Mageia: 2020-0329 Moderate: radare2 Shell Injection Issue
mageia
August 18, 2020
In radare2 before version 4.5.0, malformed PDB file names in the PDB server path cause shell injection
Summary
In radare2 before version 4.5.0, malformed PDB file names in the PDB server
path cause shell injection. To trigger the problem it's required to open the
executable in radare2 and run idpd to trigger the download. The shell code will
execute, and will create a file called pwned in the current directory
(CVE-2020-15121).
The radare2 package has been updated to version 4.5.0, fixing these issues and
other bugs.
Also, the radare2-cutter package has been updated to version 1.11.0.
References
- https://bugs.mageia.org/show_bug.cgi?id=27060
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7OFOJ23B5CP5XDVYTW6TTN7OFZPAIVY4/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MWC7KNBETYE5MK6VIUU26LUIISIFGSBZ/
- https://www.cve.org/CVERecord?id=CVE-2020-15121
Resolution
SRPMS
- 7/core/radare2-4.5.0-1.mga7
- 7/core/radare2-cutter-1.11.0-1.mga7
PREVIOUS 
NEXT Severity
important
Lowest
Low
Medium
High
Critical
Publication date: 18 Aug 2020
URL: https://advisories.mageia.org/MGASA-2020-0329.html
Type: security
CVE: CVE-2020-15121
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!