[Secure-testing-team] Bug#858873: radare2: CVE-2017-7274
Salvatore Bonaccorso
carnil at debian.org
Tue Mar 28 04:37:19 UTC 2017
Source: radare2
Version: 1.3.0+dfsg-1
Severity: important
Tags: security upstream patch
Forwarded: https://github.com/radare/radare2/issues/7152
Hi,

the following vulnerability was published for radare2.

CVE-2017-7274[0]:
| The r_pkcs7_parse_cms function in libr/util/r_pkcs7.c in radare2 1.3.0
| allows remote attackers to cause a denial of service (NULL pointer
| dereference and application crash) via a crafted PE file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

AFAICS the version in sid is not affected, since the corresponding
parsers were added only in 1.3.0. Would be great if you can confirm.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7274
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7274
[1] https://github.com/radare/radare2/issues/7152
[2] https://github.com/radare/radare2/commit/7ab66cca5bbdf6cb2d69339ef4f513d95e532dbf

Regards,
Salvatore