Bug 2329102 (CVE-2024-11858)

Summary: CVE-2024-11858 radare2: Command Injection via Pebble Application Files in Radare2
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Radare2, which contains a command injection vulnerability caused by insufficient input validation when handling Pebble Application files. Maliciously crafted inputs can inject shell commands during command parsing, leading to unintended behavior during file processing​
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2329104, 2329105, 2329106, 2329107, 2329108    
Bug Blocks:    

Description OSIDB Bzimport 2024-11-27 09:42:52 UTC 
The vulnerability in Radare2 affects versions up to and including 5.9.8. When processing malicious Pebble Application files, Radare2 improperly sanitizes user-controlled input, leading to command injection. This allows arbitrary shell commands to execute during file handling. The issue was confirmed in version 5.9.7 on Linux x86-64 and demonstrated with a Base64-encoded test file​