Updated radare2 packages fix security vulnerability
Publication date: 18 Aug 2020Modification date: 18 Aug 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2020-15121
Description
In radare2 before version 4.5.0, malformed PDB file names in the PDB server
path cause shell injection. To trigger the problem it's required to open the
executable in radare2 and run idpd to trigger the download. The shell code will
execute, and will create a file called pwned in the current directory
(CVE-2020-15121).
The radare2 package has been updated to version 4.5.0, fixing these issues and
other bugs.
Also, the radare2-cutter package has been updated to version 1.11.0.
References
- https://bugs.mageia.org/show_bug.cgi?id=27060
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7OFOJ23B5CP5XDVYTW6TTN7OFZPAIVY4/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MWC7KNBETYE5MK6VIUU26LUIISIFGSBZ/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15121
SRPMS
7/core
- radare2-4.5.0-1.mga7
- radare2-cutter-1.11.0-1.mga7