare2 before 3.1.0 allows attackers to cause a denial of service (stack-based buffer over-read) via crafted x86 assembly data, as demonstrated by rasm2. Scope: local sid: resolved (fixed in 3.1.0+dfsg-1)

CVE-2018-12322 [MEDIUM] CVE-2018-12322: radare2 - There is a heap out of bounds read in radare2 2.6.0 in _6502_op() in libr/anal/p... There is a heap out of bounds read in radare2 2.6.0 in _6502_op() in libr/anal/p/anal_6502.c via a crafted iNES ROM binary file. Scope: local sid: resolved (fixed in 2.7.0+dfsg-1)

CVE-2018-11382 [MEDIUM] CVE-2018-11382: radare2 - The _inst__sts() function in radare2 2.5.0 allows remote attackers to cause a de... The _inst__sts() function in radare2 2.5.0 allows remote attackers to cause a denial of service (heap-based out-of-bounds read and application crash) via a crafted binary file. Scope: local sid: resolved

CVE-2018-20459 [MEDIUM] CVE-2018-20459: radare2 - In radare2 through 3.1.3, the armass_assemble function in libr/asm/arch/arm/arma... In radare2 through 3.1.3, the armass_assemble function in libr/asm/arch/arm/armass.c allows attackers to cause a denial-of-service (application crash by out-of-bounds read) by crafting an arm assembly input because a loop uses an incorrect index in armass.c and certain length validation is missing in armass64.c, a related issue to CVE-2018-20457. Scope: local sid:

CVE-2018-20461 [MEDIUM] CVE-2018-20461: radare2 - In radare2 prior to 3.1.1, core_anal_bytes in libr/core/cmd_anal.c allows attack... In radare2 prior to 3.1.1, core_anal_bytes in libr/core/cmd_anal.c allows attackers to cause a denial-of-service (application crash caused by out-of-bounds read) by crafting a binary file. Scope: local sid: resolved (fixed in 3.1.2+dfsg-1)

CVE-2018-11376 [MEDIUM] CVE-2018-11376: radare2 - The r_read_le32() function in radare2 2.5.0 allows remote attackers to cause a d... The r_read_le32() function in radare2 2.5.0 allows remote attackers to cause a denial of service (heap-based out-of-bounds read and application crash) via a crafted ELF file. Scope: local sid: resolved (fixed in 2.6.0+dfsg-1)

CVE-2018-8808 [MEDIUM] CVE-2018-8808: radare2 - In radare2 2.4.0, there is a heap-based buffer over-read in the r_asm_disassembl... In radare2 2.4.0, there is a heap-based buffer over-read in the r_asm_disassemble function of asm.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted dex file. Scope: local sid: resolved (fixed in 2.6.0+dfsg-1)

CVE-2017-6194 [HIGH] CVE-2017-6194: radare2 - The relocs function in libr/bin/p/bin_bflt.c in radare2 1.2.1 allows remote atta... The relocs function in libr/bin/p/bin_bflt.c in radare2 1.2.1 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file. Scope: local sid: resolved (fixed in 1.1.0+dfsg-4)

CVE-2017-9949 [HIGH] CVE-2017-9949: radare2 - The grub_memmove function in shlr/grub/kern/misc.c in radare2 1.5.0 allows remot... The grub_memmove function in shlr/grub/kern/misc.c in radare2 1.5.0 allows remote attackers to cause a denial of service (stack-based buffer underflow and application crash) or possibly have unspecified other impact via a crafted binary file, possibly related to a buffer underflow in fs/ext2.c in GNU GRUB 2.02. Scope: local sid: resolved (fixed in 1.6.0+dfsg-1)

CVE-2017-16358 [HIGH] CVE-2017-16358: radare2 - In radare 2.0.1, an out-of-bounds read vulnerability exists in string_scan_range... In radare 2.0.1, an out-of-bounds read vulnerability exists in string_scan_range() in libr/bin/bin.c when doing a string search. Scope: local sid: resolved (fixed in 2.1.0+dfsg-1)

CVE-2017-16357 [HIGH] CVE-2017-16357: radare2 - In radare 2.0.1, a memory corruption vulnerability exists in store_versioninfo_g... In radare 2.0.1, a memory corruption vulnerability exists in store_versioninfo_gnu_verdef() and store_versioninfo_gnu_verneed() in libr/bin/format/elf/elf.c, as demonstrated by an invalid free. This error is due to improper sh_size validation when allocating memory. Scope: local sid: resolved (fixed in 2.1.0+dfsg-1)

CVE-2017-15368 [HIGH] CVE-2017-15368: radare2 - The wasm_dis function in libr/asm/arch/wasm/wasm.c in radare2 2.0.0 allows remot... The wasm_dis function in libr/asm/arch/wasm/wasm.c in radare2 2.0.0 allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) or possibly have unspecified other impact via a crafted WASM file that triggers an incorrect r_hex_bin2str call. Scope: local sid: resolved (fixed in 2.1.0+dfsg-1)

CVE-2017-15385 [HIGH] CVE-2017-15385: radare2 - The store_versioninfo_gnu_verdef function in libr/bin/format/elf/elf.c in radare... The store_versioninfo_gnu_verdef function in libr/bin/format/elf/elf.c in radare2 2.0.0 allows remote attackers to cause a denial of service (r_read_le16 invalid write and application crash) or possibly have unspecified other impact via a crafted ELF file. Scope: local sid: resolved (fixed in 2.1.0+dfsg-1)

CVE-2017-6319 [HIGH] CVE-2017-6319: radare2 - The dex_parse_debug_item function in libr/bin/p/bin_dex.c in radare2 1.2.1 allow... The dex_parse_debug_item function in libr/bin/p/bin_dex.c in radare2 1.2.1 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted DEX file. Scope: local sid: resolved (fixed in 1.1.0+dfsg-3)

CVE-2017-6448 [HIGH] CVE-2017-6448: radare2 - The dalvik_disassemble function in libr/asm/p/asm_dalvik.c in radare2 1.2.1 allo... The dalvik_disassemble function in libr/asm/p/asm_dalvik.c in radare2 1.2.1 allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted DEX file. Scope: local sid: resolved (fixed in 1.1.0+dfsg-4)

CVE-2017-15932 [HIGH] CVE-2017-15932: radare2 - In radare2 2.0.1, an integer exception (negative number leading to an invalid me... In radare2 2.0.1, an integer exception (negative number leading to an invalid memory access) exists in store_versioninfo_gnu_verdef() in libr/bin/format/elf/elf.c via crafted ELF files when parsing the ELF version on 32bit systems. Scope: local sid: resolved (fixed in 2.1.0+dfsg-1)

CVE-2017-15931 [HIGH] CVE-2017-15931: radare2 - In radare2 2.0.1, an integer exception (negative number leading to an invalid me... In radare2 2.0.1, an integer exception (negative number leading to an invalid memory access) exists in store_versioninfo_gnu_verneed() in libr/bin/format/elf/elf.c via crafted ELF files on 32bit systems. Scope: local sid: resolved (fixed in 2.1.0+dfsg-1)

CVE-2017-6197 [MEDIUM] CVE-2017-6197: radare2 - The r_read_* functions in libr/include/r_endian.h in radare2 1.2.1 allow remote ... The r_read_* functions in libr/include/r_endian.h in radare2 1.2.1 allow remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted binary file, as demonstrated by the r_read_le32 function. Scope: local sid: resolved (fixed in 1.1.0+dfsg-2)