Re: libcdio stable update for CVE-2007-6613
Hi Nico and others,
On Sun, Jan 20, 2008 at 02:31:39PM +0100, Nico Golde wrote:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for libcdio some time ago.
> | Stack-based buffer overflow in the print_iso9660_recurse function in
> | iso-info (src/iso-info.c) in GNU Compact Disc Input and Control
> | Library (libcdio) 0.79 and earlier allows context-dependent attackers
> | to cause a denial of service (core dump) and possibly execute
> | arbitrary code via a disk or image that contains a long joilet file
> | name.
> Unfortunately the vulnerability described above is not important enough
> to get it fixed via regular security update in Debian stable. It does
> not warrant a DSA.
> However it would be nice if this could get fixed via a regular point update.
> Please contact the release team for this.
I don't think an update is needed. The issue only affects the cd-info
and iso-info programs, that were not part of any binary package package
before 0.78.2-1. (Etch has 0.76-1.) Hence, only the source package is
affected (that is anyone who builds the programs from the source
package). Is it something we should support?
PS: please CC replies to me.