PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-6319 Radare CVE debrief

CVE-2017-6319 affects radare2 1.2.1. The issue is in dex_parse_debug_item in libr/bin/p/bin_dex.c, where a crafted DEX file can trigger a buffer overflow, crash the application, and possibly have unspecified other impact. The NVD record classifies the weakness as CWE-119 and rates it 7.8 HIGH. For defenders, the main concern is any workflow that opens or analyzes untrusted DEX content with vulnerable radare2 builds. The supplied references include an upstream issue and a fixing commit, which makes this a practical patch-and-contain item for analysis environments.

Vendor: Radare
Product: CVE-2017-6319
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-02
Original CVE updated: 2026-05-13
Advisory published: 2017-03-02
Advisory updated: 2026-05-13

Who should care

Security teams, developers, and analysts using radare2 1.2.1 or downstream builds to inspect DEX files, especially when inputs come from untrusted or externally supplied samples.

Technical summary

The vulnerable function is dex_parse_debug_item in libr/bin/p/bin_dex.c. According to the NVD description, crafted DEX input can trigger a buffer overflow leading to denial of service via application crash, with possible unspecified additional impact. NVD maps the weakness to CWE-119 and assigns CVSS 3.0 7.8 HIGH with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The supplied record also links to an upstream issue and a patch commit.

Defensive priority

High for any environment that processes untrusted DEX files with radare2 1.2.1 or affected downstream packages.

Recommended defensive actions

  • Apply the upstream fix referenced by commit ad55822430a03fe075221b543efb434567e9e431, or ensure your downstream build includes it.
  • Inventory installed radare2 versions and confirm whether any 1.2.1 or equivalent vulnerable builds are in use.
  • Avoid opening untrusted DEX files directly on sensitive workstations; use a sandboxed analysis environment instead.
  • If patching is delayed, restrict DEX parsing to trusted inputs and watch for crashes during file analysis.
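The inventory and patch-verification steps above can be scripted. The following POSIX shell script is an added example written for this debrief; it is not PatchSiren's code and not part of the radare2 project. It assumes the `r2 -v` output format "radare2 X.Y.Z ..." (version as the second word of the first line) and, for source builds, a git checkout whose history can be checked for the fixing commit named in the record. It conservatively treats any version at or below 1.2.1 as needing review, which is an assumption: the record names 1.2.1 only.

```shell
#!/bin/sh
# Added example for the CVE-2017-6319 debrief (not PatchSiren's or radare2's code).
# Inventories radare2 binaries on PATH, flags versions at or below the release
# named in the NVD record, and checks a source checkout for the upstream fix commit.

FIX_COMMIT=ad55822430a03fe075221b543efb434567e9e431   # from the debrief's evidence notes
LAST_VULN_VERSION=1.2.1                                # release named in the NVD record

# version_cmp A B: prints -1, 0 or 1 for A <, =, > B, comparing dotted numeric
# components. Missing components count as 0 ("1.2" == "1.2.0"); a trailing
# non-numeric suffix such as "-git" is ignored.
version_cmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    # Drop the consumed component; when no dot remains, the string is exhausted.
    [ "$a" = "$x" ] && a= || a=${a#*.}
    [ "$b" = "$y" ] && b= || b=${b#*.}
    x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
  done
  printf '%s\n' 0
}

# is_affected_version V: succeeds (exit 0) when V is at or below 1.2.1.
# Assumption: releases older than 1.2.1 are treated as unpatched too.
is_affected_version() {
  [ "$(version_cmp "$1" "$LAST_VULN_VERSION")" != 1 ]
}

# has_fix_commit DIR: succeeds when the fix commit is an ancestor of HEAD in
# the radare2 git checkout at DIR (i.e. the build from that tree includes it).
has_fix_commit() {
  git -C "$1" merge-base --is-ancestor "$FIX_COMMIT" HEAD 2>/dev/null
}

# inventory_radare2: report each r2/radare2 binary on PATH with its version
# and whether it falls in the review range. Always returns 0 so it is safe
# to run from a larger inventory job.
inventory_radare2() {
  for bin in r2 radare2; do
    path=$(command -v "$bin" 2>/dev/null) || continue
    # Assumed output shape: "radare2 1.2.1 0 @ linux-x86-64 ..."
    ver=$("$path" -v 2>/dev/null | awk 'NR==1 {print $2}')
    [ -n "$ver" ] || { printf '%s: version could not be read\n' "$path"; continue; }
    if is_affected_version "$ver"; then
      printf '%s: radare2 %s - REVIEW (<= %s, CVE-2017-6319)\n' "$path" "$ver" "$LAST_VULN_VERSION"
    else
      printf '%s: radare2 %s - newer than %s\n' "$path" "$ver" "$LAST_VULN_VERSION"
    fi
  done
  return 0
}

# Usage: ./check_r2.sh [path-to-radare2-git-checkout]
inventory_radare2
if [ -n "$1" ]; then
  if has_fix_commit "$1"; then
    printf '%s: fix commit %s present in history\n' "$1" "$FIX_COMMIT"
  else
    printf '%s: fix commit %s NOT found in history - rebuild from a fixed tree\n' "$1" "$FIX_COMMIT"
  fi
fi
```

For packaged builds, a distribution may have backported the commit without bumping the version, so treat the version check as a trigger for review rather than a verdict; the git ancestry check is the stronger signal when the tree the binary was built from is available.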

Evidence notes

The source corpus ties the issue to radare2 1.2.1, the function dex_parse_debug_item in libr/bin/p/bin_dex.c, and CWE-119. References provided in the record include the official CVE and NVD entries, a SecurityFocus advisory, upstream GitHub issue #6836, and the upstream fixing commit ad55822430a03fe075221b543efb434567e9e431.

Official resources

CVE published on 2017-03-02. The NVD record was last modified on 2026-05-13. Timing context in this debrief uses the CVE publication date, not the later modification date.