1

Topic: radare2 CVE topic.

I see the Hyperbola extra git repository shows

minetest: remove package, upstream has no interest to work together for older versions

and the package radare2 shows in its SECURITY.md file

# Security Policies and Procedures

We take security seriously, and encourage everyone to use the last version of
radare2 from git if possible. We do not backport security fixes to old
releases.

Security bugs are considered top priority and a fix is required within 24 hours
of disclosure.

https://github.com/radare/radare2/archi … 7.8.tar.gz

Though there may have been a possible backport of minetest's CVE-2022-35978 problem at

https://github.com/minetest/minetest/co … 25d141ca13

and

https://forums.hyperbola.info/viewtopic … 7719#p7719

I see it can be hard to work on patches and backports as

https://wiki.hyperbola.info/doku.php?id … e_packages

shows

There is no easy patch!

Please be also aware that even if it would be possible to patch several dependencies out for packaging a concrete version: This patch would only work for a concrete version and release. With any new released version the whole work would be done again or even worse is no longer possible. Also take into your perspective that even a questionable dependency is once optional it may be changed in coming new releases. For a small system and project like Hyperbola this is not acceptable. You cannot select the fitting convenient way, just some packages are not fitting and others do. Either to follow the whole strict way for not ignoring issues or staying pragmatic. The decision for the project is oriented onto not ignore all issues!

and also at the incompatible packages page of Hyperbola's

Also to add: It is surely not always the newest version of a software-package needed or the safe spot for security afterwards. When a package always needs the newest version for being “safe” it should be more questioned in its quality of code and design.

so I thought about looking at

https://cve.mitre.org/cgi-bin/cvekey.cg … rd=radare2

to see if there were any problems in radare2.

I saw

There are 129 CVE Records that match your search.

though some may be older and fixed, there are some that may affect radare2 v.0.9.7 through v.5.8.6 as well as later ones.

Like the first 2 of 129 show

CVE-2024-26475     An issue in radareorg radare2 v.0.9.7 through v.5.8.6 and fixed in v.5.8.8 allows a local attacker to cause a denial of service via the grub_sfs_read_extent function.
CVE-2023-5686     Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.9.0.

I do not know what this "denial of service via the grub_sfs_read_extent function" affects or causes a denial of though. Or if Hyperbola's radare2 also has problems or not. As Hyperbola's radare2 may be version 5.7.8.

So I hope this report-like post helps.
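As an added example (not code from the thread, from Hyperbola or from the radare2 project), the following Python script answers the question raised above: does the version range stated in a CVE description cover the radare2 version a distribution ships? It embeds the two CVE descriptions quoted in the post as constructed sample records, and the regular expressions are assumptions about those two phrasings ("vX through vY and fixed in vZ" and "prior to Z"), not a general parser for CVE text. The installed version 5.7.8 is the one the post guesses for Hyperbola.

```python
"""Check an installed version against the affected range stated in a CVE description.

Added example; the parsing rules below are assumptions about the two phrasings
seen in the post, not an official CVE data format.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample: the two CVE descriptions quoted in the post above.
CVE_RECORDS = [
    ("CVE-2024-26475",
     "An issue in radareorg radare2 v.0.9.7 through v.5.8.6 and fixed in v.5.8.8 "
     "allows a local attacker to cause a denial of service via the "
     "grub_sfs_read_extent function."),
    ("CVE-2023-5686",
     "Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.9.0."),
]

# Matches "v.5.8.6", "v5.8.6" or "5.8.6"; at least one dotted component is required
# so that the "2" in "radare2" is never taken for a version.
_VER = r"v?\.?(\d+(?:\.\d+)+)"


def parse_version(text: str) -> Version:
    """'v.5.8.6', 'v5.8.6' and '5.8.6' all become (5, 8, 6)."""
    return tuple(int(part) for part in re.sub(r"^v\.?", "", text.strip()).split("."))


def affected_range(description: str) -> Tuple[Optional[Version], Optional[Version]]:
    """Return (first_affected, first_fixed) extracted from a CVE description.

    first_affected None means "every earlier version"; first_fixed is exclusive.
    If no fix version is stated, the upper bound is placed just above the last
    version listed as affected, so that version itself still counts as affected.
    """
    first = last = fixed = None
    m = re.search(rf"{_VER}\s+through\s+{_VER}", description)
    if m:
        first, last = parse_version(m.group(1)), parse_version(m.group(2))
    m = re.search(rf"fixed in\s+{_VER}", description)
    if m:
        fixed = parse_version(m.group(1))
    m = re.search(rf"prior to\s+{_VER}", description)
    if m:
        fixed = parse_version(m.group(1))
    if fixed is None and last is not None:
        # Smallest tuple strictly greater than `last`: (5, 8, 6) -> (5, 8, 6, 1).
        fixed = last + (1,)
    return first, fixed


def is_affected(installed: str, description: str) -> bool:
    """True when the installed version lies inside the stated range."""
    ver = parse_version(installed)
    first, fixed = affected_range(description)
    if first is None and fixed is None:
        # Nothing parseable: do not guess, leave it for manual triage.
        return False
    if first is not None and ver < first:
        return False
    if fixed is not None and ver >= fixed:
        return False
    return True


def triage(installed: str, records=CVE_RECORDS) -> List[str]:
    """IDs of the records whose stated range covers the installed version."""
    return [cve for cve, desc in records if is_affected(installed, desc)]


if __name__ == "__main__":
    for version in ("5.7.8", "5.8.8", "5.9.0"):
        print(version, "->", triage(version))
```

For the version the post assumes, both records come back as affected; at 5.8.8 only the heap overflow record remains, and at 5.9.0 neither does. Records whose text cannot be parsed are reported as not affected by design, so a real triage run should list those separately rather than silently drop them.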

2

Re: radare2 CVE topic.

Mixing minetest in with radare2 is not working: The CVE reported would have been possible to patch, but maintainers upstream left no doubt within their point that patching out the so-called ContentDB from minetest is not welcome and also that there were "several other vulnerabilities" so the patch would not have helped and minetest had to be removed.

Same for radare2. Closing thread.

Besides one last point: When you want to report a CVE, please do so for a CURRENT thread and not for a full bunch of listings as those were or are worked within different ranges. For example Debian also rejects patching CVEs in some situations, when they are not really important out of missing parts. Open a thread with a report when you have clear points that there is a high and severe security risk, but not the full listing of CVEs. This point mostly approves that more packages are also more risk and therefore Hyperbola removes packages when there is no need.

Surely please look and research, but it would really help more when you also point out a solution when there is a severe problem. Reporting is only leaving the whole situation on a team-member now. And this is causing work, we would otherwise use really for different and more needed situations and tasks.

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!