Radare Radare2 vulnerabilities

CVE-2018-11384 [MEDIUM] CWE-125 CVE-2018-11384: The sh_op() function in radare2 2.5.0 allows remote attackers to cause a denial of service (heap-bas The sh_op() function in radare2 2.5.0 allows remote attackers to cause a denial of service (heap-based out-of-bounds read and application crash) via a crafted ELF file.

CVE-2018-11381 [MEDIUM] CWE-125 CVE-2018-11381: The string_scan_range() function in radare2 2.5.0 allows remote attackers to cause a denial of servi The string_scan_range() function in radare2 2.5.0 allows remote attackers to cause a denial of service (heap-based out-of-bounds read and application crash) via a crafted binary file.

CVE-2018-11383 [MEDIUM] CWE-908 CVE-2018-11383: The r_strbuf_fini() function in radare2 2.5.0 allows remote attackers to cause a denial of service ( The r_strbuf_fini() function in radare2 2.5.0 allows remote attackers to cause a denial of service (invalid free and application crash) via a crafted ELF file because of an uninitialized variable in the CPSE handler in libr/anal/p/anal_avr.c.

CVE-2018-11382 [MEDIUM] CWE-125 CVE-2018-11382: The _inst__sts() function in radare2 2.5.0 allows remote attackers to cause a denial of service (hea The _inst__sts() function in radare2 2.5.0 allows remote attackers to cause a denial of service (heap-based out-of-bounds read and application crash) via a crafted binary file.

CVE-2018-10187 [MEDIUM] CWE-125 CVE-2018-10187: In radare2 2.5.0, there is a heap-based buffer over-read in the dalvik_op function (libr/anal/p/anal In radare2 2.5.0, there is a heap-based buffer over-read in the dalvik_op function (libr/anal/p/anal_dalvik.c). Remote attackers could leverage this vulnerability to cause a denial of service via a crafted DEX file. Note that this issue is different from CVE-2018-8809, which was patched earlier.

CVE-2018-10186 [MEDIUM] CVE-2018-10186: In radare2 2.5.0, there is a heap-based buffer over-read in the r_hex_bin2str function (libr/util/he In radare2 2.5.0, there is a heap-based buffer over-read in the r_hex_bin2str function (libr/util/hex.c). Remote attackers could leverage this vulnerability to cause a denial of service via a crafted DEX file. This issue is different from CVE-2017-15368.

CVE-2018-8810 [MEDIUM] CWE-125 CVE-2018-8810: In radare2 2.4.0, there is a heap-based buffer over-read in the get_ivar_list_t function of mach0_cl In radare2 2.4.0, there is a heap-based buffer over-read in the get_ivar_list_t function of mach0_classes.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted Mach-O file.

CVE-2018-8808 [MEDIUM] CWE-125 CVE-2018-8808: In radare2 2.4.0, there is a heap-based buffer over-read in the r_asm_disassemble function of asm.c. In radare2 2.4.0, there is a heap-based buffer over-read in the r_asm_disassemble function of asm.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted dex file.

CVE-2018-8809 [MEDIUM] CWE-125 CVE-2018-8809: In radare2 2.4.0, there is a heap-based buffer over-read in the dalvik_op function of anal_dalvik.c. In radare2 2.4.0, there is a heap-based buffer over-read in the dalvik_op function of anal_dalvik.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted dex file.

CVE-2017-16805 [MEDIUM] CWE-125 CVE-2017-16805: In radare2 2.0.1, libr/bin/dwarf.c allows remote attackers to cause a denial of service (invalid rea In radare2 2.0.1, libr/bin/dwarf.c allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted ELF file, related to r_bin_dwarf_parse_comp_unit in dwarf.c and sdb_set_internal in shlr/sdb/src/sdb.c.

CVE-2017-16357 [HIGH] CWE-119 CVE-2017-16357: In radare 2.0.1, a memory corruption vulnerability exists in store_versioninfo_gnu_verdef() and stor In radare 2.0.1, a memory corruption vulnerability exists in store_versioninfo_gnu_verdef() and store_versioninfo_gnu_verneed() in libr/bin/format/elf/elf.c, as demonstrated by an invalid free. This error is due to improper sh_size validation when allocating memory.

CVE-2017-16358 [HIGH] CWE-125 CVE-2017-16358: In radare 2.0.1, an out-of-bounds read vulnerability exists in string_scan_range() in libr/bin/bin.c In radare 2.0.1, an out-of-bounds read vulnerability exists in string_scan_range() in libr/bin/bin.c when doing a string search.

CVE-2017-16359 [MEDIUM] CWE-476 CVE-2017-16359: In radare 2.0.1, a pointer wraparound vulnerability exists in store_versioninfo_gnu_verdef() in libr In radare 2.0.1, a pointer wraparound vulnerability exists in store_versioninfo_gnu_verdef() in libr/bin/format/elf/elf.c.

CVE-2017-15932 [HIGH] CWE-125 CVE-2017-15932: In radare2 2.0.1, an integer exception (negative number leading to an invalid memory access) exists In radare2 2.0.1, an integer exception (negative number leading to an invalid memory access) exists in store_versioninfo_gnu_verdef() in libr/bin/format/elf/elf.c via crafted ELF files when parsing the ELF version on 32bit systems.

CVE-2017-15931 [HIGH] CWE-125 CVE-2017-15931: In radare2 2.0.1, an integer exception (negative number leading to an invalid memory access) exists In radare2 2.0.1, an integer exception (negative number leading to an invalid memory access) exists in store_versioninfo_gnu_verneed() in libr/bin/format/elf/elf.c via crafted ELF files on 32bit systems.

CVE-2017-15385 [HIGH] CWE-119 CVE-2017-15385: The store_versioninfo_gnu_verdef function in libr/bin/format/elf/elf.c in radare2 2.0.0 allows remot The store_versioninfo_gnu_verdef function in libr/bin/format/elf/elf.c in radare2 2.0.0 allows remote attackers to cause a denial of service (r_read_le16 invalid write and application crash) or possibly have unspecified other impact via a crafted ELF file.

CVE-2017-15368 [HIGH] CWE-125 CVE-2017-15368: The wasm_dis function in libr/asm/arch/wasm/wasm.c in radare2 2.0.0 allows remote attackers to cause The wasm_dis function in libr/asm/arch/wasm/wasm.c in radare2 2.0.0 allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) or possibly have unspecified other impact via a crafted WASM file that triggers an incorrect r_hex_bin2str call.

CVE-2017-10929 [HIGH] CWE-119 CVE-2017-10929: The grub_memmove function in shlr/grub/kern/misc.c in radare2 1.5.0 allows remote attackers to cause The grub_memmove function in shlr/grub/kern/misc.c in radare2 1.5.0 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, possibly related to a read overflow in the grub_disk_read_small_real function in kern/disk.c in GNU GRUB 2.02.

CVE-2017-9949 [HIGH] CWE-787 CVE-2017-9949: The grub_memmove function in shlr/grub/kern/misc.c in radare2 1.5.0 allows remote attackers to cause The grub_memmove function in shlr/grub/kern/misc.c in radare2 1.5.0 allows remote attackers to cause a denial of service (stack-based buffer underflow and application crash) or possibly have unspecified other impact via a crafted binary file, possibly related to a buffer underflow in fs/ext2.c in GNU GRUB 2.02.

CVE-2017-9763 [HIGH] CWE-119 CVE-2017-9763: The grub_ext2_read_block function in fs/ext2.c in GNU GRUB before 2013-11-12, as used in shlr/grub/f The grub_ext2_read_block function in fs/ext2.c in GNU GRUB before 2013-11-12, as used in shlr/grub/fs/ext2.c in radare2 1.5.0, allows remote attackers to cause a denial of service (excessive stack use and application crash) via a crafted binary file, related to use of a variable-size stack array.