Your message dated Thu, 14 May 2026 21:34:08 +0000
with message-id <[email protected]>
and subject line Bug#1132232: fixed in radare2 6.1.4+ds-1
has caused the Debian Bug report #1132232,
regarding radare2: CVE-2026-4174
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1132232: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132232
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: radare2
Version: 6.0.7+ds-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/radareorg/radare2/issues/25482
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for radare2.
CVE-2026-4174[0]:
| A vulnerability has been found in Radare2 5.9.9. This issue affects
| the function walk_exports_trie of the file
| libr/bin/format/mach0/mach0.c of the component Mach-O File Parser.
| Such manipulation leads to resource consumption. The attack can only
| be performed from a local environment. The exploit has been
| disclosed to the public and may be used. The existence of this
| vulnerability is still disputed at present. Upgrading to version
| 6.1.2 is capable of addressing this issue. The name of the patch is
| 4371ae84c99c46b48cb21badbbef06b30757aba0. You should upgrade the
| affected component. The code maintainer states that, "[he] won't
| consider this bug a DoS".
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-4174
https://www.cve.org/CVERecord?id=CVE-2026-4174
[1] https://github.com/radareorg/radare2/issues/25482
[2] https://github.com/radareorg/radare2/commit/4371ae84c99c46b48cb21badbbef06b30757aba0
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: radare2
Source-Version: 6.1.4+ds-1
Done: Alex Myczko <[email protected]>
We believe that the bug you reported is fixed in the latest version of
radare2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alex Myczko <[email protected]> (supplier of updated radare2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 15 Apr 2026 17:45:24 +0000
Source: radare2
Architecture: source
Version: 6.1.4+ds-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Security Tools <[email protected]>
Changed-By: Alex Myczko <[email protected]>
Closes: 1132232 1134621 1134622 1134885 1134886 1134893
Changes:
 radare2 (6.1.4+ds-1) experimental; urgency=medium
 .
   * New upstream version.
     (Closes: #1132232) (CVE-2026-4174)
     (Closes: #1134621) (CVE-2026-40527)
     (Closes: #1134622) (CVE-2026-40499)
     (Closes: #1134885) (CVE-2026-6940)
     (Closes: #1134886) (CVE-2026-6941)
     (Closes: #1134893) (CVE-2026-40517)
   * d/control:
     - add acr to build-depends.
     - drop Rules-Requires-Root.
   * Bump standards version to 4.7.4.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---