Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 648954 (CVE-2017-18201) - <dev-libs/libcdio-2.0.0-r1: Double free (CVE-2017-18201)
Summary: <dev-libs/libcdio-2.0.0-r1: Double free (CVE-2017-18201)
Status: IN_PROGRESS
Alias: CVE-2017-18201
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://git.savannah.gnu.org/cgit/lib...
Whiteboard: B3 [cleanup noglsa cve]
Keywords:
: 671964 672230 (view as bug list)
Depends on: 673174
Blocks: 672392 650898 672356 673074 710264
  Show dependency tree
 
Reported: 2018-02-27 15:00 UTC by Demetris Nakos (sokan)
Modified: 2020-05-21 23:51 UTC (History)
2 users (show)

See Also:
Package list:
=dev-libs/libcdio-2.0.0-r1 =media-video/vcdimager-2.0.1
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Demetris Nakos (sokan) 2018-02-27 15:00:17 UTC
An issue was discovered in GNU libcdio before 2.0.0. There is a double free in get_cdtext_generic() in lib/driver/_cdio_generic.c. 

Commit/patch: https://git.savannah.gnu.org/cgit/libcdio.git/commit/?id=dec2f876c2d7162da213429bce1a7140cdbdd734

- Gentoo Security Padawan -
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-02-27 15:14:43 UTC
Note that the patch was actually commit https://git.savannah.gnu.org/cgit/libcdio.git/commit/?id=dec2f876c2d7162da213429bce1a7140cdbdd734.

It is present in v2.0.0 which is already available in Gentoo repository.


@ Maintainer(s): Can we stabilize =dev-libs/libcdio-2.0.0?
Comment 2 Arfrever Frehtes Taifersar Arahesis 2018-02-28 02:33:41 UTC
>=libcdio-1.0 had incompatible changes in API, and not all reverse dependencies have been fixed yet (bug 638682, bug 641078, bug 641470).
Better to backport that simple one-line fix to older version.
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-04-08 21:50:43 UTC
What's the way forward here?  Do the maintainers want to backport the patch?
Comment 5 Andreas Sturmlechner gentoo-dev 2018-04-08 22:19:20 UTC
Adding =media-video/vcdimager-2.0.1 to the list as it should be stabilised in lockstep.
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-11-29 21:43:21 UTC
@arches, please stabilize.
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-11-30 20:28:47 UTC
*** Bug 672230 has been marked as a duplicate of this bug. ***
Comment 8 Andreas Sturmlechner gentoo-dev 2018-12-01 19:12:56 UTC
*** Bug 671964 has been marked as a duplicate of this bug. ***
Comment 9 Ortwin Glueck 2018-12-03 16:43:52 UTC
media-libs/xine-lib broken too #672458
Comment 10 Agostino Sarubbo gentoo-dev 2018-12-04 11:57:12 UTC
amd64 stable
Comment 11 Thomas Deutschmann gentoo-dev Security 2018-12-07 02:42:24 UTC
x86 stable
Comment 12 Rolf Eike Beer 2018-12-15 14:17:36 UTC
sparc stable
Comment 13 Markus Meier gentoo-dev 2018-12-18 21:06:52 UTC
arm stable
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-24 19:49:44 UTC
Depends removed.  This has since been stabilized.
Comment 15 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-24 20:11:27 UTC
(In reply to Aaron Bauman from comment #14)
> Depends removed.  This has since been stabilized.

nvm.  I see vcdimager which was not stabilized due to test failures.  Why the dependency and stabilization together if it wasn't needed...
Comment 16 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-06 13:37:06 UTC
alpha stable
Comment 17 Sergei Trofimovich gentoo-dev 2019-12-25 20:53:20 UTC
ppc stable
Comment 18 Andreas Sturmlechner gentoo-dev 2020-02-19 22:23:29 UTC
(In reply to Aaron Bauman from comment #15)
> nvm.  I see vcdimager which was not stabilized due to test failures.  Why
> the dependency and stabilization together if it wasn't needed...

Because obviously vcdimager is going to block cleanup besides being a blocker for stable user upgrades...
Comment 19 Andreas Sturmlechner gentoo-dev 2020-02-19 22:27:16 UTC
See also bug 671964...
Comment 20 Sergei Trofimovich gentoo-dev 2020-03-02 14:13:25 UTC
ignoring test failure and declaring hppa stable
Comment 21 Agostino Sarubbo gentoo-dev 2020-03-31 12:34:27 UTC
ia64 will pass. See https://archives.gentoo.org/gentoo-dev/message/edaadc85d7423810dd6ecfeda29cc85f
Comment 22 Thomas Deutschmann gentoo-dev Security 2020-04-01 19:16:23 UTC
GLSA Vote: No!
Comment 23 Yury German Gentoo Infrastructure gentoo-dev Security 2020-04-16 06:48:08 UTC
PPC64 forgot to remove themselves, version is stable in tree.

Maintainer(s), please drop the vulnerable version(s).
Comment 24 NATTkA bot gentoo-dev 2020-04-16 06:52:06 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 25 Yury German Gentoo Infrastructure gentoo-dev Security 2020-05-21 23:51:31 UTC
Maintainer(s), it has been 30 days + since request for cleanup. 
Please drop the vulnerable version(s).