Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 245649 (CVE-2008-5030) - media-libs/libcdaudio <0.99.12-1: remotely exploitable buffer overflow (CVE-2008-5030)
Summary: media-libs/libcdaudio <0.99.12-1: remotely exploitable buffer overflow (CVE-2...
Alias: CVE-2008-5030
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Reported: 2008-11-05 12:14 UTC by Stefan Behte (RETIRED)
Modified: 2009-03-17 21:33 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2008-11-05 12:14:06 UTC
I'm unsure about the versions, got this one from Thomas Biege @ oss-sec:

--- src/cddb.c
+++ src/cddb.c
@@ -1679,7 +1679,7 @@ cddb_read_disc_data(int cd_desc, struct disc_data

while(!feof(cddb_data)) {
- fgets(inbuffer, 512, cddb_data);
+ fgets(inbuffer, 256, cddb_data);
cddb_process_line(inbuffer, data);

I checked that: we've got a vulnerable version in our tree.
Comment 1 Peter Alfredsen (RETIRED) gentoo-dev 2008-11-05 13:13:36 UTC
InCVS as libcdaudio-0.99.12-r1
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2008-11-05 13:49:13 UTC
Arches, please test and mark stable
Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

I'm re-rating this as B2 as it most likely requires user interaction (i.e. the user has to open a malicious URL or file)
Comment 3 Brent Baude (RETIRED) gentoo-dev 2008-11-06 02:52:57 UTC
ppc64 done
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2008-11-06 12:03:10 UTC
Stable for HPPA.
Comment 5 Markus Meier gentoo-dev 2008-11-08 12:58:54 UTC
amd64/x86 stable
Comment 6 Markus Meier gentoo-dev 2008-11-08 13:00:12 UTC
btw please note:

dodoc: ChangLog does not exist
>>> Completed installing libcdaudio-0.99.12-r1 into /var/tmp/portage/media-libs/libcdaudio-0.99.12-r1/image/
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2008-11-08 17:15:31 UTC
alpha/arm/ia64/sparc stable
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-15 18:41:46 UTC
ppc stable
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-11-27 11:54:08 UTC
CVE-2008-5030 (
  Heap-based buffer overflow in the cddb_read_disc_data function in
  cddb.c in libcdaudio 0.99.12p2 allows remote CDDB servers to execute
  arbitrary code via long CDDB data.

Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-17 21:33:22 UTC
GLSA 200903-31