Re: libcdio stable update for CVE-2007-6613
On 2008-01-21, Nicolas Boullis <email@example.com> wrote:
> Hi Nico and others,
> On Sun, Jan 20, 2008 at 02:31:39PM +0100, Nico Golde wrote:
>> the following CVE (Common Vulnerabilities & Exposures) id was
>> published for libcdio some time ago.
>> | Stack-based buffer overflow in the print_iso9660_recurse function in
>> | iso-info (src/iso-info.c) in GNU Compact Disc Input and Control
>> | Library (libcdio) 0.79 and earlier allows context-dependent attackers
>> | to cause a denial of service (core dump) and possibly execute
>> | arbitrary code via a disk or image that contains a long joilet file
>> | name.
>> Unfortunately the vulnerability described above is not important enough
>> to get it fixed via regular security update in Debian stable. It does
>> not warrant a DSA.
>> However it would be nice if this could get fixed via a regular point update.
>> Please contact the release team for this.
> I don't think an update is needed. The issue only affects the cd-info
> and iso-info programs, that were not part of any binary package package
> before 0.78.2-1. (Etch has 0.76-1.) Hence, only the source package is
> affected (that is anyone who builds the programs from the source
> package). Is it something we should support?
In that case I don't think a stable update is necessary.