Bug 2245328 (CVE-2023-5686)

Summary: CVE-2023-5686 radare2: heap-buffer-overflow in /radare2/shlr/java/code.c:211:21 in java_print_opcode
Product: [Other] Security Response
Component: vulnerability
Reporter: Robb Gatica <rgatica>
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: low
Priority: low
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: radare2 5.9.0
Bug Depends On: 2245329, 2245330

Description Robb Gatica 2023-10-20 20:07:36 UTC
Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.9.0. According to comments in the Huntr bug report and GitHub commit, this is an OOB read in the heap, which causes UB when disassembling an instruction using the Java decoder. So it may not be exploitable because it just returns an invalid value instead of "not enough bytes to decode the instruction". The issue has been fixed in radare2 5.9.0.

References:
- https://github.com/radareorg/radare2/commit/1bdda93e348c160c84e30da3637acef26d0348de
- https://huntr.com/bounties/bbfe1f76-8fa1-4a8c-909d-65b16e970be0
- https://nvd.nist.gov/vuln/detail/CVE-2023-5686
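The description above says the Java decoder read operand bytes past the end of the heap buffer instead of reporting that there were not enough bytes to decode the instruction. The C program below is an added example, not radare2's code and not the fixed function from the linked commit: it is a minimal JVM opcode printer written in the vulnerable shape (operand length taken from the opcode table, never compared with the bytes the caller actually has) next to the checked shape that returns "not enough bytes". The opcode numbers and operand sizes (nop, bipush, sipush, goto, ireturn) are the JVM's; the function names, the opcode table, and the sample buffers are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not radare2's code. Opcode numbers and operand sizes are
 * real JVM values; the names, table and sample buffers are constructed. */
typedef struct {
    uint8_t opcode;
    const char *name;
    uint8_t operand_bytes;          /* bytes that follow the opcode byte */
} jvm_op_t;

static const jvm_op_t OPS[] = {
    { 0x00, "nop",     0 },
    { 0x10, "bipush",  1 },         /* signed 8-bit immediate */
    { 0x11, "sipush",  2 },         /* signed 16-bit immediate, big-endian */
    { 0xa7, "goto",    2 },         /* signed 16-bit branch offset */
    { 0xac, "ireturn", 0 },
};

static const jvm_op_t *lookup(uint8_t opcode) {
    for (size_t i = 0; i < sizeof OPS / sizeof OPS[0]; i++)
        if (OPS[i].opcode == opcode) return &OPS[i];
    return NULL;
}

/* Renders opcode plus operands. Assumes the caller has already verified
 * that op->operand_bytes bytes really follow buf[0]. */
static void format_op(const jvm_op_t *op, const uint8_t *buf, char *out, size_t outlen) {
    switch (op->operand_bytes) {
    case 0:  snprintf(out, outlen, "%s", op->name); break;
    case 1:  snprintf(out, outlen, "%s %d", op->name, (int)(int8_t)buf[1]); break;
    default: snprintf(out, outlen, "%s %d", op->name,
                      (int)(int16_t)(uint16_t)((buf[1] << 8) | buf[2])); break;
    }
}

/* Vulnerable shape: there is no length parameter at all, so the operand
 * count from the table is trusted blindly. Given a 1-byte heap buffer
 * holding 0x11 (sipush) this reads buf[1] and buf[2] past the allocation,
 * the heap OOB read the report describes. Only call it on complete input. */
int print_opcode_unchecked(const uint8_t *buf, char *out, size_t outlen) {
    const jvm_op_t *op = lookup(buf[0]);
    if (!op) { snprintf(out, outlen, "invalid"); return -1; }
    format_op(op, buf, out, outlen);
    return 1 + op->operand_bytes;
}

/* Checked shape: compare the table's operand length with the bytes the
 * caller actually has before touching any operand byte. Returns the
 * instruction length, or -1 with "not enough bytes" / "invalid" in out. */
int print_opcode_checked(const uint8_t *buf, size_t len, char *out, size_t outlen) {
    if (len < 1) { snprintf(out, outlen, "not enough bytes"); return -1; }
    const jvm_op_t *op = lookup(buf[0]);
    if (!op) { snprintf(out, outlen, "invalid"); return -1; }
    if (len < (size_t)1 + op->operand_bytes) {
        snprintf(out, outlen, "not enough bytes");
        return -1;
    }
    format_op(op, buf, out, outlen);
    return 1 + op->operand_bytes;
}

/* Constructed inputs: a complete "sipush 256", the same opcode cut off
 * after its first byte, and a backward "goto -2". */
const uint8_t SAMPLE_SIPUSH[3]    = { 0x11, 0x01, 0x00 };
const uint8_t SAMPLE_TRUNCATED[1] = { 0x11 };
const uint8_t SAMPLE_GOTO_BACK[3] = { 0xa7, 0xff, 0xfe };

/* Returns 1 when the checked decoder renders buf as `expected`. */
int checked_renders(const uint8_t *buf, size_t len, const char *expected) {
    char out[32];
    print_opcode_checked(buf, len, out, sizeof out);
    return strcmp(out, expected) == 0;
}

/* Returns the length the checked decoder reports for buf (-1 on error). */
int checked_length(const uint8_t *buf, size_t len) {
    char out[32];
    return print_opcode_checked(buf, len, out, sizeof out);
}

int main(void) {
    /* Put the truncated instruction in its own heap allocation, so a read
     * past it by the unchecked decoder would be a real heap overflow. */
    uint8_t *heap = malloc(sizeof SAMPLE_TRUNCATED);
    memcpy(heap, SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED);
    char out[32];
    int n = print_opcode_checked(heap, sizeof SAMPLE_TRUNCATED, out, sizeof out);
    printf("checked on truncated input:   %s (%d)\n", out, n);
    n = print_opcode_unchecked(SAMPLE_SIPUSH, out, sizeof out);
    printf("unchecked on complete input:  %s (%d)\n", out, n);
    free(heap);
    return 0;
}
```

Building with `-fsanitize=address` and calling `print_opcode_unchecked(heap, ...)` on the 1-byte allocation in `main` reports a heap-buffer-overflow read, which is the ASan finding class the summary names; the checked variant returns -1 on the same buffer without reading past it.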

Comment 1 Robb Gatica 2023-10-20 20:07:54 UTC
Created radare2 tracking bugs for this issue:

Affects: epel-all [bug 2245329]
Affects: fedora-all [bug 2245330]