type: security
subject: Updated radare2 packages fix security vulnerability
CVE:
  - CVE-2020-15121
src:
  7:
    core:
      - radare2-4.5.0-1.mga7
      - radare2-cutter-1.11.0-1.mga7
description: |
  In radare2 before version 4.5.0, malformed PDB file names in the PDB server
  path cause shell injection. To trigger the problem it's required to open the
  executable in radare2 and run idpd to trigger the download. The shell code will
  execute, and will create a file called pwned in the current directory
  (CVE-2020-15121).

  The radare2 package has been updated to version 4.5.0, fixing these issues and
  other bugs.

  Also, the radare2-cutter package has been updated to version 1.11.0.
references:
  - https://bugs.mageia.org/show_bug.cgi?id=27060
  - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7OFOJ23B5CP5XDVYTW6TTN7OFZPAIVY4/
  - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MWC7KNBETYE5MK6VIUU26LUIISIFGSBZ/
ID: MGASA-2020-0329