We are pleased to announce the release of the first IDA 9.3 Service Pack (sp2).
This Service Pack is a focused security release, addressing a set of externally reported vulnerabilities in the loaders, the command-line tools, and the Clang-based type parser.
Below is a summary and you can read the detailed release notes here.
You can download the latest IDA installer from My Hex-Rays, our customer portal. We recommend all users who are using the 9.3 branch to update.
Security fixes
- wasm: fixed a heap buffer overflow in the WebAssembly loader when reading malformed LEB128 values in the function/import sections
- tools: fixed multiple heap corruption and out-of-bounds bugs in
zipids, pcf and ptmobj when parsing crafted input files
- idaclang: fixed an argument injection in
CLANG_ARGV that could lead to arbitrary code execution when opening a malicious database
Acknowledgments
We'd like to thank the researchers who reported these issues through coordinated disclosure:
- Milánek of Gen Digital (WebAssembly loader)
- Dell Security Assurance (command-line tools:
zipids, pcf, ptmobj)
- Lam Jun Rong of Calif.io (idaclang argument injection)
If you've found a security issue in IDA, we'd love to hear from you. Check out our bug bounty program for details on how to report and what we reward.
The detailed release notes here.
