
Bug#891638: libcdio: CVE-2017-18201: double free in get_cdtext_generic() in lib/driver/_cdio_generic.c.



Hi!

On Tue, Feb 27, 2018 at 12:34:58PM -0500, Rocky Bernstein wrote:
> In https://security-tracker.debian.org/tracker/CVE-2017-18201 it claims
> 0.83 is vulnerable, but I don't believe that this is the case.
> 
> I think that bug was introduced in version 0.92.  There was a major change
> in 0.90 as to how CD-TEXT was handled (and in 0.90 there was memory that was
> not freed rather than double freed which started I think in 0.92). So I
> don't believe 0.83 should be marked as vulnerable.

Thanks a lot. I update the security-tracker information, which was
older versions are automatically marked as affected as well, until
someone does triage it.

Regards,
Salvatore

