CVE-2019-14745

NameCVE-2019-14745
DescriptionIn radare2 before 3.7.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c. By using a crafted executable file, it's possible to execute arbitrary shell commands with the permissions of the victim. This vulnerability is due to improper handling of symbol names embedded in executables.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs934204

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
radare2 (PTS)jessie0.9.6-3.1+deb8u1vulnerable
stretch1.1.0+dfsg-5vulnerable
bullseye, sid, buster3.2.1+dfsg-5vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
radare2source(unstable)(unfixed)934204

Notes

[buster] - radare2 <no-dsa> (Minor issue)
[stretch] - radare2 <no-dsa> (Minor issue)
https://github.com/radare/radare2/pull/14690
When fixing this ussue make sure to not only apply the initial commits but
as well the followups to avoid opening CVE-2019-16718:
https://github.com/radareorg/radare2/commit/5411543a310a470b1257fb93273cdd6e8dfcb3af
https://github.com/radareorg/radare2/commit/dd739f5a45b3af3d1f65f00fe19af1dbfec7aea7

Search for package or bug name: Reporting problems