radare2 - Debian Package Tracker

general

source: radare2 (main)
version: 5.9.8+dfsg-2
maintainer: Debian Security Tools (DMD)
uploaders: Andrej Shadura [DMD] – Alex Myczko [DMD] – Sebastian Reichel [DMD]
arch: all any
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

unstable: 5.9.8+dfsg-2

versioned links

5.9.8+dfsg-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libradare2-5.0.0t64
libradare2-common
libradare2-dev
radare2

action needed

11 security issues in sid high

There are 11 open security issues in sid.

11 important issues:

CVE-2025-1378: A vulnerability, which was classified as problematic, was found in radare2 5.9.9 33286. Affected is an unknown function in the library /libr/main/rasm2.c of the component rasm2. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 6.0.0 is able to address this issue. The patch is identified as c6c772d2eab692ce7ada5a4227afd50c355ad545. It is recommended to upgrade the affected component.
CVE-2025-1744: Out-of-bounds Write vulnerability in radareorg radare2 allows heap-based buffer over-read or buffer overflow.This issue affects radare2: before <5.9.9.
CVE-2025-1864: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in radareorg radare2 allows Overflow Buffers.This issue affects radare2: before <5.9.9.
CVE-2025-5641: A vulnerability was found in Radare2 5.9.9. It has been rated as problematic. This issue affects the function r_cons_is_breaked in the library /libr/cons/cons.c of the component radiff2. The manipulation of the argument -T leads to memory corruption. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The identifier of the patch is 5705d99cc1f23f36f9a84aab26d1724010b97798. It is recommended to apply a patch to fix this issue. The documentation explains that the parameter -T is experimental and "crashy". Further analysis has shown "the race is not a real problem unless you use asan". An additional warning regarding threading support has been added.
CVE-2025-5642: A vulnerability classified as problematic has been found in Radare2 5.9.9. Affected is the function r_cons_pal_init in the library /libr/cons/pal.c of the component radiff2. The manipulation leads to memory corruption. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The patch is identified as 5705d99cc1f23f36f9a84aab26d1724010b97798. It is recommended to apply a patch to fix this issue. The documentation explains that the parameter -T is experimental and "crashy". Further analysis has shown "the race is not a real problem unless you use asan". A new warning has been added.
CVE-2025-5643: A vulnerability classified as problematic was found in Radare2 5.9.9. Affected by this vulnerability is the function cons_stack_load in the library /libr/cons/cons.c of the component radiff2. The manipulation of the argument -T leads to memory corruption. An attack has to be approached locally. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The patch is named 5705d99cc1f23f36f9a84aab26d1724010b97798. It is recommended to apply a patch to fix this issue. The documentation explains that the parameter -T is experimental and "crashy". Further analysis has shown "the race is not a real problem unless you use asan". A new warning has been added.
CVE-2025-5644: A vulnerability, which was classified as problematic, has been found in Radare2 5.9.9. Affected by this issue is the function r_cons_flush in the library /libr/cons/cons.c of the component radiff2. The manipulation of the argument -T leads to use after free. Local access is required to approach this attack. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The name of the patch is 5705d99cc1f23f36f9a84aab26d1724010b97798. It is recommended to apply a patch to fix this issue. The documentation explains that the parameter -T is experimental and "crashy". Further analysis has shown "the race is not a real problem unless you use asan". A new warning has been added.
CVE-2025-5645: A vulnerability, which was classified as problematic, was found in Radare2 5.9.9. This affects the function r_cons_pal_init in the library /libr/cons/pal.c of the component radiff2. The manipulation of the argument -T leads to memory corruption. Attacking locally is a requirement. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The identifier of the patch is 5705d99cc1f23f36f9a84aab26d1724010b97798. It is recommended to apply a patch to fix this issue. The documentation explains that the parameter -T is experimental and "crashy". Further analysis has shown "the race is not a real problem unless you use asan". A new warning has been added.
CVE-2025-5646: A vulnerability has been found in Radare2 5.9.9 and classified as problematic. This vulnerability affects the function r_cons_rainbow_free in the library /libr/cons/pal.c of the component radiff2. The manipulation of the argument -T leads to memory corruption. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The patch is identified as 5705d99cc1f23f36f9a84aab26d1724010b97798. It is recommended to apply a patch to fix this issue. The documentation explains that the parameter -T is experimental and "crashy". Further analysis has shown "the race is not a real problem unless you use asan". A new warning has been added.
CVE-2025-5647: A vulnerability was found in Radare2 5.9.9 and classified as problematic. This issue affects the function r_cons_context_break_pop in the library /libr/cons/cons.c of the component radiff2. The manipulation of the argument -T leads to memory corruption. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The patch is named 5705d99cc1f23f36f9a84aab26d1724010b97798. It is recommended to apply a patch to fix this issue. The documentation explains that the parameter -T is experimental and "crashy". Further analysis has shown "the race is not a real problem unless you use asan". A new warning has been added.
CVE-2025-5648: A vulnerability was found in Radare2 5.9.9. It has been classified as problematic. Affected is the function r_cons_pal_init in the library /libr/cons/pal.c of the component radiff2. The manipulation of the argument -T leads to memory corruption. An attack has to be approached locally. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The name of the patch is 5705d99cc1f23f36f9a84aab26d1724010b97798. It is recommended to apply a patch to fix this issue. The documentation explains that the parameter -T is experimental and "crashy". Further analysis has shown "the race is not a real problem unless you use asan". A new warning has been added.

Created: 2025-02-17 Last update: 2025-06-06 06:32

3 security issues in trixie high

There are 3 open security issues in trixie.

3 important issues:

CVE-2025-1378: A vulnerability, which was classified as problematic, was found in radare2 5.9.9 33286. Affected is an unknown function in the library /libr/main/rasm2.c of the component rasm2. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 6.0.0 is able to address this issue. The patch is identified as c6c772d2eab692ce7ada5a4227afd50c355ad545. It is recommended to upgrade the affected component.
CVE-2025-1744: Out-of-bounds Write vulnerability in radareorg radare2 allows heap-based buffer over-read or buffer overflow.This issue affects radare2: before <5.9.9.
CVE-2025-1864: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in radareorg radare2 allows Overflow Buffers.This issue affects radare2: before <5.9.9.

Created: 2025-02-17 Last update: 2025-03-05 23:32

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 20-day delay is over. Check why.

Created: 2025-05-20 Last update: 2025-06-13 16:29

lintian reports 42 warnings normal

Lintian reports 42 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2025-01-14 Last update: 2025-01-14 06:02

debian/patches: 1 patch to forward upstream low

Among the 1 debian patch available in version 5.9.8+dfsg-2 of the package, we noticed the following issues:

1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2025-01-14 Last update: 2025-01-14 11:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).

Created: 2025-02-21 Last update: 2025-02-27 13:25

testing migrations

excuses:
- Migration status for radare2 (- to 5.9.8+dfsg-2): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Updating radare2 would introduce bugs in testing: #950372
- ∙ ∙ blocked by freeze: is not in testing
- Additional info:
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/r/radare2.html
- ∙ ∙ Reproducible on amd64 - info ♻
- ∙ ∙ Reproducible on arm64 - info ♻
- ∙ ∙ Reproducible on armhf - info ♻
- ∙ ∙ Reproducible on i386 - info ♻
- ∙ ∙ 150 days old (needed 20 days)
- Not considered

news

[rss feed]

[2025-05-21] radare2 REMOVED from testing (Debian testing watch)
[2025-01-19] radare2 5.9.8+dfsg-2 MIGRATED to testing (Debian testing watch)
[2025-01-13] Accepted radare2 5.9.8+dfsg-2 (source) into unstable (Hilko Bengen)
[2024-12-02] Accepted radare2 5.9.8+dfsg-1 (source) into unstable (Alex Myczko) (signed by: GÃ¼rkan Myczko)
[2024-08-24] Accepted radare2 5.9.4+dfsg-1~bpo12+1 (source amd64 all) into stable-backports (Alex Myczko) (signed by: GÃ¼rkan Myczko)
[2024-08-16] radare2 5.9.4+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-08-10] Accepted radare2 5.9.4+dfsg-1 (source) into unstable (Alex Myczko) (signed by: GÃ¼rkan Myczko)
[2024-06-25] Accepted radare2 5.9.2+dfsg-1~bpo12+1 (source amd64 all) into stable-backports (Debian FTP Masters) (signed by: GÃ¼rkan Myczko)
[2024-05-28] radare2 5.9.2+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-05-28] radare2 5.9.2+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-05-23] Accepted radare2 5.9.2+dfsg-1 (source) into unstable (Alex Myczko) (signed by: GÃ¼rkan Myczko)
[2024-05-08] radare2 5.9.0+dfsg-2 MIGRATED to testing (Debian testing watch)
[2024-05-02] Accepted radare2 5.9.0+dfsg-2 (source) into unstable (Alex Myczko) (signed by: GÃ¼rkan Myczko)
[2024-04-25] Accepted radare2 5.9.0+dfsg-1 (source) into unstable (Alex Myczko) (signed by: GÃ¼rkan Myczko)
[2024-04-15] Accepted radare2 5.8.8+dfsg-1 (source) into experimental (Alex Myczko) (signed by: GÃ¼rkan Myczko)
[2024-02-29] Accepted radare2 5.5.0+dfsg-1.1 (source) into unstable (Benjamin Drung)
[2024-02-03] Accepted radare2 5.5.0+dfsg-1.1~exp1 (source) into experimental (Sergio Durigan Junior)
[2021-12-01] Accepted radare2 5.5.0+dfsg-1 (source) into unstable (Andrej Shadura) (signed by: Andrew Shadura)
[2021-01-05] Accepted radare2 5.0.0+dfsg-1 (source amd64 all) into unstable, unstable (Debian FTP Masters) (signed by: Sebastian Reichel)
[2020-03-27] Accepted radare2 4.3.1+dfsg-1 (source amd64 all) into unstable, unstable (Debian FTP Masters) (signed by: Sebastian Reichel)
[2020-02-20] Accepted radare2 4.2.1+dfsg-2 (source) into unstable (Sebastian Reichel)
[2020-02-18] Accepted radare2 4.2.1+dfsg-1 (source amd64 all) into unstable, unstable (Sebastian Reichel)
[2020-02-14] radare2 REMOVED from testing (Debian testing watch)
[2020-01-04] Accepted radare2 4.0.0+dfsg-1 (source amd64 all) into unstable, unstable (Sebastian Reichel)
[2020-01-03] Accepted radare2 3.9.0+dfsg-1 (source amd64 all) into unstable, unstable (Sebastian Reichel)
[2020-01-03] Accepted radare2 3.8.0+dfsg-1 (source amd64 all) into unstable, unstable (Sebastian Reichel)
[2019-03-13] radare2 3.2.1+dfsg-5 MIGRATED to testing (Debian testing watch)
[2019-03-02] Accepted radare2 3.2.1+dfsg-5 (source) into unstable (Hilko Bengen)
[2019-02-11] radare2 3.2.1+dfsg-4 MIGRATED to testing (Debian testing watch)
[2019-02-05] Accepted radare2 3.2.1+dfsg-4 (source amd64 all) into unstable (Sebastian Reichel)

bugs [bug history graph]

all: 6
RC: 1
I&N: 4
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (0, 42)
buildd: logs, checks, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 5.9.8+dfsg-2