Your message dated Sun, 23 Apr 2017 21:51:58 +0000
with message-id <[email protected]>
and subject line Bug#860962: fixed in radare2 1.1.0+dfsg-5
has caused the Debian Bug report #860962,
regarding radare2: CVE-2017-7946
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
860962: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860962
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: radare2
Version: 1.1.0+dfsg-1
Severity: important
Tags: security patch
Forwarded: https://github.com/radare/radare2/issues/7301

Hi,

the following vulnerability was published for radare2.

CVE-2017-7946[0]:
| The get_relocs_64 function in libr/bin/format/mach0/mach0.c in radare2
| 1.3.0 allows remote attackers to cause a denial of service
| (use-after-free and application crash) via a crafted Mach0 file.

----cut---------cut---------cut---------cut---------cut---------cut-----
$ valgrind r2 -A r2_uaf_get_relocs_64
==19477== Memcheck, a memory error detector
==19477== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==19477== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==19477== Command: r2 -A r2_uaf_get_relocs_64
==19477== 
Warning: chopping hdr.sizeofcmds
Cannot parse dyldinfo
Warning: Cannot initialize items
==19477== Invalid read of size 4
==19477==    at 0x5C3D749: get_relocs_64 (mach0.c:1671)
==19477==    by 0x5C383CF: relocs (bin_mach0.c:325)
==19477==    by 0x5BF94EF: r_bin_object_set_items (bin.c:671)
==19477==    by 0x5BF94EF: r_bin_object_new (bin.c:1258)
==19477==    by 0x5BFA183: r_bin_file_new_from_bytes (bin.c:1438)
==19477==    by 0x5BFA183: r_bin_load_io_at_offset_as_sz (bin.c:997)
==19477==    by 0x5BFA74A: r_bin_load_io_at_offset_as (bin.c:1015)
==19477==    by 0x5BFAB5D: r_bin_load_io (bin.c:841)
==19477==    by 0x50CD0B0: r_core_file_do_load_for_io_plugin (file.c:406)
==19477==    by 0x50CD0B0: r_core_bin_load (file.c:529)
==19477==    by 0x10C344: main (radare2.c:822)
==19477==  Address 0xa54b904 is 20 bytes inside a block of size 48 free'd
==19477==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==19477==    by 0x5C3B935: init_items (mach0.c:1077)
==19477==    by 0x5C3D42E: init (mach0.c:1144)
==19477==    by 0x5C3D617: new_buf_64 (mach0.c:1207)
==19477==    by 0x5C38ECF: load_bytes (bin_mach0.c:44)
==19477==    by 0x5BF9910: r_bin_object_new (bin.c:1221)
==19477==    by 0x5BFA183: r_bin_file_new_from_bytes (bin.c:1438)
==19477==    by 0x5BFA183: r_bin_load_io_at_offset_as_sz (bin.c:997)
==19477==    by 0x5BFA74A: r_bin_load_io_at_offset_as (bin.c:1015)
==19477==    by 0x5BFAB5D: r_bin_load_io (bin.c:841)
==19477==    by 0x50CD0B0: r_core_file_do_load_for_io_plugin (file.c:406)
==19477==    by 0x50CD0B0: r_core_bin_load (file.c:529)
==19477==    by 0x10C344: main (radare2.c:822)
==19477==  Block was alloc'd at
==19477==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==19477==    by 0x5C3A2E1: init_items (mach0.c:1073)
==19477==    by 0x5C3D42E: init (mach0.c:1144)
==19477==    by 0x5C3D617: new_buf_64 (mach0.c:1207)
==19477==    by 0x5C38ECF: load_bytes (bin_mach0.c:44)
==19477==    by 0x5BF9910: r_bin_object_new (bin.c:1221)
==19477==    by 0x5BFA183: r_bin_file_new_from_bytes (bin.c:1438)
==19477==    by 0x5BFA183: r_bin_load_io_at_offset_as_sz (bin.c:997)
==19477==    by 0x5BFA74A: r_bin_load_io_at_offset_as (bin.c:1015)
==19477==    by 0x5BFAB5D: r_bin_load_io (bin.c:841)
==19477==    by 0x50CD0B0: r_core_file_do_load_for_io_plugin (file.c:406)
==19477==    by 0x50CD0B0: r_core_bin_load (file.c:529)
==19477==    by 0x10C344: main (radare2.c:822)
==19477== 
==19477== Invalid read of size 4
==19477==    at 0x5C3D74D: get_relocs_64 (mach0.c:1672)
==19477==    by 0x5C383CF: relocs (bin_mach0.c:325)
==19477==    by 0x5BF94EF: r_bin_object_set_items (bin.c:671)
==19477==    by 0x5BF94EF: r_bin_object_new (bin.c:1258)
==19477==    by 0x5BFA183: r_bin_file_new_from_bytes (bin.c:1438)
==19477==    by 0x5BFA183: r_bin_load_io_at_offset_as_sz (bin.c:997)
==19477==    by 0x5BFA74A: r_bin_load_io_at_offset_as (bin.c:1015)
==19477==    by 0x5BFAB5D: r_bin_load_io (bin.c:841)
==19477==    by 0x50CD0B0: r_core_file_do_load_for_io_plugin (file.c:406)
==19477==    by 0x50CD0B0: r_core_bin_load (file.c:529)
==19477==    by 0x10C344: main (radare2.c:822)
==19477==  Address 0xa54b914 is 36 bytes inside a block of size 48 free'd
==19477==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==19477==    by 0x5C3B935: init_items (mach0.c:1077)
==19477==    by 0x5C3D42E: init (mach0.c:1144)
==19477==    by 0x5C3D617: new_buf_64 (mach0.c:1207)
==19477==    by 0x5C38ECF: load_bytes (bin_mach0.c:44)
==19477==    by 0x5BF9910: r_bin_object_new (bin.c:1221)
==19477==    by 0x5BFA183: r_bin_file_new_from_bytes (bin.c:1438)
==19477==    by 0x5BFA183: r_bin_load_io_at_offset_as_sz (bin.c:997)
==19477==    by 0x5BFA74A: r_bin_load_io_at_offset_as (bin.c:1015)
==19477==    by 0x5BFAB5D: r_bin_load_io (bin.c:841)
==19477==    by 0x50CD0B0: r_core_file_do_load_for_io_plugin (file.c:406)
==19477==    by 0x50CD0B0: r_core_bin_load (file.c:529)
==19477==    by 0x10C344: main (radare2.c:822)
==19477==  Block was alloc'd at
==19477==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==19477==    by 0x5C3A2E1: init_items (mach0.c:1073)
==19477==    by 0x5C3D42E: init (mach0.c:1144)
==19477==    by 0x5C3D617: new_buf_64 (mach0.c:1207)
==19477==    by 0x5C38ECF: load_bytes (bin_mach0.c:44)
==19477==    by 0x5BF9910: r_bin_object_new (bin.c:1221)
==19477==    by 0x5BFA183: r_bin_file_new_from_bytes (bin.c:1438)
==19477==    by 0x5BFA183: r_bin_load_io_at_offset_as_sz (bin.c:997)
==19477==    by 0x5BFA74A: r_bin_load_io_at_offset_as (bin.c:1015)
==19477==    by 0x5BFAB5D: r_bin_load_io (bin.c:841)
==19477==    by 0x50CD0B0: r_core_file_do_load_for_io_plugin (file.c:406)
==19477==    by 0x50CD0B0: r_core_bin_load (file.c:529)
==19477==    by 0x10C344: main (radare2.c:822)
==19477== 
asm.arch: cannot find (unknown)
anal.arch: cannot find 'unknown'
asm.arch: cannot find (unknown)
anal.arch: cannot find 'unknown'
asm.arch: cannot find (unknown)
anal.arch: cannot find 'unknown'
asm.arch: cannot find (unknown)
anal.arch: cannot find 'unknown'
[...]
==19477== Invalid free() / delete / delete[] / realloc()
==19477==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==19477==    by 0x5C3C22E: mach0_free_64 (mach0.c:1159)
==19477==    by 0x5C38E83: destroy (bin_mach0.c:74)
==19477==    by 0x5BF7994: r_bin_file_free (bin.c:1075)
==19477==    by 0x84106ED: r_list_delete (list.c:93)
==19477==    by 0x841073B: r_list_purge (list.c:62)
==19477==    by 0x841076D: r_list_free (list.c:72)
==19477==    by 0x5BF7E20: r_bin_free (bin.c:1511)
==19477==    by 0x507D695: r_core_fini (core.c:1638)
==19477==    by 0x10B88F: main (radare2.c:1166)
==19477==  Address 0xa54b8f0 is 0 bytes inside a block of size 48 free'd
==19477==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==19477==    by 0x5C3B935: init_items (mach0.c:1077)
==19477==    by 0x5C3D42E: init (mach0.c:1144)
==19477==    by 0x5C3D617: new_buf_64 (mach0.c:1207)
==19477==    by 0x5C38ECF: load_bytes (bin_mach0.c:44)
==19477==    by 0x5BF9910: r_bin_object_new (bin.c:1221)
==19477==    by 0x5BFA183: r_bin_file_new_from_bytes (bin.c:1438)
==19477==    by 0x5BFA183: r_bin_load_io_at_offset_as_sz (bin.c:997)
==19477==    by 0x5BFA74A: r_bin_load_io_at_offset_as (bin.c:1015)
==19477==    by 0x5BFAB5D: r_bin_load_io (bin.c:841)
==19477==    by 0x50CD0B0: r_core_file_do_load_for_io_plugin (file.c:406)
==19477==    by 0x50CD0B0: r_core_bin_load (file.c:529)
==19477==    by 0x10C344: main (radare2.c:822)
==19477==  Block was alloc'd at
==19477==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==19477==    by 0x5C3A2E1: init_items (mach0.c:1073)
==19477==    by 0x5C3D42E: init (mach0.c:1144)
==19477==    by 0x5C3D617: new_buf_64 (mach0.c:1207)
==19477==    by 0x5C38ECF: load_bytes (bin_mach0.c:44)
==19477==    by 0x5BF9910: r_bin_object_new (bin.c:1221)
==19477==    by 0x5BFA183: r_bin_file_new_from_bytes (bin.c:1438)
==19477==    by 0x5BFA183: r_bin_load_io_at_offset_as_sz (bin.c:997)
==19477==    by 0x5BFA74A: r_bin_load_io_at_offset_as (bin.c:1015)
==19477==    by 0x5BFAB5D: r_bin_load_io (bin.c:841)
==19477==    by 0x50CD0B0: r_core_file_do_load_for_io_plugin (file.c:406)
==19477==    by 0x50CD0B0: r_core_bin_load (file.c:529)
==19477==    by 0x10C344: main (radare2.c:822)
==19477== 
==19477== 
==19477== HEAP SUMMARY:
==19477==     in use at exit: 12,934 bytes in 6 blocks
==19477==   total heap usage: 61,595 allocs, 61,590 frees, 49,376,884 bytes allocated
==19477== 
==19477== LEAK SUMMARY:
==19477==    definitely lost: 0 bytes in 0 blocks
==19477==    indirectly lost: 0 bytes in 0 blocks
==19477==      possibly lost: 0 bytes in 0 blocks
==19477==    still reachable: 12,934 bytes in 6 blocks
==19477==         suppressed: 0 bytes in 0 blocks
==19477== Rerun with --leak-check=full to see details of leaked memory
==19477== 
==19477== For counts of detected and suppressed errors, rerun with: -v
==19477== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
----cut---------cut---------cut---------cut---------cut---------cut-----

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7946
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7946
[1] https://github.com/radare/radare2/issues/7301
[2] https://github.com/radare/radare2/commit/d1e8ac62c6d978d4662f69116e30230d43033c92

Please adjust the affected versions in the BTS as needed.



-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
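The three valgrind reports in the bug report above are one defect seen from three places: init_items frees a 48-byte block on an error path but leaves the pointer in the object, the loader only logs "Cannot initialize items" and carries on, get_relocs_64 then reads through the dangling pointer (use-after-free), and the destructor frees it again (double free). The C below is an added example written for this page, not radare2's code and not the upstream fix at [2]; the struct and field names, the toy 8-byte header layout and the sample buffers are constructed for illustration. It places the buggy shape next to a hardened one that validates bounds before allocating, never leaves a freed pointer behind, and propagates the failure so later passes do not run.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of the object the trace describes; not
 * radare2's real Mach-O object. The parser copies a symbol table out of the
 * file into a heap block that later passes (relocs) and the destructor reach
 * through the object. */
struct entry { uint32_t n_strx; uint32_t n_value; };

struct obj {
    const uint8_t *buf;    /* whole file image */
    size_t buf_size;
    struct entry *items;   /* heap copy of the symbol table, or NULL */
    uint32_t n_items;
};

/* Constructed toy header, little-endian: [0..3] nsyms, [4..7] symoff, then
 * nsyms 8-byte entries at symoff. Not the real Mach-O layout. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* BUGGY shape, for contrast only (do not feed it a bad file): the table is
 * allocated, found to be out of bounds, freed, and the stale pointer stays in
 * the object. A caller that logs the failure and continues then reads it in
 * the relocs pass (use-after-free) and frees it again in the destructor
 * (double free): the three reports valgrind printed above. */
static int init_items_buggy(struct obj *o) {
    if (o->buf_size < 8) return 0;
    o->n_items = rd32(o->buf);
    uint32_t symoff = rd32(o->buf + 4);
    o->items = malloc((size_t)o->n_items * sizeof(struct entry));
    if (!o->items) return 0;
    if ((uint64_t)symoff + (uint64_t)o->n_items * sizeof(struct entry) > o->buf_size) {
        free(o->items);             /* o->items now dangles */
        return 0;                   /* and the caller ignores this */
    }
    for (uint32_t i = 0; i < o->n_items; i++) {
        o->items[i].n_strx  = rd32(o->buf + symoff + (size_t)i * 8);
        o->items[i].n_value = rd32(o->buf + symoff + symoff * 0 + (size_t)i * 8 + 4);
    }
    return 1;
}

/* FIXED: validate before allocating (64-bit arithmetic so symoff + n*8 cannot
 * wrap), only publish the pointer once the table is fully built, and report
 * failure so the loader stops instead of running later passes. */
static int init_items_fixed(struct obj *o) {
    o->items = NULL;
    o->n_items = 0;
    if (o->buf_size < 8) return 0;
    uint32_t n = rd32(o->buf), symoff = rd32(o->buf + 4);
    if ((uint64_t)symoff + (uint64_t)n * sizeof(struct entry) > o->buf_size) return 0;
    struct entry *t = calloc(n ? n : 1, sizeof *t);
    if (!t) return 0;
    for (uint32_t i = 0; i < n; i++) {
        t[i].n_strx  = rd32(o->buf + symoff + (size_t)i * 8);
        t[i].n_value = rd32(o->buf + symoff + (size_t)i * 8 + 4);
    }
    o->items = t;
    o->n_items = n;
    return 1;
}

/* Consumer: refuses to touch a table that was never initialised. */
static int get_relocs_fixed(const struct obj *o, uint32_t *sum_out) {
    if (!o->items) return -1;
    uint32_t sum = 0;
    for (uint32_t i = 0; i < o->n_items; i++) sum += o->items[i].n_value;
    *sum_out = sum;
    return 0;
}

/* Free-and-null: a second call is a no-op, so the destructor is idempotent. */
static void obj_fini(struct obj *o) {
    free(o->items);
    o->items = NULL;
    o->n_items = 0;
}

/* Loader: returns the sum of n_value over the table, or -1 if the file is rejected. */
static int64_t load_and_sum_fixed(const uint8_t *buf, size_t size) {
    struct obj o;
    memset(&o, 0, sizeof o);
    o.buf = buf;
    o.buf_size = size;
    uint32_t sum = 0;
    int ok = init_items_fixed(&o) && get_relocs_fixed(&o, &sum) == 0;
    obj_fini(&o);
    obj_fini(&o);               /* deliberate second call: no double free */
    return ok ? (int64_t)sum : -1;
}

/* Constructed inputs. GOOD: 2 symbols at offset 8 (8 + 2*8 == 24 == size).
 * BAD: 6 symbols (48 bytes, the block size in the trace) at offset 0x1000 in
 * an 8-byte file, so the table lies entirely outside the image. */
static const uint8_t GOOD[24] = {
    2,0,0,0,  8,0,0,0,
    1,0,0,0,  0x10,0,0,0,
    2,0,0,0,  0x20,0,0,0,
};
static const uint8_t BAD[8] = { 6,0,0,0,  0x00,0x10,0,0 };

int main(void) {
    struct obj b = { GOOD, sizeof GOOD, NULL, 0 };
    printf("buggy init on GOOD -> %d\n", init_items_buggy(&b));   /* safe on a valid file */
    free(b.items);
    printf("GOOD -> %lld\n", (long long)load_and_sum_fixed(GOOD, sizeof GOOD));
    printf("BAD  -> %lld\n", (long long)load_and_sum_fixed(BAD, sizeof BAD));
    return 0;
}
```

Build with `-fsanitize=address` (or run under valgrind as the reporter did) when exercising the buggy variant on a crafted file: the first read of the dangling table is flagged immediately, which is the quickest way to confirm a fix of this shape actually removes the stale pointer rather than just avoiding one of the reads.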
--- Begin Message ---
Source: radare2
Source-Version: 1.1.0+dfsg-5

We believe that the bug you reported is fixed in the latest version of
radare2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Reichel <[email protected]> (supplier of updated radare2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 23 Apr 2017 23:20:16 +0200
Source: radare2
Binary: radare2 libradare2-1.1 libradare2-dev libradare2-common
Architecture: source amd64 all
Version: 1.1.0+dfsg-5
Distribution: unstable
Urgency: high
Maintainer: Sebastian Reichel <[email protected]>
Changed-By: Sebastian Reichel <[email protected]>
Description:
 libradare2-1.1 - libraries from the radare2 suite
 libradare2-common - arch independent files from the radare2 suite
 libradare2-dev - devel files from the radare2 suite
 radare2    - free and advanced command line hexadecimal editor
Closes: 860962
Changes:
 radare2 (1.1.0+dfsg-5) unstable; urgency=high
 .
   * Add upstream patch to fix security bug
     - CVE-2017-7946 (Closes: #860962)
       The get_relocs_64 function in libr/bin/format/mach0/mach0.c in
       radare2 1.3.0 allows remote attackers to cause a denial of service
       (use-after-free and application crash) via a crafted Mach0 file.
Checksums-Sha1:
 f530e9f69e1460686b589713fb47ba5632c950d5 2234 radare2_1.1.0+dfsg-5.dsc
 b8d65dbf48577c57c449d653c63c5bb9b0bace62 26024 radare2_1.1.0+dfsg-5.debian.tar.xz
 2c1c48832b4246383acc1a062b5205c590a0661f 8648204 libradare2-1.1-dbgsym_1.1.0+dfsg-5_amd64.deb
 41099904e5c2a89aaac8b3311462593b2abf67a3 2054764 libradare2-1.1_1.1.0+dfsg-5_amd64.deb
 814ea93429948282647ee55e5a10eb03a0a5dc9d 522278 libradare2-common_1.1.0+dfsg-5_all.deb
 c4b3d22465f2fe60d1bd27aa95e1791c5decaa66 146684 libradare2-dev_1.1.0+dfsg-5_amd64.deb
 c41cdc55da34bc84f1fa35d2c9232b3cdd633fe1 294782 radare2-dbgsym_1.1.0+dfsg-5_amd64.deb
 2aa808f02e2b572b712fcd53de7285a688d56d1d 9220 radare2_1.1.0+dfsg-5_amd64.buildinfo
 e150793f5118463b5b453fbf0d5b81636e0045a4 151614 radare2_1.1.0+dfsg-5_amd64.deb
Checksums-Sha256:
 68e942777bff7db6b45369fa378ff153af99b72f4839278c27ffc4a593138a77 2234 radare2_1.1.0+dfsg-5.dsc
 17f0c189fc93f587e495056a1ad8f1110a57716491acf02e74d524daaa7c0aff 26024 radare2_1.1.0+dfsg-5.debian.tar.xz
 bde55cabb4fd9db9bde26c84ada0e71a6f6e03a56f27fe485bd8d0f53aae373d 8648204 libradare2-1.1-dbgsym_1.1.0+dfsg-5_amd64.deb
 8f743e822f201a38b734f7e7cdf65589da14a37b9a51dbc3e1f82db8f3224741 2054764 libradare2-1.1_1.1.0+dfsg-5_amd64.deb
 91a1863cd8dac84ab1c277b8c05ce11deefc0d7c82137910c5234160f23713a8 522278 libradare2-common_1.1.0+dfsg-5_all.deb
 08d461a8c261810aeb96088825e0204ea16538e365822c2f1c9cafaaf2c1aca8 146684 libradare2-dev_1.1.0+dfsg-5_amd64.deb
 1efce8e450cedc664f9b4378775fa2aad1b0b4cc027780585269a759a0490c13 294782 radare2-dbgsym_1.1.0+dfsg-5_amd64.deb
 444044f364911ec5074e78858d6846d2da3f8b10277402dba9a35f469182288d 9220 radare2_1.1.0+dfsg-5_amd64.buildinfo
 02d5f2f13d4a9732ab31cf054c39aae12ebb424eb0822354e91a36cf647c1d95 151614 radare2_1.1.0+dfsg-5_amd64.deb
Files:
 4b408b02282a2c12a6b104a22709ba70 2234 devel extra radare2_1.1.0+dfsg-5.dsc
 52e850880dc4dbf66eb0c8f2e48227bc 26024 devel extra radare2_1.1.0+dfsg-5.debian.tar.xz
 3a5f136a5a675c9ff4e8ce76964ec271 8648204 debug extra libradare2-1.1-dbgsym_1.1.0+dfsg-5_amd64.deb
 dea0c355df1a134ff932204dd2854528 2054764 libs extra libradare2-1.1_1.1.0+dfsg-5_amd64.deb
 857057bc02dd8ad9d256ffb10d8b96d4 522278 devel extra libradare2-common_1.1.0+dfsg-5_all.deb
 1deb5f5eb3bad1be0dcd3ab24896ab8d 146684 libdevel extra libradare2-dev_1.1.0+dfsg-5_amd64.deb
 147068d8fca559d9bba41c07bb412173 294782 debug extra radare2-dbgsym_1.1.0+dfsg-5_amd64.deb
 6c365869f8bb7833b7ecde78466fa400 9220 devel extra radare2_1.1.0+dfsg-5_amd64.buildinfo
 f6b0947a462e710d855b5e53f5c64976 151614 devel extra radare2_1.1.0+dfsg-5_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---