Source: radare2
Severity: grave
Tags: security

It is understandable (and normal for most software) that upstream
is not able or willing to provide security support for the old
version shipped in stable distribution releases.

But below seems to be upstream actively encouraging exploiting
the version in stable.

AFAIK Debian in general tries to avoid shipping software when upstream
strongly objects to it, or is openly hostile towards Debian.

<--  snip  -->

https://rada.re/con/2019/

PwnDebian

Since the very beginning of radare development we had people complaining of bugs
because they were using the 3-4 year old version shipped in their distro. We
tried to work with everyone who ships builds of r2 to always get updates and
merge back their patches upstream so everyone gets benefit out of it.

But that has been not enough. In github/radare2 we can check out most of
known/used Linux and BSD distros and the shipped r2 version, and it's pretty
clear that Debian/Ubuntu stopped updating those packages a long time ago (3.2.1).
Yes, the 0.9.6 drama is over.

The aim of this competition is to publish a working exploit for radare2 on
Debian stable (nowadays, unstable keeps the same version). To show that
debian-security and backporting patches is not solving enough when distributing
such state-of-the-art packages.

In order to win this competition, we will accept only 1 working exploit (the
first one to submit it) for radare2-3.2.1 (built for x86-64 debian/stable).
Additional points will be given for writing some notes or presenting at r2con
the way the vuln was found and how the exploit was developed.