Alpine: multiple radare2 packages: security update to 3.9.0

high Tenable Cloud Security Plugin ID 406874

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- In radare2 through 3.5.1, there is a heap-based buffer over-read in the r_egg_lang_parsechar function of
egg_lang.c. This allows remote attackers to cause a denial of service (application crash) or possibly have
unspecified other impact because of missing length validation in libr/egg/egg.c. (CVE-2019-12790)

- In radare2 through 3.5.1, the rcc_context function of libr/egg/egg_lang.c mishandles changing context.
This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified
other impact (invalid memory access in r_egg_lang_parsechar; invalid free in rcc_pusharg).
(CVE-2019-12802)

- radare2 through 3.5.1 mishandles the RParse API, which allows remote attackers to cause a denial of
service (application crash) or possibly have unspecified other impact, as demonstrated by newstr buffer
overflows during replace operations. This affects libr/asm/asm.c and libr/parse/parse.c. (CVE-2019-12829)

- In radare2 through 3.5.1, cmd_mount in libr/core/cmd_mount.c has a double free for the ms command.
(CVE-2019-12865)

- In radare2 before 3.7.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c. By
using a crafted executable file, it's possible to execute arbitrary shell commands with the permissions of
the victim. This vulnerability is due to improper handling of symbol names embedded in executables.
(CVE-2019-14745)

See Also

https://security.alpinelinux.org/vuln/CVE-2019-12790

https://security.alpinelinux.org/vuln/CVE-2019-12802

https://security.alpinelinux.org/vuln/CVE-2019-12829

https://security.alpinelinux.org/vuln/CVE-2019-12865

https://security.alpinelinux.org/vuln/CVE-2019-14745

Plugin Details

Severity: High

ID: 406874

Version: Revision 1.25

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-14745

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 6/10/2019

Reference Information

CVE: CVE-2019-12790, CVE-2019-12802, CVE-2019-12829, CVE-2019-12865, CVE-2019-14745