[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: libcdio stable update for CVE-2007-6613

Hi Nico and others,

On Sun, Jan 20, 2008 at 02:31:39PM +0100, Nico Golde wrote:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for libcdio some time ago.
> CVE-2007-6613[0]:
> | Stack-based buffer overflow in the print_iso9660_recurse function in
> | iso-info (src/iso-info.c) in GNU Compact Disc Input and Control
> | Library (libcdio) 0.79 and earlier allows context-dependent attackers
> | to cause a denial of service (core dump) and possibly execute
> | arbitrary code via a disk or image that contains a long joilet file
> | name.
> Unfortunately the vulnerability described above is not important enough
> to get it fixed via regular security update in Debian stable. It does
> not warrant a DSA.
> However it would be nice if this could get fixed via a regular point update[1].
> Please contact the release team for this.

I don't think an update is needed. The issue only affects the cd-info 
and iso-info programs, that were not part of any binary package package 
before 0.78.2-1. (Etch has 0.76-1.) Hence, only the source package is 
affected (that is anyone who builds the programs from the source 
package). Is it something we should support?



PS: please CC replies to me.

Reply to: