Package: radare2 / 0.9.6-3.1+deb8u1

Metadata

Package: radare2
Version: 0.9.6-3.1+deb8u1
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
01_fix kfreebsd compilation.patch

libr/debug/p/debug_native.c | 24 10 + 14 - 0 !
1 file changed, 10 insertions(+), 14 deletions(-)

 fix compilation under kfreebsd.
 strlcat and strlcpy appear in the sources and break.  Instead, backport
 commit 1941efc1 that removes those two functions.
02_link needed libmagic.patch

libr/core/Makefile | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 link with needed libmagic
 required when building with ld --as-needed
03_unsafe_snprintf.patch

shlr/java/code.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 fix incomplete snprintf declaration.
 This patch prevents a potential format string attack, caught thanks to
 the hardening flags in the Debian build (-Werror=format-security).
 It's partially taken from upstream's 1289476120c4...
04_remove_non installable_library.patch

libr/Makefile | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 a test library is being installed and breaks the build.
 This solves the problem of creating and installing parse/t/lib.so
 as debian/tmp//usr/lib/x86_64-linux-gnu/t.0.9.6.
05_typos.patch

libr/bin/format/mach0/mach-o/fat.h | 2 1 + 1 - 0 !
libr/cons/grep.c | 2 1 + 1 - 0 !
libr/core/cmd_debug.c | 2 1 + 1 - 0 !
man/rabin2.1 | 6 2 + 4 - 0 !
man/radare2.1 | 3 1 + 2 - 0 !
man/radiff2.1 | 1 0 + 1 - 0 !
man/rafind2.1 | 1 0 + 1 - 0 !
man/ragg2-cc.1 | 3 1 + 2 - 0 !
man/ragg2.1 | 5 2 + 3 - 0 !
man/rahash2.1 | 1 0 + 1 - 0 !
man/rarun2.1 | 7 3 + 4 - 0 !
man/rasm2.1 | 12 5 + 7 - 0 !
man/rax2.1 | 6 2 + 4 - 0 !
13 files changed, 19 insertions(+), 32 deletions(-)

 fix a round of typos and incorrect man macros.
 The macro Em. was present in all the manpages and it's incorrect, plus
 there are some typos here and there, some of them spotted by lintian.
06_no_forced_rpath.patch

configure | 22 15 + 7 - 0 !
1 file changed, 15 insertions(+), 7 deletions(-)

 honor --with-rpath, and disable it when not specified.
 Lintian noticed that rpath was being added to every binary object.  The
 problem is that when the --with-rpath option is not specified to configure,
 disabling of rpath is not really enforced.
 I altered the logic to honor any previous options, and then decide whether
 to use rpath or not.
 This configure has been generated with acr, so it's very possible that this
 change will need to go there.
07_propagate_ldflags.patch

libr/util/Makefile | 2 1 + 1 - 0 !
mk/gcc.mk | 2 1 + 1 - 0 !
shlr/tcc/Makefile | 2 1 + 1 - 0 !
3 files changed, 3 insertions(+), 3 deletions(-)

 properly propagate ldflags in libraries.
 Debian fills up LDFLAGS with hardening flags but for some libraries this
 parameter is not read from the environment variable but hardcoded.
08_proper_tcc_build.patch

shlr/tcc/Makefile | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 add .so as a suffix for libtcc on linux.
 It's an oversight that libtcc is being built as .dylib (OS X).  Do the
 right thing and use .so as the default.
09_fix_internal_plugins.patch

Makefile | 2 0 + 2 - 0 !
libr/lang/p/Makefile | 4 2 + 2 - 0 !
libr/lang/p/lua.c | 2 0 + 2 - 0 !
3 files changed, 2 insertions(+), 6 deletions(-)

 fix check for lua libs.
 The internal plugins Makefile is too strict on the pkgconfig check for
 lua config, so I made the hyphen optional and added a number to make
 a possible mismatch more unlikely.
 There's a leftover in the main Makefile, possibly from radare1, for
 installing radare.lua.
 Also the lua plugin is not looking at the same directory for radare.lua
 as the installation says.
10_fix_rafind2_segfault.patch

libr/io/p/io_malloc.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 fix a segfault in rafind2.
 The Mayhem team from CMU found with a fuzzing attack that a short hex://
 URL can make it segfault.
11_block_libtcc_install.patch

shlr/Makefile | 10 5 + 5 - 0 !
1 file changed, 5 insertions(+), 5 deletions(-)

 stop installing libtcc files.
 As per pancake, we shouldn't install any of the libtcc files in the final
 package.  Based on commit 1531e96.
101_split_plugins_installation

libr/Makefile | 10 7 + 3 - 0 !
1 file changed, 7 insertions(+), 3 deletions(-)

 move language plugins to a different directory.
 In order to prevent conflicts and to ease packaging (otherwise you have to
 use a dh_install line in debian/rules for every package and an additional
 -X n libradare2), move the installation of the plugins to a harmless
 directory where it can be safely ignored by libradare2 and installed by
 radare2-plugins.
 This is Debian-only.
12_fix_strcasestr_declaration.patch

libr/util/str.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 fix an implicit declaration of strcasestr.
 Matthias Klose found a function not defined in the build logs.  It's due
 to a missing include.  I checked upstream and it has already been fixed.
 Updated by Steve McIntyre <93sam@debian.org>
13_fix_CVE 2017 6197.patch

libr/util/mem.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 fix cve cve-2017-6197
 The r_read_* functions in libr/include/r_endian.h in radare2 1.2.1 allow
 remote attackers to cause a denial of service (NULL pointer dereference and
 application crash) via a crafted binary file, as demonstrated by the
 r_read_le32 function.
 
 r_read_* was only introduced in 0.10.x, but previous versions are also
 affected via r_mem_copyendian. This fixes the NULL pointer dereference
 and fills the destination buffer with 0xFF, which is the behaviour of
 the upstream fix for version 1.2.1.
14_fix_dex_loadcode.patch

libr/bin/p/bin_dex.c | 24 19 + 5 - 0 !
1 file changed, 19 insertions(+), 5 deletions(-)

 fix cve cve-2017-6197
 The example binary for CVE-2017-6197 also crashes radare2
 0.9.6 because of missing NULL checks in the dex parser
 and a memory leak resulting in resource exhaustion.