Bug#891638: libcdio: CVE-2017-18201: double free inget_cdtext_generic() in lib/driver/_cdio_generic.c.
Hi!
On Tue, Feb 27, 2018 at 12:34:58PM -0500, Rocky Bernstein wrote:
> In https://security-tracker.debian.org/tracker/CVE-2017-18201 it claims
> 0.83 is vulnerable, but I don't believe that this the case.
>
> I think that bug was introduced in version 0.92. There was a major change
> in 0.90 as to how CD-TEXT was handle (and in 0.90 there was memory that was
> not freed rather than double freed which started I think in 0.92). So I
> don't believe 0.83 should be marked as vulnerable.
Thanks a lot. I update the security-tracker information, which was
older versions are automatically marked as affected as well, until
someone does triage it.
Regards,
Salvatore
Reply to: