{"id":"MGASA-2020-0100","summary":"Updated radare2 packages fix security vulnerabilities","details":"Updated radare2 packages fix security vulnerabilities:\n\nA vulnerability was found in radare2 through 4.0, there is an integer\noverflow for the variable new_token_size in the function r_asm_massemble\nat libr/asm/asm.c. This integer overflow will result in a Use-After-Free\nfor the buffer tokens, which can be filled with arbitrary malicious data\nafter the free. This allows remote attackers to cause a denial of service\n(application crash) or possibly execute arbitrary code via crafted input\n(CVE-2019-19590).\n\nradare2 through 4.0.0 lacks validation of the content variable in the\nfunction r_asm_pseudo_incbin at libr/asm/asm.c, ultimately leading to an\narbitrary write. This allows remote attackers to cause a denial of service\n(application crash) or possibly have unspecified other impact via crafted\ninput (CVE-2019-19647).\n\nThe radare2 package has been updated to version 4.2.1, fixing these issues\nand other bugs.\n\nAlso, the radare2-cutter package has been updated to version 1.10.1.\n","modified":"2026-04-16T00:11:49.392149093Z","published":"2020-02-24T21:44:46Z","upstream":["CVE-2019-19590","CVE-2019-19647"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2020-0100.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=26232"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DUW4XXPI6XCI2G4X22EP3TKU2APLQ5XD/"}],"affected":[{"package":{"name":"radare2","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/radare2?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.2.1-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0100.json"}},{"package":{"name":"radare2-cutter","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/radare2-cutter?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.10.1-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0100.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}