{"id":"MGASA-2022-0440","summary":"Updated radare2/rizin packages fix security vulnerability","details":"In radare2 through 5.3.0 there is a double free vulnerability in the pyc\nparse via a crafted file which can lead to DoS. (CVE-2021-32613)\n\nA vulnerability was found in Radare2 in version 5.3.1. Improper input\nvalidation when reading a crafted LE binary can lead to resource\nexhaustion and DoS. (CVE-2021-3673)\n\nA vulnerability was found in Radare2 in versions prior to 5.6.2, 5.6.0,\n5.5.4 and 5.5.2. Mapping a huge section filled with zeros of an ELF64\nbinary for MIPS architecture can lead to uncontrolled resource consumption\nand DoS. (CVE-2021-4021)\n\nradareorg radare2 version 5.5.2 is vulnerable to NULL Pointer Dereference\nvia libr/bin/p/bin_symbols.c binary symbol parser. (CVE-2021-44974)\n\nradareorg radare2 5.5.2 is vulnerable to Buffer Overflow via\n/libr/core/anal_objc.c mach-o parser. (CVE-2021-44975)\n\nradare2 is vulnerable to Out-of-bounds Read. (CVE-2022-0173)\n\nNULL Pointer Dereference in GitHub repository radareorg/radare2 prior to\n5.6.0. (CVE-2022-0419)\n\nDenial of Service in GitHub repository radareorg/radare2 prior to 5.6.4.\n(CVE-2022-0476)\n\nHeap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to\n5.6.2. (CVE-2022-0518)\n\nBuffer Access with Incorrect Length Value in GitHub repository\nradareorg/radare2 prior to 5.6.2. (CVE-2022-0519)\n\nUse After Free in NPM radare2.js prior to 5.6.2. (CVE-2022-0520)\n\nAccess of Memory Location After End of Buffer in GitHub repository\nradareorg/radare2 prior to 5.6.2. (CVE-2022-0521)\n\nAccess of Memory Location Before Start of Buffer in NPM radare2.js prior\nto 5.6.2. (CVE-2022-0522)\n\nExpired Pointer Dereference in GitHub repository radareorg/radare2 prior\nto 5.6.2. (CVE-2022-0523)\n\nUse After Free in GitHub repository radareorg/radare2 prior to 5.6.2.\n(CVE-2022-0559)\n\nHeap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to\n5.6.4. (CVE-2022-0676)\n\nDenial of Service in GitHub repository radareorg/radare2 prior to 5.6.4.\n(CVE-2022-0695)\n\nNULL Pointer Dereference in GitHub repository radareorg/radare2 prior to\n5.6.4. (CVE-2022-0712)\n\nHeap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to\n5.6.4. (CVE-2022-0713)\n","modified":"2026-02-02T15:52:22.565821Z","published":"2022-11-27T20:51:49Z","related":["CVE-2021-32613","CVE-2021-3673","CVE-2021-4021","CVE-2021-44974","CVE-2021-44975","CVE-2022-0173","CVE-2022-0419","CVE-2022-0476","CVE-2022-0518","CVE-2022-0519","CVE-2022-0520","CVE-2022-0521","CVE-2022-0522","CVE-2022-0523","CVE-2022-0559","CVE-2022-0676","CVE-2022-0695","CVE-2022-0712","CVE-2022-0713"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2022-0440.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=29163"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/V2UL4V4XKSFJVNNUMFV443UJXGDBYGS4/"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JIARALLVVY2362AYFSFULTZKIW6QO5R5/"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IQIRJ72UALGMSWH6MYPVJQQLXFGZ23RS/"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/E6YBRQ3UCFWJVSOYIKPVUDASZ544TFND/"},{"type":"REPORT","url":"https://www.openwall.com/lists/oss-security/2022/05/25/1"},{"type":"REPORT","url":"https://census-labs.com/news/2022/05/24/multiple-vulnerabilities-in-radare2/"}],"affected":[{"package":{"name":"radare2","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/radare2?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.6.4-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0440.json"}},{"package":{"name":"radare2-cutter","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/radare2-cutter?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.0.4-2.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0440.json"}},{"package":{"name":"rizin","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/rizin?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.3.1-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0440.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}