CVE-2022-1240

NameCVE-2022-1240
DescriptionHeap buffer overflow in libr/bin/format/mach0/mach0.c in GitHub repository radareorg/radare2 prior to 5.8.6. If address sanitizer is disabled during the compiling, the program should executes into the `r_str_ncpy` function. Therefore I think it is very likely to be exploitable. For more general description of heap buffer overflow, see [CWE](https://cwe.mitre.org/data/definitions/122.html).
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs1014478

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
radare2 (PTS)sid5.5.0+dfsg-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
radare2source(unstable)(unfixed)1014478

Notes

https://huntr.dev/bounties/e589bd97-4c74-4e79-93b5-0951a281facc
https://github.com/radareorg/radare2/commit/ca8d8b39f3e34a4fd943270330b80f1148129de4

Search for package or bug name: Reporting problems