MGASA-2020-0329

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2020-0329.html

Import Source

https://advisories.mageia.org/MGASA-2020-0329.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2020-0329

Related

CVE-2020-15121

Published

2020-08-18T17:41:27Z

Modified

2020-08-18T16:51:55Z

Summary

Updated radare2 packages fix security vulnerability

Details

In radare2 before version 4.5.0, malformed PDB file names in the PDB server path cause shell injection. To trigger the problem it's required to open the executable in radare2 and run idpd to trigger the download. The shell code will execute, and will create a file called pwned in the current directory (CVE-2020-15121).

The radare2 package has been updated to version 4.5.0, fixing these issues and other bugs.

Also, the radare2-cutter package has been updated to version 1.11.0.

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:7 / radare2

Package

Name: radare2
Purl: pkg:rpm/mageia/radare2?arch=source&distro=mageia-7

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.5.0-1.mga7

Ecosystem specific

{
    "section": "core"
}

Mageia:7 / radare2-cutter

Package

Name: radare2-cutter
Purl: pkg:rpm/mageia/radare2-cutter?arch=source&distro=mageia-7

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.11.0-1.mga7

Ecosystem specific

{
    "section": "core"
}