Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1770916 (CVE-2019-16718)

Summary: CVE-2019-16718 radare2: command injection vulnerability in bin_symbols() in libr/core/cbin.c
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: rebus, rschirone91
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-04-19 14:03:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1770918    
Bug Blocks:    

Description Guilherme de Almeida Suckevicz 2019-11-11 13:42:41 UTC
In radare2 before 3.9.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c. By using a crafted executable file, it's possible to execute arbitrary shell commands with the permissions of the victim. This vulnerability is due to an insufficient fix for CVE-2019-14745 and improper handling of symbol names embedded in executables.

Upstream commits:
https://github.com/radareorg/radare2/commit/5411543a310a470b1257fb93273cdd6e8dfcb3af
https://github.com/radareorg/radare2/commit/dd739f5a45b3af3d1f65f00fe19af1dbfec7aea7

Comment 1 Guilherme de Almeida Suckevicz 2019-11-11 13:44:28 UTC
Created radare2 tracking bugs for this issue:

Affects: epel-7 [bug 1770918]

Comment 2 Michal Ambroz 2021-04-17 03:12:42 UTC
I believe this bug should be closed, please can you confirm?

Comment 3 Guilherme de Almeida Suckevicz 2021-04-19 14:03:57 UTC
Closing bug, thanks!