Source: radare2 X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security
Hi, The following vulnerabilities were published for radare2. CVE-2022-34502[0]: | Radare2 v5.7.0 was discovered to contain a heap buffer overflow via | the function consume_encoded_name_new at format/wasm/wasm.c. This | vulnerability allows attackers to cause a Denial of Service (DoS) via | a crafted binary file. https://github.com/radareorg/radare2/issues/20336 https://github.com/radareorg/radare2/commit/b4ca66f5d4363d68a6379e5706353b3bde5104a4 (5.7.2) CVE-2022-34520[1]: | Radare2 v5.7.2 was discovered to contain a NULL pointer dereference | via the function r_bin_file_xtr_load_buffer at bin/bfile.c. This | vulnerability allows attackers to cause a Denial of Service (DOS) via | a crafted binary file. https://github.com/radareorg/radare2/issues/20354 https://github.com/radareorg/radare2/commit/fc285cecb8469f0262db0170bf6dd7c01d9b8ed5 (5.7.4) If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-34502 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34502 [1] https://security-tracker.debian.org/tracker/CVE-2022-34520 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34520 Please adjust the affected versions in the BTS as needed.