An issue was discovered in GNU libcdio before 2.0.0. There is a double free in get_cdtext_generic() in lib/driver/_cdio_generic.c. Commit/patch: https://git.savannah.gnu.org/cgit/libcdio.git/commit/?id=dec2f876c2d7162da213429bce1a7140cdbdd734 - Gentoo Security Padawan -
Note that the patch was actually commit https://git.savannah.gnu.org/cgit/libcdio.git/commit/?id=dec2f876c2d7162da213429bce1a7140cdbdd734. It is present in v2.0.0, which is already available in the Gentoo repository. @ Maintainer(s): Can we stabilize =dev-libs/libcdio-2.0.0?
>=libcdio-1.0 had incompatible changes in the API, and not all reverse dependencies have been fixed yet (bug 638682, bug 641078, bug 641470). Better to backport that simple one-line fix to the older version.
I assume that both commits are needed:
https://git.savannah.gnu.org/cgit/libcdio.git/commit/?id=f6f9c48fb40b8a1e8218799724b0b61a7161eb1d
https://git.savannah.gnu.org/cgit/libcdio.git/commit/?id=dec2f876c2d7162da213429bce1a7140cdbdd734
What's the way forward here? Do the maintainers want to backport the patch?
Adding =media-video/vcdimager-2.0.1 to the list as it should be stabilised in lockstep.
@arches, please stabilize.
*** Bug 672230 has been marked as a duplicate of this bug. ***
*** Bug 671964 has been marked as a duplicate of this bug. ***
media-libs/xine-lib broken too #672458
amd64 stable
x86 stable
sparc stable
arm stable
Depends removed. This has since been stabilized.
(In reply to Aaron Bauman from comment #14)
> Depends removed. This has since been stabilized.

nvm. I see vcdimager which was not stabilized due to test failures. Why the dependency and stabilization together if it wasn't needed...
alpha stable
ppc stable
(In reply to Aaron Bauman from comment #15)
> nvm. I see vcdimager which was not stabilized due to test failures. Why
> the dependency and stabilization together if it wasn't needed...

Because obviously vcdimager is going to block cleanup besides being a blocker for stable user upgrades...
See also bug 671964...
ignoring test failure and declaring hppa stable
ia64 will pass. See https://archives.gentoo.org/gentoo-dev/message/edaadc85d7423810dd6ecfeda29cc85f
GLSA Vote: No!
PPC64 forgot to remove themselves, version is stable in tree. Maintainer(s), please drop the vulnerable version(s).
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Maintainer(s), it has been 30 days + since request for cleanup. Please drop the vulnerable version(s).
ppc64 stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4a0390ce45e2faa0dc97db10c2310a6164bf0cc2

commit 4a0390ce45e2faa0dc97db10c2310a6164bf0cc2
Author: Sam James <sam@gentoo.org>
AuthorDate: 2020-07-29 00:19:24 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2020-07-29 00:19:38 +0000

    dev-libs/libcdio: security cleanup

    Bug: https://bugs.gentoo.org/648954
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libcdio/Manifest               |  3 --
 dev-libs/libcdio/libcdio-0.93.ebuild    | 73 --------------------------------
 dev-libs/libcdio/libcdio-0.94-r1.ebuild | 73 --------------------------------
 dev-libs/libcdio/libcdio-1.1.0.ebuild   | 75 ---------------------------------
 dev-libs/libcdio/libcdio-2.0.0.ebuild   | 74 --------------------------------
 5 files changed, 298 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cce5ce922fc380cd1bde667ac65c55e253169739

commit cce5ce922fc380cd1bde667ac65c55e253169739
Author: Sam James <sam@gentoo.org>
AuthorDate: 2020-07-29 00:19:23 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2020-07-29 00:19:38 +0000

    media-video/vcdimager: cleanup for libcdio security cleanup

    Bug: https://bugs.gentoo.org/648954
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 media-video/vcdimager/Manifest                 |   1 -
 .../files/vcdimager-0.7.24-libcdio-1.0.0.patch | 230 ---------------------
 media-video/vcdimager/vcdimager-0.7.24.ebuild  |  61 ------
 3 files changed, 292 deletions(-)