Bug 650898

Summary:	<dev-libs/libcdio{1.0.0,2.0.0}: Multiple vulnerabilities
Product:	Gentoo Security	Reporter:	GLSAMaker/CVETool Bot <glsamaker>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	sound
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B3 [noglsa cve blocked]
Package list:		Runtime testing required:	---
Bug Depends on:	648954
Bug Blocks:

Description GLSAMaker/CVETool Bot gentoo-dev

2018-03-19 15:00:09 UTC

CVE-2017-18201 (https://nvd.nist.gov/vuln/detail/CVE-2017-18201):
  An issue was discovered in GNU libcdio before 2.0.0. There is a double free
  in get_cdtext_generic() in lib/driver/_cdio_generic.c.

CVE-2017-18199 (https://nvd.nist.gov/vuln/detail/CVE-2017-18199):
  realloc_symlink in rock.c in GNU libcdio before 1.0.0 allows remote
  attackers to cause a denial of service (NULL Pointer Dereference) via a
  crafted iso file.

CVE-2017-18198 (https://nvd.nist.gov/vuln/detail/CVE-2017-18198):
  print_iso9660_recurse in iso-info.c in GNU libcdio before 1.0.0 allows
  remote attackers to cause a denial of service (heap-based buffer over-read)
  or possibly have unspecified other impact via a crafted iso file.


@Maintainers versions 2.0.0 and 1.0.0 already in tree. Please call for stabilization when ready.

Thank you.

Comment 1 NATTkA bot gentoo-dev

2020-04-12 19:30:52 UTC

Resetting sanity check; package list is empty or all packages are done.

Comment 2 Yury German Gentoo Infrastructure

2020-04-16 06:56:09 UTC

GLSA Vote: No
Cleanup is being done as part of Depending bug.
Thank you all for you work. 
Closing as [noglsa].